Our commitment

The NOVA AVA Service Level Agreement guarantees 99.8% system availability around the clock, excluding maintenance windows, and sets strict guidelines for data security and GDPR compliance. Support is provided exclusively on three levels, including proactive monitoring, and is available on weekdays from 8:00 a.m. to 5:00 p.m. (4:00 p.m. on Fridays) CET. Incidents are prioritized according to severity, while service and change requests are billed according to time and effort, and the latter do not necessarily have to be approved.

NOVA AVA uses ISO 27001-certified AWS servers in Germany for its SaaS solution, which are GDPR-compliant and encrypt data with AES-256 (at rest) and SSL (in transit). The application has been hardened in accordance with BSI penetration testing and OWASP Top 10 and is additionally protected by AWS Shield and WAF. Regular updates and ClamAV are implemented. It offers configurable password policies, 2FA, SSO, and a comprehensive backup concept. Interfaces such as REST API, GAEB, IFC, Excel, and CSV as well as application-specific certificates are available.

The data processing agreement (DPA) between NOVA BUILDING IT GmbH and the customer regulates the processing of personal data by NOVA on behalf of the customer in accordance with data protection regulations, based on Art. 28 (3) GDPR. It defines obligations, control rights, the use of subcontractors, confidentiality, and technical and organizational measures for data security.

The final report of the penetration test for the NOVA AVA web application, conducted by Secuvera between January 7 and February 13, 2025, certifies that the application has a “very high level of security,” as no vulnerabilities could be identified in the end. The test, a white-box test at the application level, was conducted in a laboratory environment on a virtual Kali Linux machine using tools such as “sqlmap” and “Burp Suite Pro.” The objectives were to identify technical vulnerabilities and review the rights and roles concept, based on the OWASP Testing Guide v4 and the BSI study “Implementation Concept for Penetration Tests.” All vulnerabilities and security issues found during the tests were remedied by the customer during the test and the remediation was verified.