Novaworks, Inc. | Total Workforce Management

Privacy Policy

Effective Date: June 9, 2025

Version: 2.0 v070226

Company: Novaworks, Inc.

Incorporation: Delaware corporation, operated from California

Address: 218 Tourney Loop, Los Gatos, California 95030

Privacy contact: privacy@novaworks.ai

DPO (EU/UK): dpo@novaworks.ai

Website: www.novaworks.ai/legal/privacy

1. Introduction

Novaworks, Inc. is a Delaware corporation with principal operations in Los Gatos, California. We provide the Total Workforce Management platform, an AI-native Human Capital Management (HCM) operating system built natively on ServiceNow, powered by AWS Bedrock, designed to unify people, workflows, and AI agents across enterprise workforces (the Services).

This Privacy Policy describes how we collect, use, store, share, and protect personal data in connection with the Services and www.novaworks.ai. It applies to:

  • Visitors to www.novaworks.ai

  • Administrators, HR professionals, and authorized users of the platform

  • Employees, contractors, and contingent workers whose data is managed through the platform on behalf of enterprise customers (“End Users”)

  • Prospective customers and business contacts

Novaworks as a data processor

For enterprise customers, Novaworks acts as a data processor handling personal data on your behalf, under your instructions. Your organization is the data controller. Our Data Processing Agreement (DPA), at www.novaworks.ai/legal/dpa, governs such processing and forms part of the contract between Novaworks and each customer.

2. Information We Collect

2.1 Information you provide

  • Account and profile data: full name, employee ID, job title, department, employment type, organization name

  • Authentication data: username, encrypted password, MFA device identifiers

  • HR and workforce data: compensation, performance records, leave balances, organizational hierarchy, workforce planning data

  • Onboarding and offboarding data: start/end dates, equipment assignments, access entitlements

  • Communications: support requests, messages, and correspondence with us

2.2 Data generated through platform use

  • AI agent interaction data: prompts submitted to AI agents, agent responses, decision outputs, and orchestration logs produced by the HR Concierge layer — stored within your ServiceNow tenant scope

  • Workflow and event data: task assignments, approvals, business events, decision table evaluations

  • Access and audit logs: login timestamps, feature usage, data access records, per application scope

  • Integration metadata: data exchanged with connected enterprise systems via the platform’s REST API layer

2.3 Data collected automatically

  • Technical data: IP address, browser type and version, operating system, device identifiers

  • Usage analytics: pages visited, session duration, feature interaction patterns

  • Cookies and similar technologies: see Section 6

2.4 Sensitive categories of data

Because Total Workforce Management spans the full employee lifecycle, the platform may process special categories of personal data on behalf of customers, including health and disability data (leave management), national identification numbers (payroll and compliance), and immigration or work authorization status (contingent workforce management). Such data is processed only on documented customer instruction with appropriate legal basis. Customers are responsible for ensuring lawful collection from their employees and workers.

3. How We Use Information

We use information to:

  • Provide, operate, maintain, and secure the Services

  • Authenticate users and administer accounts and access controls within ServiceNow tenant scopes

  • Execute workforce management workflows: hiring, onboarding, scheduling, performance management, and offboarding

  • Route AI agent tasks through the HR Concierge orchestration layer and deliver outputs within your tenanted environment

  • Provide customer support and respond to inquiries

  • Monitor for fraud, abuse, security incidents, and unauthorized access

  • Generate aggregated, anonymized analytics to improve the Services — we do not use identifiable customer or End User data for this purpose

  • Comply with legal obligations and enforce our Terms of Use

No AI model training on your data

Novaworks does not use customer data or End User personal data to train AI models. AI inference is provided via AWS Bedrock under terms that prohibit Amazon from using your data to train foundation models. This commitment is also stated in our Data Processing Agreement.

4. How We Disclose Information

We do not sell personal data. We may disclose information in the following circumstances:

4.1 To service providers and sub-processors

We engage sub-processors that help us run the Services. Current sub-processors include:

  • Amazon Web Services (AWS) — cloud hosting, storage (S3), database (RDS), and AI inference (AWS Bedrock). AWS does not use your data to train foundation models.

  • ServiceNow, Inc. — platform layer: ACLs, roles, workflows, REST APIs, decision tables, and per-tenant AI agent transaction storage.

A complete, current sub-processor list is maintained at www.novaworks.ai/legal/sub-processors. Customers receive 30 days’ advance notice before any new sub-processor is added.

4.2 For legal reasons

To comply with applicable law, valid legal process, or a request from a government authority. We will notify affected customers where legally permitted.

4.3 To protect rights and safety

To investigate or prevent fraud, abuse, unauthorized access, or security incidents involving the Services or other customers.

4.4 Business transfers

In connection with a merger, acquisition, financing, or sale of assets, personal data may transfer to the acquiring entity. We will provide reasonable notice and ensure equivalent protections continue.

5. AI Agents and Automated Processing

5.1 How AI agents handle personal data

The platform uses AI agents to automate and assist with workforce management tasks. Each agent operates within a defined ServiceNow application scope, with scoped ACLs and role-based access controls enforcing tenant isolation. Agent transactions — including prompts and input metadata — are logged within the customer’s ServiceNow tenant and are accessible to Customer administrators.

The HR Concierge orchestration layer coordinates specialized agents. All interactions are fully auditable within your tenant.

5.2 Advisory outputs — human review required

AI agents may assist with decisions including candidate screening, workforce scheduling, performance review summaries, and offboarding task generation. These are advisory outputs. Novaworks does not make fully automated decisions producing legal or similarly significant effects on individuals without human review in the loop. Customers are responsible for ensuring human oversight before acting on any AI-generated recommendation.

5.3 Right to explanation and human review

End Users have the right to request an explanation of any AI-assisted recommendation affecting them, and to request that a qualified human review any AI-generated output related to a significant employment decision. Requests should be directed to your employer’s HR administrator or to privacy@novaworks.ai.

6. Cookies and Similar Technologies

Our website (www.novaworks.ai) uses cookies for essential functionality, security, and analytics. The platform itself uses session cookies for authentication; it does not use third-party advertising cookies. You can control cookies through your browser settings, though disabling certain cookies may affect functionality. Our full Cookie Policy is at www.novaworks.ai/legal/cookies.

7. Data Retention

We retain personal data for the duration of your subscription and for legally required periods thereafter:

  • Active workforce data — Duration of subscription + 90 days post-termination for export

  • AI agent transaction logs — 90 days within the ServiceNow tenant (configurable per customer policy)

  • Security and audit logs — Minimum 12 months; high-sensitivity logs 24 months

  • Deleted account data — Purged within 30 days of a verified deletion request

Customers may request early deletion at any time by contacting privacy@novaworks.ai. Requests are processed within 30 days.

8. Security

We maintain reasonable administrative, technical, and physical safeguards designed to protect information, including:

  • TLS 1.2+ encryption for all data in transit; AES-256 encryption for data at rest

  • Multi-factor authentication required for all administrative and production access

  • Multi-tenant data isolation enforced via ServiceNow ACLs and scoped application architecture

  • Principle of least privilege access controls, reviewed quarterly

  • Annual third-party penetration testing and weekly automated vulnerability scanning

  • SOC 2 Type 2 certification (in progress) — reports available to enterprise customers under NDA

  • 24-hour breach notification to affected customers upon confirmed Security Incident

No system is 100% secure. If you believe a Security Incident has occurred, contact security@novaworks.ai immediately.

9. Your Rights and Choices

Depending on your location, you may have the following rights with respect to personal data we hold about you:

  • Access — Request a copy of the personal data we hold about you

  • Correction — Request correction of inaccurate or incomplete data

  • Deletion / Erasure — Request deletion, subject to legal retention obligations

  • Restriction — Request we limit processing in certain circumstances

  • Portability — Receive your data in a structured, machine-readable format

  • Objection — Object to processing based on legitimate interests

  • Explanation (AI) — Request explanation of any AI-assisted decision affecting you

  • Human review (AI) — Request human review of any significant AI-generated recommendation

  • Withdraw consent — Withdraw consent at any time where processing is consent-based

End Users of enterprise customers should first direct rights requests to their employer’s HR administrator. Direct requests to Novaworks may be submitted to privacy@novaworks.ai. We respond within 30 days (extendable to 60 days for complex requests with prior notice).

California residents have additional rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell personal information. To submit a request, contact privacy@novaworks.ai or visit www.novaworks.ai/legal/privacy.

10. International Data Transfers

Novaworks operates from California with infrastructure primarily in the United States (AWS us-east-1). When personal data is transferred across borders, we ensure appropriate safeguards:

  • EU/EEA transfers: Standard Contractual Clauses (SCCs) per Commission Decision 2021/914, incorporated into our DPA (www.novaworks.ai/legal/dpa).

  • UK transfers: UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs.

  • India: Compliance with the Digital Personal Data Protection Act, 2023 (DPDPA) as applicable rules come into force.

  • Other jurisdictions: We cooperate with customers to implement any additional required safeguards.

11. Children

The Services are designed for enterprise use and are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child’s data has been submitted, contact privacy@novaworks.ai immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time by posting an updated version and changing the Effective Date. We will notify customers of material changes via email and in-platform notice at least 30 days before they take effect. Continued use of the Services after the effective date constitutes acceptance.

13. Contact

  • General / privacy requests — privacy@novaworks.ai

  • Security incidents — security@novaworks.ai

  • EU/UK Data Protection Officer — dpo@novaworks.ai

  • Mailing address — 218 Tourney Loop, Los Gatos, California 95030

  • Website — www.novaworks.ai/legal/privacy

  • Response SLA — Acknowledgment within 48 hours; substantive response within 30 days

EU/EEA residents who believe we have not adequately addressed a concern may lodge a complaint with their local supervisory authority (edpb.europa.eu/about-edpb/about-edpb/members_en). California residents may contact the California Privacy Protection Agency (cppa.ca.gov).