Novaworks, Inc. | Total Workforce Management
Privacy Policy
Effective Date: June 9, 2025
Version: 2.0 v070226
Company: Novaworks, Inc.
Incorporation: Delaware corporation, operated from California
Address: 218 Tourney Loop, Los Gatos, California 95030
Privacy contact: privacy@novaworks.ai
DPO (EU/UK): dpo@novaworks.ai
Website: www.novaworks.ai/legal/privacy
1. Introduction
Novaworks, Inc. is a Delaware corporation with principal operations in Los Gatos, California. We provide the Total Workforce Management platform, an AI-native Human Capital Management (HCM) operating system built natively on ServiceNow, powered by AWS Bedrock, designed to unify people, workflows, and AI agents across enterprise workforces (the Services).
This Privacy Policy describes how we collect, use, store, share, and protect personal data in connection with the Services and www.novaworks.ai. It applies to:
Visitors to www.novaworks.ai
Administrators, HR professionals, and authorized users of the platform
Employees, contractors, and contingent workers whose data is managed through the platform on behalf of enterprise customers (“End Users”)
Prospective customers and business contacts
Novaworks as a data processor
For enterprise customers, Novaworks acts as a data processor handling personal data on your behalf, under your instructions. Your organization is the data controller. Our Data Processing Agreement (DPA), at www.novaworks.ai/legal/dpa, governs such processing and forms part of the contract between Novaworks and each customer.
2. Information We Collect
2.1 Information you provide
Account and profile data: full name, employee ID, job title, department, employment type, organization name
Authentication data: username, encrypted password, MFA device identifiers
HR and workforce data: compensation, performance records, leave balances, organizational hierarchy, workforce planning data
Onboarding and offboarding data: start/end dates, equipment assignments, access entitlements
Communications: support requests, messages, and correspondence with us
2.2 Data generated through platform use
AI agent interaction data: prompts submitted to AI agents, agent responses, decision outputs, and orchestration logs produced by the HR Concierge layer — stored within your ServiceNow tenant scope
Workflow and event data: task assignments, approvals, business events, decision table evaluations
Access and audit logs: login timestamps, feature usage, data access records, per application scope
Integration metadata: data exchanged with connected enterprise systems via the platform’s REST API layer
2.3 Data collected automatically
Technical data: IP address, browser type and version, operating system, device identifiers
Usage analytics: pages visited, session duration, feature interaction patterns
Cookies and similar technologies: see Section 6
2.4 Sensitive categories of data
Because Total Workforce Management spans the full employee lifecycle, the platform may process special categories of personal data on behalf of customers, including health and disability data (leave management), national identification numbers (payroll and compliance), and immigration or work authorization status (contingent workforce management). Such data is processed only on documented customer instruction with appropriate legal basis. Customers are responsible for ensuring lawful collection from their employees and workers.
3. How We Use Information
We use information to:
Provide, operate, maintain, and secure the Services
Authenticate users and administer accounts and access controls within ServiceNow tenant scopes
Execute workforce management workflows: hiring, onboarding, scheduling, performance management, and offboarding
Route AI agent tasks through the HR Concierge orchestration layer and deliver outputs within your tenanted environment
Provide customer support and respond to inquiries
Monitor for fraud, abuse, security incidents, and unauthorized access
Generate aggregated, anonymized analytics to improve the Services — we do not use identifiable customer or End User data for this purpose
Comply with legal obligations and enforce our Terms of Use
No AI model training on your data
Novaworks does not use customer data or End User personal data to train AI models. AI inference is provided via AWS Bedrock under terms that prohibit Amazon from using your data to train foundation models. This commitment is also stated in our Data Processing Agreement.
4. How We Disclose Information
We do not sell personal data. We may disclose information in the following circumstances:
4.1 To service providers and sub-processors
We engage sub-processors that help us run the Services. Current sub-processors include:
Amazon Web Services (AWS) — cloud hosting, storage (S3), database (RDS), and AI inference (AWS Bedrock). AWS does not use your data to train foundation models.
ServiceNow, Inc. — platform layer: ACLs, roles, workflows, REST APIs, decision tables, and per-tenant AI agent transaction storage.
A complete, current sub-processor list is maintained at www.novaworks.ai/legal/sub-processors. Customers receive 30 days’ advance notice before any new sub-processor is added.
4.2 For legal reasons
To comply with applicable law, valid legal process, or a request from a government authority. We will notify affected customers where legally permitted.
4.3 To protect rights and safety
To investigate or prevent fraud, abuse, unauthorized access, or security incidents involving the Services or other customers.
4.4 Business transfers
In connection with a merger, acquisition, financing, or sale of assets, personal data may transfer to the acquiring entity. We will provide reasonable notice and ensure equivalent protections continue.
5. AI Agents and Automated Processing
5.1 How AI agents handle personal data
The platform uses AI agents to automate and assist with workforce management tasks. Each agent operates within a defined ServiceNow application scope, with scoped ACLs and role-based access controls enforcing tenant isolation. Agent transactions — including prompts and input metadata — are logged within the customer’s ServiceNow tenant and are accessible to Customer administrators.
The HR Concierge orchestration layer coordinates specialized agents. All interactions are fully auditable within your tenant.
5.2 Advisory outputs — human review required
AI agents may assist with decisions including candidate screening, workforce scheduling, performance review summaries, and offboarding task generation. These are advisory outputs. Novaworks does not make fully automated decisions producing legal or similarly significant effects on individuals without human review in the loop. Customers are responsible for ensuring human oversight before acting on any AI-generated recommendation.
5.3 Right to explanation and human review
End Users have the right to request an explanation of any AI-assisted recommendation affecting them, and to request that a qualified human review any AI-generated output related to a significant employment decision. Requests should be directed to your employer’s HR administrator or to privacy@novaworks.ai.
6. Cookies and Similar Technologies
Our website (www.novaworks.ai) uses cookies for essential functionality, security, and analytics. The platform itself uses session cookies for authentication; it does not use third-party advertising cookies. You can control cookies through your browser settings, though disabling certain cookies may affect functionality. Our full Cookie Policy is at www.novaworks.ai/legal/cookies.
7. Data Retention
We retain personal data for the duration of your subscription and for legally required periods thereafter:
Active workforce data — Duration of subscription + 90 days post-termination for export
AI agent transaction logs — 90 days within the ServiceNow tenant (configurable per customer policy)
Security and audit logs — Minimum 12 months; high-sensitivity logs 24 months
Deleted account data — Purged within 30 days of a verified deletion request
Customers may request early deletion at any time by contacting privacy@novaworks.ai. Requests are processed within 30 days.
8. Security
We maintain reasonable administrative, technical, and physical safeguards designed to protect information, including:
TLS 1.2+ encryption for all data in transit; AES-256 encryption for data at rest
Multi-factor authentication required for all administrative and production access
Multi-tenant data isolation enforced via ServiceNow ACLs and scoped application architecture
Principle of least privilege access controls, reviewed quarterly
Annual third-party penetration testing and weekly automated vulnerability scanning
SOC 2 Type 2 certification (in progress) — reports available to enterprise customers under NDA
24-hour breach notification to affected customers upon confirmed Security Incident
No system is 100% secure. If you believe a Security Incident has occurred, contact security@novaworks.ai immediately.
9. Your Rights and Choices
Depending on your location, you may have the following rights with respect to personal data we hold about you:
Access — Request a copy of the personal data we hold about you
Correction — Request correction of inaccurate or incomplete data
Deletion / Erasure — Request deletion, subject to legal retention obligations
Restriction — Request we limit processing in certain circumstances
Portability — Receive your data in a structured, machine-readable format
Objection — Object to processing based on legitimate interests
Explanation (AI) — Request explanation of any AI-assisted decision affecting you
Human review (AI) — Request human review of any significant AI-generated recommendation
Withdraw consent — Withdraw consent at any time where processing is consent-based
End Users of enterprise customers should first direct rights requests to their employer’s HR administrator. Direct requests to Novaworks may be submitted to privacy@novaworks.ai. We respond within 30 days (extendable to 60 days for complex requests with prior notice).
California residents have additional rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell personal information. To submit a request, contact privacy@novaworks.ai or visit www.novaworks.ai/legal/privacy.
10. International Data Transfers
Novaworks operates from California with infrastructure primarily in the United States (AWS us-east-1). When personal data is transferred across borders, we ensure appropriate safeguards:
EU/EEA transfers: Standard Contractual Clauses (SCCs) per Commission Decision 2021/914, incorporated into our DPA (www.novaworks.ai/legal/dpa).
UK transfers: UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs.
India: Compliance with the Digital Personal Data Protection Act, 2023 (DPDPA) as applicable rules come into force.
Other jurisdictions: We cooperate with customers to implement any additional required safeguards.
11. Children
The Services are designed for enterprise use and are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child’s data has been submitted, contact privacy@novaworks.ai immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time by posting an updated version and changing the Effective Date. We will notify customers of material changes via email and in-platform notice at least 30 days before they take effect. Continued use of the Services after the effective date constitutes acceptance.
13. Contact
General / privacy requests — privacy@novaworks.ai
Security incidents — security@novaworks.ai
EU/UK Data Protection Officer — dpo@novaworks.ai
Mailing address — 218 Tourney Loop, Los Gatos, California 95030
Website — www.novaworks.ai/legal/privacy
Response SLA — Acknowledgment within 48 hours; substantive response within 30 days
EU/EEA residents who believe we have not adequately addressed a concern may lodge a complaint with their local supervisory authority (edpb.europa.eu/about-edpb/about-edpb/members_en). California residents may contact the California Privacy Protection Agency (cppa.ca.gov).