Your business data, your rules.
Noematic is built to be the system of record for real businesses. That means tenant isolation, encryption, audit trails, AI guardrails, and a clear vulnerability disclosure process — designed in from day one.
How we protect your data
Eight pillars we hold ourselves to.
Tenant-isolated data
Every account is its own tenant. Every database query, MCP tool call, and IDE session is scoped to that tenant. Cross-tenant access is structurally prevented in the data layer, not just in the UI.
Encryption in transit and at rest
All traffic uses HTTPS with HSTS preload. Data at rest is encrypted by our managed Postgres provider (Neon). Secrets, API keys, and webhook tokens are stored encrypted and never logged.
Strong authentication
Authentication uses NextAuth with secure, HTTP-only session cookies and CSRF protection. Passkey (WebAuthn) and TOTP MFA options are available. Sessions expire automatically.
Full audit trail
Every action your AI takes — invoices sent, contracts signed, automations fired — is recorded with who, what, when, and why. You can review the full audit log inside your account at any time.
AI guardrails
The model can only call tools we explicitly expose, only on your tenant. It cannot run code, make arbitrary HTTP calls, or access another customer's data. Sensitive actions can require human-in-the-loop approval.
Privacy-first telemetry
We collect the minimum we need to operate. We don't sell your data. We don't train shared models on your business data. You can export everything and delete your account at any time.
Hardened infrastructure
We serve a strict Content-Security-Policy, X-Frame-Options DENY, frame-ancestors 'none', a Permissions-Policy lockdown, immutable cache headers for static assets, and an explicit allowlist for third-party scripts.
Responsible disclosure
Found a vulnerability? Email security@noematic.io. We acknowledge reports within one business day, do not pursue good-faith researchers, and credit disclosures with consent.
Data handling practices
- Where is my data stored?
- Your business data lives in a managed Postgres database (Neon). Files and uploads use Vercel Blob. Both providers offer encryption at rest and SOC 2 compliance through their own certifications.
- Do you train AI models on my data?
- No. Your tenant data is not used to train shared or third-party models. When you use the built-in AI chat, the model provider sees only the messages and tool results from your session, governed by their data-processing terms.
- How does tenant isolation work?
- Every record in our database has a tenant ID. Every authenticated request resolves to a tenant context, and every query filters by that tenant ID at the data layer. MCP tool calls do the same — there is no path for one tenant's AI to read another tenant's data.
- How do I export or delete my data?
- Export is built in: you can download your clients, invoices, documents, and audit log from your account at any time. Account deletion permanently removes your tenant data after a short retention window for backups.
- What happens if a third-party integration is compromised?
- Integration credentials are stored encrypted, scoped per tenant, and revocable from your account. If a provider issues a security advisory, we rotate affected credentials and notify impacted accounts.
- Do you offer a DPA or BAA?
- We offer a Data Processing Addendum to customers who need one for GDPR/UK GDPR compliance. Email legal@noematic.io. We do not currently offer a HIPAA BAA; do not store PHI in Noematic.
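The tenant-isolation answer above describes filtering every query by tenant ID at the data layer and resolving the tenant from the authenticated request rather than from the caller. The following is an added illustration of that pattern in Python with an in-memory SQLite table; it is not Noematic's code, and the table, tool name, and session shape are assumptions.

```python
import sqlite3

class TenantContextMissing(Exception):
    """Raised when the data layer is reached without a resolved tenant."""

class TenantScopedRepo:
    """Hypothetical data-layer wrapper (not Noematic's code): the tenant_id is
    fixed at construction and injected into every query, so a caller cannot
    reach another tenant's rows even by supplying a matching invoice number."""

    def __init__(self, conn, tenant_id):
        if not tenant_id:
            raise TenantContextMissing("request did not resolve to a tenant")
        self.conn, self.tenant_id = conn, tenant_id

    def create_invoice(self, number, amount_cents):
        self.conn.execute(
            "INSERT INTO invoices (tenant_id, number, amount_cents) VALUES (?, ?, ?)",
            (self.tenant_id, number, amount_cents))

    def get_invoice(self, number):
        # The tenant filter is added by the repository, never by the caller.
        row = self.conn.execute(
            "SELECT number, amount_cents FROM invoices WHERE tenant_id = ? AND number = ?",
            (self.tenant_id, number)).fetchone()
        return None if row is None else {"number": row[0], "amount_cents": row[1]}

def handle_tool_call(conn, session, tool, args):
    """Simulated MCP-style tool dispatch (assumed shape): the tenant comes from
    the authenticated session, never from the model-supplied arguments."""
    repo = TenantScopedRepo(conn, session.get("tenant_id"))
    if tool == "get_invoice":
        return repo.get_invoice(args["number"])
    raise ValueError(f"tool not exposed: {tool}")

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (tenant_id TEXT NOT NULL, number TEXT NOT NULL,"
                 " amount_cents INTEGER NOT NULL, UNIQUE (tenant_id, number))")
    return conn

def demo():
    """Constructed scenario: two tenants share an invoice number; the model's
    arguments name tenant-a, but the session belongs to tenant-b."""
    conn = setup_db()
    TenantScopedRepo(conn, "tenant-a").create_invoice("INV-1", 12500)
    TenantScopedRepo(conn, "tenant-b").create_invoice("INV-1", 99)
    return handle_tool_call(conn, {"tenant_id": "tenant-b"}, "get_invoice",
                            {"number": "INV-1", "tenant_id": "tenant-a"})
```

Running `demo()` returns tenant-b's invoice (amount 99), and a session with no tenant raises before any query is executed.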
Found a security issue?
Please report it to security@noematic.io. We respond within one business day, do not pursue good-faith researchers, and credit disclosures with your consent.
For our machine-readable disclosure policy see /.well-known/security.txt.