Security
Built for operators who can’t afford a leak.
Nicole runs on infrastructure designed for tenant isolation, encrypted at rest, with every cross-tenant access logged. Here’s how it works.
Three layers of isolation
Defense in depth.
One layer is a feature. Three layers is a posture. We block cross-tenant access at the application, the database, and in the test suite — every PR.
Application
Every database call goes through a tenantDb(tenantId) wrapper that sets app.current_tenant_id in a Postgres GUC. Async-local storage carries the tenant context across every async boundary.
Database
Postgres Row-Level Security policies on every tenant-scoped table. Policies fail closed when no context is set — a misconfigured query returns zero rows, never another tenant's rows.
Tests
A dedicated isolation test suite runs on every PR. Cross-tenant access attempts are explicit test cases; a regression blocks merge before code lands. We treat tenant isolation as a non-negotiable invariant.
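What the database layer described above looks like in Postgres, as an added example written for this page (it is not Nicole's own schema, policy text or wrapper code); the table, column, function and role names are assumptions:

```sql
-- Added example: a fail-closed tenant policy keyed on the app.current_tenant_id GUC.
-- Table, column, function and role names are assumptions, not Nicole's schema.

CREATE TABLE contacts (
  id        bigserial PRIMARY KEY,
  tenant_id uuid NOT NULL,
  email     text NOT NULL
);

-- Enable RLS and force it even for the table owner. The application role
-- (app_user here) must be a non-superuser without BYPASSRLS, or no policy applies.
ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
ALTER TABLE contacts FORCE ROW LEVEL SECURITY;

-- Read the tenant from the GUC. missing_ok = true returns NULL instead of raising
-- when the setting was never defined in this session; NULLIF also maps the empty
-- string (what a session sees after a previous SET LOCAL's transaction ended) to NULL.
CREATE FUNCTION current_tenant_id() RETURNS uuid
  LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.current_tenant_id', true), '')::uuid
  $$;

-- With no tenant context current_tenant_id() is NULL, the comparison is NULL,
-- and the policy admits no rows: zero rows, never another tenant's rows.
-- WITH CHECK applies the same rule to INSERT/UPDATE so a row can't be written
-- under the wrong tenant either.
CREATE POLICY tenant_isolation ON contacts
  FOR ALL TO app_user
  USING (tenant_id = current_tenant_id())
  WITH CHECK (tenant_id = current_tenant_id());

-- What a per-request tenantDb(tenantId) wrapper issues: SET LOCAL scopes the GUC
-- to this transaction, so a pooled connection cannot carry it into the next request.
BEGIN;
SET LOCAL app.current_tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT count(*) FROM contacts;   -- only this tenant's rows
COMMIT;

-- The check an isolation test suite would assert on: outside that transaction the
-- GUC is unset (or empty), so this must return 0 even if the table holds rows.
SELECT count(*) FROM contacts;
```

Run the two counts as app_user, not as the table owner or a superuser, or the test passes for the wrong reason.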
What’s in place
Security highlights.
Authentication
Local, self-hosted. Argon2id passwords. Server-side opaque session tokens with revocation. Optional TOTP MFA.
Encryption
Per-tenant data encryption keys derived from a platform master key. Tokens encrypted before DB write.
Tenant isolation
Postgres Row-Level Security on every tenant-scoped table. Fail-closed when context is unset.
Audit logging
Two-tier append-only logs (tenant and platform). Every action you or we take leaves a trail.
Privacy
US-hosted today. EU residency on the post-beta roadmap. No training on your data.
Operator access
Time-boxed break-glass with required reason. Every cross-tenant read is logged. You can audit us auditing.
Inbound contact gate
Per-tenant contact policy bounces unallowlisted senders before the agent runs. Optional DKIM verification on always-allow domains defends against From-header spoofing. Auto-bounce reply with bot filter.
Subprocessors
Who else touches your data.
Subprocessor | Service | Location
Supabase | Postgres, Vault | US
Anthropic | Claude (zero-retention) | US
Resend | Email ingress + egress | US
Microsoft Graph | Calendar (delegated) | Customer-selected
Zoom | Meeting create (optional) | US
Vercel | Hosting | US edge
Inngest | Background jobs | US
Axiom + Sentry | Logs + errors | US
Read the full subprocessor list with DPAs at /subprocessors.
Roadmap
Honest about where we are.
Now: Beta
Internal practices documented; subprocessor list public; data export and delete supported.
Next: SOC 2 Type 1 (post-beta)
Observation period after first paying customers; certification follows.
Future: ISO 27001 + EU residency (v3)
Regional cells, customer-managed keys, formal threat-model review.
Found something? Email us.
We commit to a 1-hour acknowledgment, 90-day responsible disclosure, and named credit if you want it. Send your finding to security@nicoleassist.com.
Trust shouldn’t be a roadmap promise.
Beta tenants run with these protections from day one. Connect a calendar, look at the audit log, and decide for yourself.