Security
Last updated: 2026-05-09
The short version
Nodus runs on managed infrastructure with encryption at rest and in transit, single sign-on for the team, row-level isolation between tenants, and centralized monitoring. We’ll publish formal certifications as we earn them.
Working in a locked-down environment
Nodus is a 100% browser-based web application. There’s nothing to install, no browser extensions to enable, and no privileged permissions required. If your team is on company-managed laptops with software restrictions, Nodus runs without IT intervention.
For corporate networks that allowlist domains, give your IT team this short list of outbound destinations Nodus uses on standard HTTPS port 443:
- nodusos.ai (and all subdomains)
- *.clerk.accounts.dev / *.clerk.com (authentication)
- *.supabase.co (database + storage)
- *.anthropic.com (specialist responses)
- *.composio.dev (third-party tool connections)
- *.vapi.ai (voice, optional)
- *.stripe.com (payments)
- *.posthog.com (product analytics)
- *.sentry.io (error monitoring)
Need a downloadable IT review packet? Email security@nodusos.ai and we’ll send our subprocessor list, DPA template, and network requirements doc.
Browser support
Nodus officially supports the latest two major versions of Chrome, Edge, Safari, and Firefox on macOS, Windows, iOS, and Android. Voice features require WebRTC (built into all supported browsers). If your corporate network blocks WebRTC, our inbound phone receptionist is a complete fallback for voice.
AI providers and your data
Specialist responses are generated by Anthropic’s Claude. Anthropic’s commercial terms — which apply to all Nodus customer data — explicitly state that customer inputs and outputs are not used to train models.
Voice (when enabled) routes through Vapi, which stacks speech-to-text and text-to-speech providers. Vapi’s data-handling terms also exclude training on customer audio.
Third-party tool connections (Gmail, QuickBooks, etc.) route through Composio for OAuth and dispatch. Composio acts as a processor, not a controller; tokens are encrypted at rest and scoped per tenant.
Plaid (when used for bank connections) is a regulated financial data provider. Bank account credentials are never seen by Nodus — the user authenticates directly with their bank through Plaid’s embedded interface.
Data residency
All application data is stored in US regions. Vercel application hosting, Supabase Postgres, Clerk, Stripe, and Anthropic API calls all run on US infrastructure. We don’t move customer data outside the US.
Hosting
The application runs on Vercel (US regions). Application data lives in Supabase Postgres, which is hosted on AWS. Backups are managed by Supabase and are encrypted.
Encryption
- TLS 1.2+ in transit on every public endpoint.
- AES-256 at rest for the application database, file storage, and backups.
- Secrets stored in Vercel and Supabase secret managers, never in source control.
Tenant isolation
Customer data is partitioned by tenant in Postgres. Row-level security is enabled on every customer table; service-role access is limited to server-side code paths that scope queries by tenant. We review access patterns as we add new features.
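The paragraph above describes the pattern without showing it. The following is an added illustration of what per-tenant row-level security in Postgres looks like, written for this page; it is not Nodus’s schema or code. The table name customer_documents, the tenant_id column, the application role app_user and the session variable app.tenant_id are all assumed, and the tenant IDs are constructed values. One caveat a reviewer will want to keep in mind: a policy only binds roles it names and roles without BYPASSRLS, and a Supabase service-role key bypasses RLS entirely, so for the service-role code paths the page mentions, the tenant scoping in server-side queries is the control, not the policy.

```sql
-- Added example: minimal per-tenant RLS (assumed names, not Nodus's schema).
-- Assumptions: an application role "app_user" that does not own the table,
-- a tenant_id column on every customer table, and server-side code that sets
-- app.tenant_id for the duration of each transaction before querying.

CREATE ROLE app_user NOLOGIN;

CREATE TABLE customer_documents (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    title      text NOT NULL,
    body       text
);

GRANT SELECT, INSERT, UPDATE, DELETE ON customer_documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE customer_documents_id_seq TO app_user;

-- Policies do nothing until RLS is enabled; FORCE applies them to the owner too.
ALTER TABLE customer_documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE customer_documents FORCE ROW LEVEL SECURITY;

-- One policy for reads and writes: a row is visible or writable only if it
-- belongs to the tenant the current transaction was scoped to.
-- NULLIF(..., '') matters: after a SET LOCAL expires the variable reads as an
-- empty string, and ''::uuid would raise instead of matching nothing.
CREATE POLICY tenant_isolation ON customer_documents
    FOR ALL
    TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Server-side code path: scope the transaction to one tenant, then query normally.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed tenant id
INSERT INTO customer_documents (tenant_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Q1 plan');
SELECT id, title FROM customer_documents;  -- returns only this tenant's rows
COMMIT;

-- Check 1: writing a row tagged with another tenant from a scoped transaction
-- fails the WITH CHECK clause ("new row violates row-level security policy").
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO customer_documents (tenant_id, title)
    VALUES ('22222222-2222-2222-2222-222222222222', 'someone else''s doc');
ROLLBACK;

-- Check 2: a code path that forgets to set the tenant sees zero rows rather
-- than every tenant's rows, because the USING clause compares against NULL.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM customer_documents;  -- 0
COMMIT;
```

Running the two checks after every schema change is a cheap way to catch a new customer table that was created without the policy, which is the usual way this kind of isolation silently regresses.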
Authentication and access
User auth is handled by Clerk. Customer admins can require SSO and multi-factor for their team. Internal Nodus access uses single sign-on with mandatory MFA, scoped permissions, and audit logging.
Payments
Card data is collected and stored by Stripe (PCI DSS Level 1). We don’t see, store, or transmit raw card numbers.
Monitoring and incident response
We use Sentry for error monitoring and Vercel/Supabase platform metrics for uptime and performance. If a security incident affects you, we’ll notify you within 72 hours of confirmation, with what we know and what we’re doing about it.
Backups and durability
Continuous database backups with point-in-time recovery, retained for up to 30 days. We test restore procedures regularly.
Vendor review
Subprocessors are listed on the privacy page. We review each one for security posture and contract terms before relying on them.
Reporting a vulnerability
If you find a security issue, please email security@nodusos.ai with steps to reproduce. Don’t exploit it, and don’t share it publicly until we’ve had time to fix it; we’ll acknowledge your report within two business days.
Roadmap
- SOC 2 Type I — in progress, expected this year
- HIPAA BAA capability — for health & wellness customers
- Per-tenant audit logs — visibility into who used which specialist
- SAML SSO on Pro and Team tiers
- Public status page
We’ll update this page as items ship. If your firm needs any of these to start using Nodus, email us — we prioritize the roadmap based on real customer asks.