Security & Trust
Built for enterprise. Trusted by clients.
Your operational data is sensitive. Every decision we made in building Nuromi was made with that in mind: privacy by design, not privacy by policy. Here is exactly how your data is protected.
Your data stays in your region
Nuromi is hosted on regional infrastructure. For Australian customers that's Supabase Sydney (AWS ap-southeast-2) and Vercel Sydney edge. Records, logs and compliance documents never leave your region. Built to align with the Australian Privacy Act 1988 and the Australian Privacy Principles from day one. US, UK and EU residency available for international customers.
End-to-end encryption
All data in transit is protected with TLS 1.3. All data at rest is encrypted with AES-256. This applies to every piece of information Nuromi handles: financial records, attendance, inspection scores, staff compliance status and incident data.
Data minimisation architecture
When the AI analyses your business, it never receives raw records. A server-side aggregation layer first reduces your data to anonymised totals, averages, and trends. Only that aggregated context crosses the boundary to the AI. No employee names, no individual transaction records, no personally identifiable information. This is an architectural constraint, not a policy.
Your data is never used to train AI
Nuromi's insights are powered by Anthropic's Claude API under enterprise terms with zero data retention. Your data is never stored by the model, never used to train public AI, and Anthropic cannot access it. Both protections, zero retention and no training, apply simultaneously.
Complete data isolation
Your business is yours alone. Database-level Row-Level Security makes it architecturally impossible for one organisation's data to appear in another's view. If you run client portals, each of your clients sees only their own data, never each other's, regardless of how permissions are configured.
Granular role-based access
You control who sees what. Executives, managers and frontline stakeholders each get different access levels. Dashboard views, data exports and AI reports are all permission-controlled and scoped to the roles you approve, enforced at the database level, not just hidden in the interface.
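The tenant isolation and database-level role scoping described in the two sections above, shown as an added Postgres row-level security example written for a Supabase project (illustrative only, not Nuromi's own schema); the memberships and records tables, the column and role names, and the policy names are assumptions, while auth.uid() is Supabase's built-in helper that returns the calling user's id from the session JWT:

```sql
-- Added example, not Nuromi's schema: assumed tables for organisation membership
-- and per-organisation records. auth.uid() is Supabase's JWT-backed helper.
create table if not exists memberships (
  user_id uuid not null,
  org_id  uuid not null,
  role    text not null check (role in ('executive', 'manager', 'frontline')),
  primary key (user_id, org_id)
);

create table if not exists records (
  id      bigserial primary key,
  org_id  uuid not null,
  amount  numeric not null,
  created timestamptz not null default now()
);

-- Enabling RLS denies everything until a policy grants it; FORCE makes the
-- policies apply even to the table owner, so application code cannot bypass them.
alter table records enable row level security;
alter table records force row level security;

-- Tenant isolation: a user can only read rows of organisations they belong to.
-- A non-member querying another org's data gets an empty result, not an error.
create policy records_tenant_read on records
  for select
  using (
    org_id in (select org_id from memberships where user_id = auth.uid())
  );

-- Role scoping enforced in the database: only executives and managers of that
-- same organisation may insert, whatever the user interface shows or hides.
create policy records_manager_write on records
  for insert
  with check (
    exists (
      select 1 from memberships m
      where m.user_id = auth.uid()
        and m.org_id  = records.org_id
        and m.role    in ('executive', 'manager')
    )
  );
```

A practical check is to run `select count(*) from records` in a session authenticated as a user who belongs to one organisation and confirm the count covers only that organisation's rows; an insert with a foreign org_id from a frontline user should be rejected by the with check clause.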
Passwordless authentication
There are no passwords in Nuromi. Accounts are accessed via a one-time secure magic link sent to your inbox. No passwords to steal, reuse, or phish. Employees never set a password and never reuse one from another service.
Credential vault & zero standing access
Every OAuth integration token (Xero, Deputy, Salesforce, and all others) is stored in Supabase Vault: a separately encrypted secrets store, never in application code or environment variables. No Nuromi team member has standing access to production customer data. Any access is time-limited, approved, and fully logged.
Full audit trail
Every login, data access and AI-generated report is logged with timestamp, user identity and action taken. You have full visibility into how your platform is being used, and audit-ready records are available on request. In the event of a confirmed breach, affected customers are notified within 72 hours as required by the Australian Privacy Act 1988 and GDPR.
No vendor lock-in
Your data is exportable in standard formats at any time. If you ever want a full extract (records, attendance, compliance logs) you get it immediately in CSV or JSON. Payment data is handled exclusively by Stripe (PCI DSS Level 1); Nuromi never stores or processes card numbers.
Security questions from your IT or compliance team?
We're happy to walk your technical stakeholders through the architecture, complete a security questionnaire, or provide documentation for procurement and due diligence.
Subprocessors: Supabase (AU, SOC 2 Type II) · Anthropic (zero retention) · Stripe (PCI DSS Level 1) · Vercel · Nango · Resend