Security & Privacy

Your data security and privacy are our top priorities. Learn how we protect your information and comply with global data protection regulations.

Enterprise-Grade Security

GDPR Compliant

Fully compliant with EU General Data Protection Regulation and other global privacy laws.

End-to-End Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256).

Secure Data Centers

Data is stored in SOC 2 Type II certified data centers with a 99.99% uptime guarantee.

Regular Audits

Third-party security audits and penetration tests are performed quarterly.

Access Controls

Role-based access control, multi-factor authentication, and SSO support.

Data Retention

Configurable data retention policies with automatic deletion after specified periods.

Global Infrastructure

Choose your data residency region to comply with local data sovereignty laws.

API Security

OAuth 2.0, API keys with scope limitations, and rate limiting for all integrations.

GDPR Compliance

Nomi is fully compliant with the EU General Data Protection Regulation (GDPR) and other global privacy laws. We are committed to protecting your data and respecting your privacy rights.

Data Processing Agreements

Standard DPAs available for all customers

Right to Access

Export your data anytime in standard formats

Right to Deletion

Delete your account and data with one click

Data Portability

Transfer your data to other services easily

Breach Notification

72-hour notification in case of data breaches

Your Data Rights

Right to Information: Know what data we collect and how we use it

Right to Access: Request a copy of your personal data

Right to Rectification: Correct inaccurate or incomplete data

Right to Erasure: Request deletion of your personal data

Right to Restriction: Limit how we process your data

Right to Portability: Receive and transfer your data

Right to Object: Object to data processing for certain purposes

Automated Decision-Making: Opt out of automated profiling

Data Storage & Infrastructure

Data Encryption

  • In Transit: TLS 1.3 encryption for all data transmission
  • At Rest: AES-256 encryption for stored data
  • Backups: Encrypted daily backups with 30-day retention
  • Key Management: AWS KMS for secure key storage

Data Centers

  • Locations: US (East, West), EU (Frankfurt), Asia (Tokyo)
  • Certification: SOC 2 Type II, ISO 27001 certified facilities
  • Physical Security: 24/7 monitoring, biometric access
  • Uptime: 99.99% SLA with redundant infrastructure

Data Retention

  • Active Data: Stored as long as your account is active
  • Deletion: Permanent deletion within 30 days of request
  • Backups: 30-day rolling backup retention
  • Custom Policies: Enterprise customers can set custom retention

Certifications & Compliance

  • SOC 2 Type II (Certified): Verified controls for security, availability, and confidentiality
  • GDPR (Compliant): General Data Protection Regulation compliant
  • ISO 27001 (In Progress): Information security management certification
  • CCPA (Compliant): California Consumer Privacy Act compliant

Our Privacy Practices

What Data We Collect

We collect only the data necessary to provide our service:

  • Account information (name, email, company details)
  • Customer support messages processed through our platform
  • Company policies and brand guidelines you upload
  • Usage data and analytics to improve our service
  • Integration credentials (encrypted and stored securely)

How We Use Your Data

  • To provide AI-powered reply suggestions for your customer messages
  • To train custom AI models specific to your brand voice (opt-in)
  • To improve our service and develop new features
  • To provide customer support and respond to inquiries
  • To send important service updates and security notifications

What We Don't Do

  • We never sell your data to third parties
  • We never use your data to train public AI models
  • We never share your data with advertisers
  • We never access your data without explicit permission
  • We never retain data longer than necessary

Third-Party Services

We use carefully vetted third-party services that meet our security standards:

  • AWS (hosting and infrastructure)
  • OpenAI (AI processing; data is not used for model training)
  • Stripe (payment processing)
  • SendGrid (email notifications)

All third-party services are bound by strict data processing agreements.

Security Best Practices for Users

Account Security

  • Use strong, unique passwords (12+ characters)
  • Enable two-factor authentication (2FA)
  • Review active sessions regularly
  • Never share your credentials
  • Log out from shared devices

API Security

  • Rotate API keys regularly
  • Use environment variables for keys
  • Implement IP whitelisting when possible
  • Monitor API usage for anomalies
  • Use limited-scope keys where possible

Questions About Security or Privacy?

Our security and privacy teams are here to help address any concerns.

For vulnerability reports, please email security@nomi.ai