Skip to content
Logo

Search Documentation

Search through all documentation pages

Security & Privacy

How Nanabase protects your data with bank-grade encryption, privacy-first architecture, and enterprise security practices.

6 min readUpdated Dec 2024

Security & Privacy#

We built Nanabase with security and privacy at its core. Your professional relationships are sensitive data—we treat them that way.

Our Security Principles#

Privacy-First Architecture#

Everything is private by default:

  • Contacts start in your private vault
  • You explicitly choose what to share
  • No automatic data collection
  • No selling or sharing data with third parties

Defense in Depth#

Multiple layers of security:

  • Encryption at rest and in transit
  • Strong authentication
  • Role-based access control
  • Regular security audits

Minimal Data Collection#

We only collect what's necessary:

  • No tracking beyond product features
  • No analytics selling
  • No advertising
  • Transparent data practices

Data Encryption#

Encryption at Rest#

All data stored in our databases is encrypted:

  • Database encryption: AES-256 encryption
  • PII fields: Additional encryption using Google Cloud KMS
  • Backup encryption: Encrypted backups with separate keys

Encryption in Transit#

All data moving through our systems is protected:

  • HTTPS everywhere: TLS 1.3
  • No plain HTTP: Enforced HTTPS
  • Certificate pinning: On mobile apps

Key Management#

Encryption keys are:

  • Stored in Google Cloud KMS
  • Rotated regularly
  • Never stored with data
  • Access logged and audited

Authentication#

Passwordless Login#

We use magic link authentication:

  • No passwords to steal or forget
  • Each link valid for 15 minutes
  • Single use
  • IP and device logged

Session Security#

Sessions are secured by:

  • HttpOnly cookies: Cannot be accessed by JavaScript
  • Secure flag: Only transmitted over HTTPS
  • SameSite: Protection against CSRF attacks
  • 30-day expiry: Automatic session timeout

Two-Factor Authentication#

Add an extra layer with 2FA:

  • Authenticator app (TOTP)
  • Protects against stolen devices
  • Optional or required (admin setting)

Set up 2FA →

Access Control#

Role-Based Permissions#

Four distinct roles with different access:

| Role | Access Level | |------|--------------| | Owner | Full control | | Admin | Management access | | Member | Standard access | | Viewer | Read-only |

Learn about roles →

Tenant Isolation#

Company workspaces are completely isolated:

  • Separate data storage
  • No cross-company access
  • Subdomain-based routing
  • Strict access controls

Session Validation#

Every request is validated:

  • Session token verification
  • Company membership check
  • Role permission check
  • Rate limiting

Data Privacy#

Your Data, Your Control#

Private contacts:

  • Owned by you, not your employer
  • Visible only to you
  • Portable when you leave
  • Exportable anytime

Shared contacts:

  • You choose what to share
  • Clear attribution
  • Can be unshared (by admins)

Data Retention#

Active data: Retained while your account is active.

Deleted data:

  • Contacts: Recoverable for 30 days, then permanently deleted
  • Accounts: Deleted after 30-day grace period
  • Audit logs: Retained per your plan (90 days to 7 years)

Data Export#

Export your data anytime:

  • Full export of private contacts
  • Company export (admins)
  • Standard CSV format
  • No lock-in

How to export →

Data Deletion#

Request data deletion:

  • Delete contacts anytime
  • Delete account with full data removal
  • Company deletion removes all company data

Infrastructure Security#

Hosting#

Nanabase runs on secure cloud infrastructure:

  • Vercel: Application hosting (SOC 2 compliant)
  • Google Cloud: Firebase and Cloud services (SOC 2, ISO 27001)
  • Geographic: US and EU regions available

Network Security#

  • Firewall protection: WAF and DDoS protection
  • Rate limiting: Protection against abuse
  • IP monitoring: Suspicious activity detection

Application Security#

  • Input validation: All inputs sanitized
  • SQL injection: Protected by design (Firestore)
  • XSS protection: Content Security Policy
  • CSRF protection: Token validation

Compliance#

GDPR#

We're GDPR compliant:

  • Data minimization
  • Right to access
  • Right to deletion
  • Data portability
  • Processing records

SOC 2#

Our infrastructure providers are SOC 2 certified:

  • Google Cloud Platform
  • Vercel
  • Firebase

Data Processing#

We process data fairly and transparently:

  • Clear privacy policy
  • No hidden data uses
  • Data processing agreements available

Read our Privacy Policy →

Security Practices#

Development Security#

Our development process includes:

  • Code reviews
  • Automated security scanning
  • Dependency vulnerability checks
  • Security-focused architecture reviews

Monitoring#

We continuously monitor for:

  • Unauthorized access attempts
  • Suspicious activity patterns
  • System anomalies
  • Performance issues

Incident Response#

If a security incident occurs:

  1. Immediate investigation
  2. Containment
  3. User notification (if required)
  4. Root cause analysis
  5. Preventive measures

Best Practices for Users#

Account Security#

  • Enable two-factor authentication
  • Use unique email for Nanabase
  • Review active sessions periodically
  • Log out from shared devices

Company Security (Admins)#

  • Regular member audits
  • Remove inactive accounts
  • Use principle of least privilege
  • Monitor audit logs

Data Handling#

  • Don't share sensitive info in notes
  • Be mindful of what you export
  • Report suspicious activity
  • Keep your contact info current

Reporting Security Issues#

Responsible Disclosure#

If you discover a security vulnerability:

  1. Email security@nanabase.co
  2. Include details and reproduction steps
  3. Don't disclose publicly
  4. We'll respond within 48 hours

Bug Bounty#

We appreciate security researchers. Contact us about our bug bounty program for details on scope and rewards.

Frequently Asked Questions#

Is my data encrypted? Yes. All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Sensitive PII fields have additional encryption via Google Cloud KMS.

Can Nanabase employees see my contacts? Access is strictly limited and logged. Only authorized personnel can access data for support purposes, with full audit trail.

What happens if Nanabase is acquired? Your data rights are protected. Any acquirer must honor our privacy commitments or you'll be notified with options.

Where is my data stored? Data is stored in Google Cloud, primarily in US regions. EU customers can request EU-only storage.

How do I report a security concern? Email security@nanabase.co with details. We take all reports seriously.

Is Nanabase HIPAA compliant? Not currently. If you need HIPAA compliance, contact us about enterprise options.

Privacy Policy

Full privacy policy

Terms of Service

Terms and conditions

Account Security

Secure your account

Roles & Permissions

Access control