How we handle your data.

Every contact field is encrypted at rest with AES-256-GCM. Each tenant has its own encryption key. A workspace’s data cannot be decrypted using another workspace’s key — not by us, not by an attacker who manages to read the database.

The keys are managed in a key-management service, not stored next to the data. If you cancel, your tenant key can be retired and the remaining ciphertext becomes unreadable.

Multi-tenant row-level isolation is enforced in the database, not in application code. Every query is scoped to your tenant ID at the Postgres layer. Cross-tenant reads are not a feature flag — they’re a database-level impossibility.

Every mutation is logged with the actor, the affected record, the previous and new values, and the timestamp. Workspace admins can export the full audit trail at any time. Logs are append-only.

Platform admins authenticate with WebAuthn / passkeys — no shared passwords, no SMS-based 2FA. Workspace users sign in with email plus passkey or password; password accounts use Argon2id with per-user salts.

Nexus, our AI assistant, has 60+ tools bound to your workspace schema. It cannot see other tenants. It cannot make outbound calls to external services on your behalf without an explicit, scoped integration. Prompts and outputs are processed via our model provider; payload content is not used to train third-party models.

GDPR-compliant. We have a Data Processing Addendum your legal contact can pull right now — read the DPA.

Right-to-be-forgotten requests are handled in-product: an admin can delete a contact and the audit log records the deletion. Data subject access requests are handled via [email protected].

See also: our Privacy Policy, Terms of Service, and list of subprocessors.