nab.it holds your tasks, ideas, and notes — so trust is part of the product, not a footnote. This page is the plain-language summary of our security posture and where we are on formal compliance. For how the protections work in detail, see our security & privacy page.
Where we stand on SOC 2
We are not yet SOC 2 certified — SOC 2 Type I is on our roadmap. SOC 2 is an independent attestation, issued by a CPA firm, that a company's security controls are designed (Type I) and operating over time (Type II). The good news for you: the expensive, technical half is already strong here — encryption, per-account isolation, and default-deny database rules are in place. The remaining work is organizational: formalizing written policies, access reviews, incident response, vendor agreements, and evidence collection.
We'll update this page the moment an attestation is issued, and we will never claim a certification we don't hold. If your team needs compliance detail to evaluate nab.it, email info@nab.it.com.
Controls already in place
- Per-account isolation. Every nab is readable only by you; the database denies all direct client writes — changes go through our authenticated server.
- Encryption in transit and at rest. HTTPS/TLS everywhere; data encrypted at rest on Google Cloud. Connected-calendar tokens get an extra layer of app-level AES-256-GCM encryption and are never stored in the clear.
- AI that only suggests. AI proposes; it never moves, completes, or deletes anything on its own. Every AI route is authenticated, rate-limited, spend-capped, and its output is schema-validated. Your content is treated as inert data, never as instructions.
- Offline-first. Capture, organize, and complete with no connection; your data lives on your device too, not only in the cloud.
- Change control & monitoring. All changes flow through version control and CI (static analysis, tests, and database-rule tests on every change); security-relevant events are logged.
See the security & privacy page for the full detail.
Subprocessors
We keep the list of third parties that may process data on our behalf short and transparent. Each is an established provider with its own security program; we review their compliance as part of vendor management.
- Google Cloud / Firebase
- Core infrastructure — hosting, the Firestore database, authentication, and storage. Your data is encrypted at rest here.
- Stripe
- Payment processing and subscription billing when you buy a paid plan. Stripe receives only the billing information needed to charge you.
- Anthropic
- Optional AI features (Clarify, Reflect) when you choose to use them. Only the text you ask about is sent, for that one request — it isn't used to train models.
- Google Vertex AI
- Some AI features may use Google's Vertex AI (Gemini). The same handling applies as with Anthropic — your content is never used to train models.
Reporting a concern
Found a security issue? We welcome responsible disclosure — see our disclosure policy and email info@nab.it.com. We act in good faith with researchers who do the same.
Frequently asked
- Is nab.it SOC 2 certified?
- Not yet. SOC 2 Type I is on our roadmap. Our technical controls — encryption, per-account isolation, default-deny database rules — are already in place; the remaining work is formalizing policies, process, and evidence. We'll update this page when an attestation is issued, and we won't claim a certification we don't hold.
- Can I get a security or compliance report?
- If you're evaluating nab.it for your team and need details, email info@nab.it.com. We're happy to share what we can about our controls and roadmap.
- Who can see my data?
- Only you. Every nab is isolated to your account by database rules, and direct client writes are denied — changes go through our authenticated server. We don't sell your data and never train AI models on your notes.
- Where is my data stored?
- On Google Cloud / Firebase infrastructure, encrypted in transit (HTTPS/TLS) and at rest. nab.it is also offline-first, so a copy lives on your device.
This page describes our posture and plans today; it isn't a warranty, a certification, or a substitute for our Privacy Policy and Terms.