Trust & security
Noet connects to the tools you already use. That means we take access seriously: least privilege, encryption in transit, careful logging defaults, and subprocessors we can name. This page summarizes how we think about risk, what certifications are on our roadmap, and how we operate day to day—not a substitute for your own legal review, but an honest map of our posture.
Compliance & attestations
We don't display certifications we haven't earned. Early releases prioritize engineering controls and transparent subprocessors; formal attestations follow when customers and contracts require them. Typical milestones for a product like Noet:
- The most common ask from B2B buyers: independent validation of security controls over time (not a point-in-time checklist). We treat this as a roadmap item once enterprise traction justifies the audit investment.
- A broader information-security management system, often requested in RFPs alongside or instead of SOC 2. Heavier to maintain; we would align timing with customer demand and team capacity.
- Card payments run through Stripe Checkout; we don't store primary account numbers on our servers. That keeps us out of full PCI DSS assessment scope for typical integrations—while we still secure webhooks, secrets, and access to the Stripe account.
- Not a certificate—a legal framework. If we serve individuals in the EU or UK, we maintain appropriate notices, lawful bases, subprocessors, data subject rights, and transfer mechanisms where data leaves those regions. Privacy terms evolve with the product.
Practices
Plain-language detail on each topic follows. Nothing here is a legal agreement; see our Privacy Policy and Terms for binding language when published.
We design for a local-first desktop footprint: sensitive application data stays on your Mac unless a feature explicitly syncs to our backend. Data in transit uses TLS to services we control and to integrated providers. At rest, cloud services we use apply industry-standard encryption managed by the vendor (for example, encrypted storage in managed databases and object stores).
We avoid shipping secrets in the client bundle, keep tokens in platform-appropriate secure storage where applicable, and treat logs as high-risk: we don't log message bodies or integration payloads by default.
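The logging rule above only holds if the safe behaviour is the zero-effort one. As an added illustration (not Noet's code, and not its actual log schema), here is a structured-log wrapper in JavaScript that strips message bodies, integration payloads and credential-bearing fields by field name before a record is written, keeps only shape information about what it removed, and truncates oversized free-form strings. The field names, the sample webhook and the choice of JavaScript are assumptions for the example.

```javascript
// Added example, not Noet's code: a log wrapper where redaction is the default.
// Assumed: the app emits JSON log records; DENY_FIELDS is illustrative, not a real schema.
const DENY_FIELDS = new Set([
  'body', 'message', 'messages', 'text', 'content', 'payload', 'raw',
  'token', 'access_token', 'refresh_token', 'authorization', 'cookie', 'secret',
]);

const MAX_STRING = 256; // free-form strings longer than this are truncated
const MAX_DEPTH = 8;    // guard against deeply nested or cyclic context objects

// Keep only shape information about a removed value: enough to debug, not to read it.
function describe(v) {
  if (v == null) return '[redacted: empty]';
  if (typeof v === 'string') return `[redacted: string len=${v.length}]`;
  if (Array.isArray(v)) return `[redacted: array len=${v.length}]`;
  if (typeof v === 'object') return `[redacted: object keys=${Object.keys(v).length}]`;
  return `[redacted: ${typeof v}]`;
}

// Walk the context object; denied field names are replaced wherever they occur,
// everything else is copied with long strings truncated.
function redact(value, depth = 0) {
  if (depth > MAX_DEPTH) return '[redacted: depth]';
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = DENY_FIELDS.has(key.toLowerCase()) ? describe(v) : redact(v, depth + 1);
    }
    return out;
  }
  if (typeof value === 'string' && value.length > MAX_STRING) {
    return value.slice(0, MAX_STRING) + `...[truncated ${value.length - MAX_STRING} chars]`;
  }
  return value;
}

// Build the record that would be written; context is nested so app fields cannot
// collide with the envelope fields (ts, level, event).
function buildRecord(level, event, context = {}) {
  return { ts: new Date().toISOString(), level, event, context: redact(context) };
}

function log(level, event, context) {
  const record = buildRecord(level, event, context);
  console.log(JSON.stringify(record));
  return record;
}

// Constructed sample: an integration callback as a developer might be tempted to log it.
const sampleWebhook = {
  integration: 'chat-provider',
  channel: 'C123',
  message: { author: 'u1', text: 'Q3 forecast attached, please keep internal' },
  headers: { authorization: 'Bearer abc.def.ghi', 'x-request-id': 'req-42' },
  payload: '{"big":"blob"}',
  note: 'a'.repeat(300),
};

log('info', 'integration.webhook.received', sampleWebhook);
```

Redacting by field name is deliberately conservative: a misnamed field can still leak, so the deny list should be reviewed whenever a new integration is added, and the record shape (not the content) is what reaches the observability vendor.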
Subprocessors
We rely on specialized providers for payments, backend, hosting, observability, analytics, and model inference. Each link goes to their privacy or trust documentation. The list updates as our architecture evolves.
- Payment processing, billing portal, and subscription lifecycle events.
- Real-time backend, database, and server functions for synced product data.
- Hosting and delivery for the marketing site and related web surfaces.
- Error monitoring and performance signals to diagnose crashes without raw message content.
- Product analytics and event measurement when enabled (no sensitive content by design).
- Hosted language models for features that require generation or classification.
- Hosted language models for features that require generation or classification.
Questions? Dedicated security and privacy aliases may be listed here when they go live—for now, reach the team on the address below.