Client Data Security · Enforced

Your data stays yours. We keep only what you save, and we never sell, share, or train models on it.

Tenant-isolated queries · TLS 1.2+ in transit · AES-256 at rest · HMAC-signed session cookies · scoped OAuth tokens you can revoke · least-privilege access · immutable audit trail · point-in-time restore on Neon · Anthropic zero-training on all AI calls (zero-retention upgrade requested). Aligned with SOC 2 control families and NIST 800-53 guidance. One-click purge under Settings → Danger Zone.

Compliance

How we protect your financial data

NOESIS CFO is a B2B FinTech SaaS built for operators and fractional CFOs. This page is a candid summary of what is live today, what is available on request, and what is still on the roadmap. If you are filling out a vendor questionnaire, email support@noesiscfo-io.us and we will turn it around fast.

Last reviewed 2026-04-19. Companion pages: Privacy · Terms · Data Handling · Disclosures

Tenant isolation

Live

Every Organization-scoped query runs through resolveOrgForSession / resolveOrgScope. Cross-tenant bypasses (including founder-admin escapes) are automatically blocked by the noesis-review audit script on every commit.

AGENTS.md, lib/security/org-scope.ts

Encryption in transit & at rest

Live

All user traffic is TLS 1.2+ (HSTS preload in production). Primary datastore is Neon managed Postgres with storage-level AES-256 encryption. Secrets are stored in Vercel encrypted environment variables, never in the repo.

next.config.ts security headers, Neon platform

No-retention posture + self-serve purge

Live

Customer financial data is only kept while actively in use. Any signed-in user can purge all workspace content immediately from Settings > Profile. The purge runs in a single atomic transaction with password step-up, typed email confirmation, and a confirmation email to the account on file. Operational backups are purged within 30 days.

/api/user/purge-data, /legal/data-handling

Stripe SAQ A scope

Live

NOESIS never touches raw card data. Checkout runs inside Stripe Checkout or Stripe Elements (iframes). We store only the Stripe customer/subscription IDs and webhook event log, which keeps us inside the PCI DSS SAQ A scope.

server/billing/*, Stripe Checkout

AI provider terms - zero-training

Live

Primary inference is Anthropic Claude on the API (zero-training and 30-day retention by default). When Anthropic is unavailable we fail over to the Vercel AI Gateway, which also forwards to non-training providers. We do not use any consumer ChatGPT or public LLM surface.

lib/ai/anthropic-client.ts

CSRF + rate limiting + CSP

Live

All state-changing routes require same-origin POSTs with JSON bodies. Destructive endpoints (purge, admin writes) have their own Upstash-backed rate limits. Every response carries a strict Content-Security-Policy, X-Frame-Options: DENY, Permissions-Policy, and Referrer-Policy header.

lib/security, next.config.ts
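As an added example (not the project's lib/security code), one way the same-origin JSON POST rule described above can be checked as a pure function; the type and function names and the allowedOrigin parameter are assumptions:

```typescript
// Added example (not the project's lib/security code): a framework-independent
// check for the rule "state-changing routes require same-origin POSTs with JSON
// bodies". Names and the allowedOrigin parameter are assumptions.
type RequestShape = {
  method: string;
  headers: Record<string, string | undefined>; // lower-case header names
};
type Verdict = { ok: boolean; reason: string };

function originOf(url: string | undefined): string | undefined {
  if (!url) return undefined;
  try {
    return new URL(url).origin;
  } catch {
    return undefined; // malformed Referer: treat as absent, fail closed below
  }
}

// Returns a verdict instead of throwing so the caller can write the reason
// to an audit table before answering 403.
function checkStateChangingRequest(req: RequestShape, allowedOrigin: string): Verdict {
  if (req.method.toUpperCase() !== "POST") {
    return { ok: false, reason: "method must be POST" };
  }
  const contentType = (req.headers["content-type"] ?? "").toLowerCase();
  // A plain HTML <form> cannot send application/json, and a cross-site fetch()
  // with a JSON body is gated by a CORS preflight, so this blocks classic CSRF.
  if (!contentType.startsWith("application/json")) {
    return { ok: false, reason: "body must be application/json" };
  }
  // Browsers that send Sec-Fetch-Site let us reject cross-site early;
  // "none" is a direct navigation or a non-browser client and falls through
  // to the Origin check.
  const fetchSite = req.headers["sec-fetch-site"];
  if (fetchSite !== undefined && fetchSite !== "same-origin" && fetchSite !== "none") {
    return { ok: false, reason: `sec-fetch-site=${fetchSite}` };
  }
  // Origin is mandatory on browser POSTs; fall back to Referer's origin and
  // fail closed when neither is present or they do not match.
  const origin = req.headers["origin"] ?? originOf(req.headers["referer"]);
  if (origin === undefined) {
    return { ok: false, reason: "missing Origin and Referer" };
  }
  if (origin !== allowedOrigin) {
    return { ok: false, reason: `origin ${origin} is not ${allowedOrigin}` };
  }
  return { ok: true, reason: "same-origin JSON POST" };
}
```

The rate limits and response headers the page lists are separate layers; this check only covers the request-shape rule.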

Audit trail

Live

Security-relevant events (login, password change, purge attempts, live-agent escalations, step-up failures) are written to a SecurityEvent table with IP, user-agent, and event metadata. Audit rows are retained even when customer data is purged.

prisma schema: SecurityEvent

Data Processing Addendum (DPA)

Live

A GDPR-/CCPA-compatible Data Processing Addendum is self-serve at /legal/dpa. One checkbox plus four fields counter-signs the active version, records an immutable signature row with the full sub-processor list and SCCs Module 2, and emails the signer a receipt. Required before first upload or integration connection.

/legal/dpa

AI Use Policy (EU AI Act / AB 2013 / CO SB 24-205)

Live

Standalone AI Use Policy at /legal/ai-use discloses the Anthropic Claude 4.7 model family (zero-retention, no training on customer data), what data reaches the model, enforced server-side guardrails (no figure invention, no legal/tax/fiduciary advice, injection defense, authority-cited tax commentary only), AI output labeling, and a per-workspace opt-out. Clickwrap-acknowledged at sign-up and on updates via the reacceptance gate.

/legal/ai-use

SOC 2 Type II

On roadmap

SOC 2 Type II is on the public roadmap. Controls inventory and evidence collection are underway; we are not yet audit-ready. We are happy to share our controls narrative and gap assessment under NDA.

Roadmap - contact support@noesiscfo-io.us

Responding to security questionnaires

Send your SIG / CAIQ / custom questionnaire to support@noesiscfo-io.us. We usually turn items around within 3 business days. For urgent procurement timelines, note it in the subject and we will prioritize.

Report a vulnerability

If you believe you have found a security issue in NOESIS CFO, email support@noesiscfo-io.us. We will acknowledge within 1 business day. Please do not share exploit details on public channels until we have had a chance to remediate.