Security

How we protect your data

You share personal things with Nora. We take that seriously. Nora is currently in beta, which means the product is actively evolving, but security and privacy are not things we plan to add later. They are built into how we work today.

Encryption in transit

All communication between your device and our servers is encrypted over TLS. On iMessage, your messages are additionally protected by Apple's end-to-end encryption before they reach us. On Telegram, messages are encrypted in transit between your device, Telegram's servers, and our servers.

Data storage

Account data and personal context are stored in a database hosted in the EU, which provides encryption at rest. Conversation history is processed on our server within the EEA. Connected account credentials (Google, Microsoft, iCloud, etc.) are additionally encrypted at the application level. They are never stored in plain text and are only used to perform actions you explicitly request.

Action safety

When Nora takes actions on your behalf, like sending an email or modifying your calendar, those actions require cryptographic authorization tokens and are subject to rate limits. You can configure Nora to ask for your confirmation before sending emails or making calendar changes. We never sell your data or share it with advertisers.

AI providers

Your messages are processed by third-party AI providers to generate responses. We use providers whose API terms do not permit training on customer data. Your data is sent solely to generate responses for you, not for advertising, profiling, or model training. For a full list of providers, see our privacy policy.

Who can access your data

We are a small team. Access to production systems is limited to the operator. No one reads your conversations unless you report a specific issue and ask for help. For a full list of who processes your data, see our privacy policy.

What we are working on

Nora is in beta and we are actively improving our security posture. Google OAuth verification for connected Google accounts is currently in progress. We do not yet hold formal security certifications (such as SOC 2), but we follow industry best practices and are working toward independent verification as the product matures.

Found a vulnerability?

We have a responsible disclosure policy. Please report security issues privately before going public. See our Responsible Disclosure page, or email security@nora.fyi.
