Enterprise-Grade Security
Your data and your clients' data deserve the highest level of protection. We build security into every layer of Notase, from infrastructure to application to process.
How We Protect You
Security at Every Layer
End-to-End Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Your information is protected at every stage.
Workspace Isolation
A multi-tenant architecture with strict row-level security keeps your data completely isolated from every other workspace, so no cross-workspace access is possible.
Privacy by Design
We collect only the data necessary to provide the Service. We never sell your data, never use it for advertising, and never share it with third parties for their purposes.
Role-Based Access Control
Granular permission settings let workspace admins control who can view, edit, create, or delete data. Follow the principle of least privilege across your team.
Secure Infrastructure
Hosted on enterprise-grade cloud infrastructure with 99.9% uptime SLA, automated scaling, DDoS protection, and geographic redundancy.
Regular Security Audits
We conduct regular internal security reviews and third-party penetration testing to identify and remediate vulnerabilities proactively.
Secure Authentication
Industry-standard authentication with bcrypt password hashing, secure session management, CSRF protection, and support for multi-factor authentication.
Global Compliance
Built to comply with GDPR, CCPA/CPRA, and other privacy regulations. Data processing agreements available for enterprise customers upon request.
PCI DSS via Stripe
All payment data is handled by Stripe, which is PCI DSS Level 1 certified, the highest level of payment card security. We never store credit card numbers.
Technical Security Practices
Detailed breakdown of how we secure the Notase platform
Authentication & Session Management
Secure authentication via NextAuth with bcrypt password hashing (cost factor 12), JWT tokens with short expiration, automatic session rotation, and idle timeout. All sessions are invalidated on password change.
CSRF & XSS Protection
Cross-site request forgery (CSRF) tokens are required on all state-changing requests. Content Security Policy (CSP) headers, output encoding, and input validation and sanitization with Zod schemas defend against cross-site scripting.
HTTP Security Headers
Industry-standard security headers including Strict-Transport-Security (HSTS), X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy, and Permissions-Policy.
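A header audit that checks a response against the policy listed above, added here as an example (not Notase's code). The thresholds it applies (a one-year HSTS max-age, no 'unsafe-inline' in the CSP script-src directive) and the sample responses are this example's assumptions, not Notase's actual configuration.

```typescript
// Added example (not Notase's code): audit a response's headers against the
// policy listed above. Thresholds (one-year HSTS max-age, no 'unsafe-inline'
// in CSP script-src) are this example's assumptions, not Notase's settings.
type HeaderMap = Record<string, string>;
// check() returns a finding, or null when the header is acceptable.
interface HeaderRule { name: string; check: (value: string | undefined) => string | null; }
const ONE_YEAR_SECONDS = 31536000;

const RULES: HeaderRule[] = [
  { name: "strict-transport-security", check: (v) => {
      if (v === undefined) return "Strict-Transport-Security missing";
      const age = Number(/max-age=(\d+)/i.exec(v)?.[1]); // NaN when absent
      return age >= ONE_YEAR_SECONDS ? null : `HSTS max-age ${age} is below one year`;
  } },
  { name: "x-frame-options", check: (v) => v === undefined ? "X-Frame-Options missing"
      : v.trim().toUpperCase() === "DENY" ? null : `X-Frame-Options is ${v}, expected DENY` },
  { name: "x-content-type-options", check: (v) =>
      v?.trim().toLowerCase() === "nosniff" ? null : "X-Content-Type-Options should be nosniff" },
  { name: "referrer-policy", check: (v) => (v ? null : "Referrer-Policy missing") },
  { name: "permissions-policy", check: (v) => (v ? null : "Permissions-Policy missing") },
  { name: "content-security-policy", check: (v) => {
      if (!v) return "Content-Security-Policy missing";
      const scriptSrc = /script-src([^;]*)/i.exec(v)?.[1] ?? "";
      return scriptSrc.includes("'unsafe-inline'") ? "CSP script-src allows 'unsafe-inline'" : null;
  } },
];

// Header names are matched case-insensitively, as HTTP requires.
// Returns one finding per failed rule; an empty array means the response passes.
function auditSecurityHeaders(headers: HeaderMap): string[] {
  const lower: HeaderMap = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  return RULES.map((r) => r.check(lower[r.name])).filter((f): f is string => f !== null);
}

// Constructed sample responses (not captured from Notase).
const HARDENED: HeaderMap = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'",
};
const WEAK: HeaderMap = {
  "strict-transport-security": "max-age=300",
  "x-frame-options": "SAMEORIGIN",
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
};
console.log(auditSecurityHeaders(WEAK)); // six findings
```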
Input Validation & Sanitization
All user input is validated server-side using Zod schemas with strict type checking. Parameterized queries via Prisma ORM prevent SQL injection. File uploads are scanned and restricted by type and size.
Database Security
PostgreSQL with connection pooling, parameterized queries only (no raw SQL), automatic workspace scoping via middleware, encrypted connections, and regular automated backups with point-in-time recovery.
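The "automatic workspace scoping via middleware" above (and the row-level isolation promised under Workspace Isolation) can be illustrated with a guard shaped like a Prisma middleware, added here as an example that is not Notase's code. The model names, the session shape, the rewrite of findUnique to findFirst and the fail-closed handling of uncovered actions are this example's assumptions.

```typescript
// Added example (not Notase's code): a tenant-scoping guard shaped like a Prisma
// middleware (params.model / params.action / params.args). The model names, the
// session shape and the fail-closed policy are this example's assumptions.
type Args = Record<string, any>;
interface QueryParams { model?: string; action: string; args: Args }
interface Session { workspaceId: string }

class WorkspaceScopeError extends Error {}

// Models that carry a workspaceId column and must always be filtered by it.
const SCOPED_MODELS = new Set(["Listing", "Client", "Document"]);
const FILTERED = new Set(["findMany", "findFirst", "findUnique", "count", "update", "updateMany", "delete", "deleteMany"]);
const CREATES = new Set(["create", "createMany"]);

// Refuse rather than silently overwrite a workspaceId the caller supplied for
// another tenant: a mismatch is a bug or an abuse attempt and should surface in logs.
function assertOwn(ws: unknown, session: Session, ctx: string): void {
  if (ws !== undefined && ws !== session.workspaceId) {
    throw new WorkspaceScopeError(`${ctx} targets workspace ${String(ws)}, session is ${session.workspaceId}`);
  }
}

// Returns a copy of the query that can only touch rows of the caller's workspace.
function enforceWorkspaceScope(params: QueryParams, session: Session): QueryParams {
  if (!params.model || !SCOPED_MODELS.has(params.model)) return params; // e.g. User, Workspace
  const ctx = `${params.model}.${params.action}`;
  const args: Args = { ...params.args };
  let action = params.action;
  if (FILTERED.has(action)) {
    const where: Args = { ...(args.where ?? {}) };
    assertOwn(where.workspaceId, session, ctx);
    args.where = { ...where, workspaceId: session.workspaceId };
    // The extra filter makes the selector non-unique, which findUnique rejects.
    if (action === "findUnique") action = "findFirst";
  } else if (CREATES.has(action)) {
    const stamp = (row: Args) => { assertOwn(row.workspaceId, session, ctx); return { ...row, workspaceId: session.workspaceId }; };
    args.data = Array.isArray(args.data) ? args.data.map(stamp) : stamp(args.data);
  } else {
    throw new WorkspaceScopeError(`${ctx}: action not covered by scoping rules`); // fail closed
  }
  return { ...params, action, args };
}

// Constructed sample: a session for workspace "ws_A" reading a listing by id.
const session: Session = { workspaceId: "ws_A" };
const scoped = enforceWorkspaceScope(
  { model: "Listing", action: "findUnique", args: { where: { id: "lst_1" } } }, session);
console.log(scoped); // action "findFirst", where { id: "lst_1", workspaceId: "ws_A" }
```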
API Security & Rate Limiting
All API routes require authentication. Sensitive endpoints (login, registration, password reset) are rate limited, every endpoint validates its request, and critical operations are audit logged.
Dependency Management
Automated dependency scanning for known vulnerabilities. Lock files for deterministic builds. Regular updates of all packages and runtime environments.
Monitoring & Incident Response
Real-time error monitoring and alerting. Structured logging for all critical operations. Documented incident response procedures with defined escalation paths and communication templates.
Compliance & Certifications
We take regulatory compliance seriously across all jurisdictions
GDPR Compliant
Full compliance with the EU General Data Protection Regulation. Data subject rights (access, rectification, erasure, portability) fully supported. Data Processing Agreements available.
CCPA / CPRA Compliant
Full compliance with the California Consumer Privacy Act and California Privacy Rights Act. We do not sell personal information. All consumer rights are supported.
PCI DSS (via Stripe)
All payment data is handled exclusively by Stripe, which maintains PCI DSS Level 1 certification, the highest level of compliance. We never process, store, or transmit cardholder data.
SOC 2 Type II (In Progress)
We are actively pursuing SOC 2 Type II certification for security, availability, processing integrity, confidentiality, and privacy trust service criteria.
Fair Housing Compliance
Built-in fair housing language checker scans all generated content against HUD guidelines to help prevent discriminatory language in real estate marketing materials.
Data Residency
Primary data storage and processing in the United States. For enterprise customers, we can discuss data residency requirements and provide documentation on data flows.
Our Data Privacy Commitment
What we promise about your data
We never sell your data
Your listings, client information, and personal data are never sold, rented, or shared with advertisers or data brokers. Period.
We never use your data to train AI
Your property data and content are processed on-demand. We do not use your data to train, improve, or fine-tune any AI models.
You own your content
Everything you create in Notase (inputs, generated content, exports) belongs to you. You retain full ownership and control at all times.
You can delete everything
Request complete deletion of your data at any time. We will permanently remove all your information within 30 days of a verified request.
Responsible Disclosure
If you believe you've found a security vulnerability in Notase, we encourage you to report it responsibly. Please email support@notase.com with details. We take all reports seriously and will respond within 48 hours.
Please do not publicly disclose the vulnerability until we have had the opportunity to address it. We appreciate your help in keeping Notase and our users safe.
Questions About Security?
Our security team is happy to answer questions, discuss our practices, or provide documentation for your compliance needs.