Built for trust
Conversational isolation
One member's private conversations are never exposed to another member's AI session. We enforce this at the data-access layer: queries that build context for the AI are scoped to the requesting member, and family-level themes are de-identified before they leave the extraction step. This is more than a prompt rule — it is a structural boundary.
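As an added illustration (not Nestos code) of what a data-access-layer scope looks like, the Python below keeps the only function that returns message text keyed to the requesting member, exposes family-level information as de-identified theme counts only, and checks the assembled payload for another member's raw text before it leaves the process. The message store, member table and theme labels are constructed for the example.

```python
import json
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    member_id: str
    family_id: str
    text: str
    theme: str   # label assigned by an earlier extraction step (constructed here)


# Constructed sample data for the example; not real member content.
MEMBERS = {"m1": "fam1", "m2": "fam1", "m3": "fam2"}
MESSAGES = [
    Message("m1", "fam1", "I'm stressed about my exams", "school"),
    Message("m2", "fam1", "Can we plan a trip in June?", "travel"),
    Message("m2", "fam1", "Dad forgot my recital again", "school"),
    Message("m3", "fam2", "What's for dinner tonight?", "meals"),
]


class ScopeError(Exception):
    """A context query reached the data-access layer without a valid member scope."""


def member_messages(requesting_member_id, store=MESSAGES):
    """The only query that returns message text: always filtered by member id."""
    if not requesting_member_id or requesting_member_id not in MEMBERS:
        raise ScopeError("context queries must be scoped to a known member")
    return [m.text for m in store if m.member_id == requesting_member_id]


def family_themes(family_id, store=MESSAGES):
    """De-identified family-level view: theme counts only, no text, no member ids."""
    return dict(Counter(m.theme for m in store if m.family_id == family_id))


def build_ai_context(requesting_member_id, store=MESSAGES):
    """Assemble the context for one member's AI session."""
    own = member_messages(requesting_member_id, store)
    themes = family_themes(MEMBERS[requesting_member_id], store)
    context = {"member": requesting_member_id, "own_messages": own, "family_themes": themes}

    # Structural guard before anything leaves the process: no other member's raw
    # text may appear anywhere in the serialized payload, whatever path built it.
    serialized = json.dumps(context)
    for m in store:
        if m.member_id != requesting_member_id and m.text in serialized:
            raise ScopeError("cross-member text found in AI context")
    return context


if __name__ == "__main__":
    print(json.dumps(build_ai_context("m1"), indent=2))
```

The guard at the end is deliberately redundant with the scoped query: the scope is the boundary, and the serialization check catches a regression where some later code path (a theme label, a debug field) smuggles another member's text into the payload.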
Encryption
- In transit: all traffic uses TLS 1.2 or higher with modern ciphers.
- At rest: databases, file storage, and backups are encrypted with provider-managed keys (AES-256).
- Secrets: API keys and credentials are stored in a managed secrets vault, rotated regularly, and never embedded in the client.
Authentication & sessions
- Passwords are hashed with a modern key-derivation function and never stored in plaintext.
- JSON Web Tokens are short-lived and rotated using refresh tokens.
- Suspicious sign-in attempts trigger rate-limiting and additional checks.
- You can sign out of all devices from the app at any time.
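The four points above fit together as one session model. The following Python is an added example, not Nestos code, and assumes a stdlib-only environment: passwords are stored as salt plus a PBKDF2-HMAC-SHA256 digest (scrypt or Argon2 are the usual choices where a library is available), access tokens are short-lived HMAC-signed claims, each session holds exactly one valid refresh token at a time so that presenting an already-rotated token revokes the session, and sign-out-all revokes every session for a member. The signing key, TTLs and token format are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets

# Constructed signing key for the example; in production it would come from the
# secrets vault and be rotated, never shipped in the client.
SIGNING_KEY = b"constructed-demo-signing-key"
ACCESS_TTL = 15 * 60            # access token lifetime in seconds
REFRESH_TTL = 14 * 24 * 3600    # refresh token lifetime in seconds
PBKDF2_ROUNDS = 600_000


def hash_password(password, salt=None):
    """Return salt + PBKDF2-HMAC-SHA256 digest; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_claims(claims):
    """Compact HMAC-SHA256 token: base64url(claims).base64url(mac)."""
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    mac = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{mac}"


def verify_claims(token, now):
    """Return the claims if the MAC is valid and the token has not expired, else None."""
    try:
        body, mac = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(_unb64(body))
    return claims if claims.get("exp", 0) > now else None


class SessionStore:
    """Server-side sessions; exactly one refresh token is valid per session."""

    def __init__(self):
        self.sessions = {}   # sid -> {"member", "refresh_hash", "refresh_exp", "revoked"}

    def issue(self, member_id, now):
        sid = secrets.token_urlsafe(12)
        self.sessions[sid] = {"member": member_id, "revoked": False}
        return self._tokens(sid, member_id, now)

    def _tokens(self, sid, member_id, now):
        refresh = secrets.token_urlsafe(32)
        s = self.sessions[sid]
        s["refresh_hash"] = hashlib.sha256(refresh.encode()).hexdigest()  # store a hash only
        s["refresh_exp"] = now + REFRESH_TTL
        access = sign_claims({"sub": member_id, "sid": sid, "exp": now + ACCESS_TTL})
        return access, f"{sid}.{refresh}"

    def verify_access(self, token, now):
        """Return the member id for a valid access token whose session is live."""
        claims = verify_claims(token, now)
        if not claims:
            return None
        s = self.sessions.get(claims["sid"])
        return claims["sub"] if s and not s["revoked"] else None

    def refresh(self, refresh_token, now):
        """Rotate the refresh token; a replay of a rotated token revokes the session."""
        sid, _, secret = refresh_token.partition(".")
        s = self.sessions.get(sid)
        if not s or s["revoked"] or s["refresh_exp"] <= now:
            return None
        presented = hashlib.sha256(secret.encode()).hexdigest()
        if not hmac.compare_digest(presented, s["refresh_hash"]):
            s["revoked"] = True   # old token presented: treat the session as compromised
            return None
        return self._tokens(sid, s["member"], now)

    def sign_out_all(self, member_id):
        """Revoke every live session for the member; returns how many were revoked."""
        count = 0
        for s in self.sessions.values():
            if s["member"] == member_id and not s["revoked"]:
                s["revoked"] = True
                count += 1
        return count
```

Two design points worth noting: the server keeps only a hash of the refresh token, so a database read does not yield usable credentials, and revocation is checked on every access-token use through the session id carried in the claims, which is what makes "sign out of all devices" take effect before short-lived access tokens expire.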
AI provider posture
We use commercial AI providers (currently OpenAI) under enterprise agreements that prohibit using your content to train their general models. We send the minimum context required for a quality answer, and we do not transmit raw cross-member data.
Infrastructure
- Hosted on reputable cloud infrastructure with regional redundancy.
- Network-level isolation between application, database, and storage tiers.
- Automated patching for OS, runtime, and dependency security advisories.
- Continuous monitoring with alerting on anomalous behavior.
Operational controls
- Production access is limited to a small, named set of operators.
- Multi-factor authentication is required for all administrative access.
- Privileged actions are audit-logged.
- Vendor risk reviews for any new sub-processor.
Application safety
- Prompt-injection mitigations and output filtering on AI responses.
- Crisis-detection prompts that surface emergency resources.
- Reporting controls so you can flag content directly from the app.
Backups & resilience
- Encrypted, point-in-time backups on a rolling schedule.
- Disaster-recovery procedures tested periodically.
Reporting a security issue
If you believe you've found a security vulnerability, please report it to security@nestosai.com. We aim to acknowledge reports within two business days. Please give us a reasonable opportunity to investigate and remediate before any public disclosure.