Nino
powered by Malbec

Security

Last updated: April 30, 2026

Security is the foundation of Nino. Public adjusters trust us with sensitive claim files, carrier correspondence, and personal information about insureds — we treat that responsibility as non-negotiable. This page summarizes how we protect your data.

Infrastructure

  • Hosting: Nino runs on Vercel (application layer) and Supabase (database, authentication, file storage), both backed by major U.S. cloud providers. All infrastructure operates in U.S. data centers.
  • Network isolation: the production database is not exposed to the public internet; all traffic flows through authenticated, TLS-protected endpoints.
  • Tenant isolation: every workspace is isolated at the database level, so data cannot leak between tenants of the shared database (see Access controls below).

Encryption

  • In transit: all traffic between your browser and Nino is encrypted with TLS 1.2+ (HTTPS).
  • At rest: customer data, file uploads, and database backups are encrypted at rest by our infrastructure providers (AES-256).
  • Secrets: API keys, OAuth tokens, and webhook secrets are stored in encrypted environment variables, never in the codebase.

Access controls

  • Row-Level Security (RLS): every table that holds customer data uses Postgres Row-Level Security policies scoped to your team. A query from one workspace can never read or write data belonging to another workspace, even if a bug bypassed the application layer.
  • Storage isolation: uploaded files (claim documents, photos) are stored in a private bucket with per-team folder policies. Direct URL access is blocked; signed URLs expire on a short window.
  • Authentication: email/password with bcrypt-style hashing via Supabase Auth, plus magic-link sign-in. Sessions are managed with secure, HTTP-only cookies and short-lived JWTs.
  • API gateway: every server endpoint requires a valid Bearer token. Webhook endpoints (Lemon Squeezy, email integrations) are protected by signature validation or shared secrets.
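The Row-Level Security bullet above is the control that holds even when application code has a bug. The following is an added illustration of that pattern, not Nino's actual schema or policies: it assumes a `claims` table carrying a `team_id` column, an assumed `team_members` membership table, and Supabase's `auth.uid()` helper, which returns the user id from the caller's JWT.

```sql
-- Added example (not Nino's own schema): Postgres Row-Level Security that
-- scopes every row of an assumed `claims` table to the signed-in user's
-- team. `auth.uid()` is Supabase's helper for the caller's user id;
-- `team_members` is an assumed membership table.

create table if not exists team_members (
  team_id uuid not null,
  user_id uuid not null,
  primary key (team_id, user_id)
);

create table if not exists claims (
  id           uuid primary key default gen_random_uuid(),
  team_id      uuid not null,
  claim_number text not null,
  deleted_at   timestamptz            -- soft-delete marker, never hard-deleted by users
);

-- Turn RLS on and make it apply to the table owner as well, so a privileged
-- role used by a buggy code path is not silently exempt.
alter table claims enable row level security;
alter table claims force row level security;

-- Membership check evaluated inside every policy. SECURITY DEFINER lets it
-- read team_members even if that table carries its own RLS policies.
create or replace function is_team_member(t uuid)
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1
    from team_members
    where team_id = t
      and user_id = auth.uid()
  );
$$;

-- Reads: rows from other teams are simply not visible (the query returns
-- zero rows rather than an error).
create policy claims_select on claims
  for select using (is_team_member(team_id));

-- Writes: a user can only create rows tagged with a team they belong to.
create policy claims_insert on claims
  for insert with check (is_team_member(team_id));

-- Updates check both the row being touched and the row as it will look
-- afterwards, which blocks re-tagging a claim to a foreign team_id.
create policy claims_update on claims
  for update using (is_team_member(team_id))
             with check (is_team_member(team_id));

create policy claims_delete on claims
  for delete using (is_team_member(team_id));
```

A quick way to verify such a setup is to open a session carrying a test user's JWT and run `select * from claims` for a claim created under a different team: the expected result is zero rows, not a permission error. Note that Supabase's service-role key bypasses RLS entirely, which is why a policy like this only protects request paths that run under the user's own token, and why the page's rule that service-role credentials stay server-only matters.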

Payments

Nino does not store payment-card details. All subscription checkout, billing, and tax handling is performed by Lemon Squeezy, our Merchant of Record. Lemon Squeezy is PCI-DSS compliant. See our Privacy Policy for the data flow.

AI providers

When you interact with Nino's AI assistant, the relevant message and contextual data are sent to our language-model providers (Google Gemini, Anthropic Claude, Groq Whisper for audio transcription). Under our enterprise/API agreements with each provider:

  • Your data is not used to train any model.
  • Data is processed only to generate the AI response and is retained per the provider's standard API terms.

Backups and recovery

  • Automated daily backups of the database with 7-day retention.
  • Point-in-time recovery is available through our database provider for short-window restoration.
  • Soft-delete on critical tables (claims, contacts) — accidentally removed records can be restored within the retention window.

Operational security

  • Principle of least privilege: only the necessary team members have production access. Service-role credentials are server-only and never exposed to client code.
  • Audit trails: application-level activity logs capture record-modifying actions inside each workspace.
  • Dependency management: upstream package vulnerabilities are tracked via automated alerts and patched on a regular cadence.
  • No third-party advertising or tracking pixels on the application or marketing site.

Vulnerability disclosure

If you discover a security issue, please report it responsibly. We take every report seriously and will acknowledge within two business days.

Email: nino@malbec.team
Subject line: Security report — <short description>

Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate.

Compliance posture

Nino is operated by Malbec, headquartered in Colombia, serving customers in the United States.

  • GDPR / equivalent privacy laws: see our Privacy Policy for legal basis, data-subject rights, and international-transfer safeguards.
  • Data deletion: customer data is deleted within 30 days of account closure, with backups purged within an additional 30 days.

We are not currently SOC 2 audited; an audit is planned as customer demand justifies it. If your firm requires a vendor questionnaire, contact us at the email below.

Contact

Email: nino@malbec.team
Web: https://ninocrm.com