Security
Last updated June 8, 2026
Security is a product decision at Nous, not a checkbox. Here is how we protect your code, your data, and your reputation.
Approval-gated by design
Nous never posts on your behalf without an explicit click. Every outbound action, including Reddit replies and scheduled social posts, is drafted for your review and routed through an approval step. There is no autonomous posting mode.
Your source code stays yours
Nous reads public repositories only to build a working description of your product. We do not store your source code. The context we build is held in ephemeral memory for the duration of generation and is not retained as a copy of your repository.
- Read-only access to the repositories you connect.
- No persistent copy of your source is written to disk.
- You can disconnect a repository at any time, in one click.
Data handling and retention
We store the artifacts you generate (landing pages, drafts, schedules) and the account data needed to run your subscription. We retain this data only as long as your account is active or as required to provide the service. When you delete your account, we delete the associated data within 30 days, except where we are legally required to keep it.
Encryption
Data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 or the equivalent provided by our infrastructure providers. Access tokens for connected accounts are stored encrypted and are never exposed to other tenants.
Infrastructure and access controls
Nous runs on managed cloud infrastructure with provider-level isolation between tenants. Access to production systems is limited to the engineers who need it, protected by single sign-on and multi-factor authentication, and logged. We follow least-privilege defaults for internal access.
Connected accounts and tokens
When you connect a platform (such as GitHub or a social account), we request the narrowest scopes needed to do the work you asked for. You can revoke access from within Nous or from the provider at any time, and revocation takes effect immediately.
Compliance
Nous is an early-stage product. We are not yet SOC 2 certified, and we will not claim certifications we do not hold. Formal audits are on our roadmap, and we will publish them here when they are complete. In the meantime, the practices described on this page reflect how we operate today.
Responsible disclosure
If you believe you have found a security vulnerability, please email vihaan@usenous.app with the details and steps to reproduce. We will acknowledge your report, investigate promptly, and keep you updated. Please give us a reasonable window to remediate before any public disclosure. We will not pursue legal action against good-faith research that respects user privacy and avoids service disruption.