The honest version of "enterprise security."
A short page, written for a procurement reviewer or a security-conscious founder. What is actually in place today, what is in flight, and what is roadmap. No certification badges Nynch hasn't earned. Use this page when a buyer asks "before we sign, can you point me to your security stance?"
The four pillars.
Each pillar lists what is actually in place today. Nothing here is aspirational. Where a control is partial or in progress, it is called out explicitly in the Status Snapshot below.
Data protection
- Encryption in transit using TLS 1.2 or later
- Encryption at rest using industry-standard symmetric encryption
- Database-level encryption layered on disk-level encryption
- Encrypted backups with keys held separately from encrypted data
- Customer data isolated by workspace at the row level
Access and identity
- Role-based access controls on every team workspace
- Workspace-level data isolation between customers
- Supabase-level row-level security for every table
- Audit logging on sensitive admin actions
- Per-action change tracking for record edits
Privacy and data control
- UK GDPR- and EU GDPR-compliant posture
- European data residency for primary storage
- Standard Contractual Clauses for any international transfer
- Customer-initiated export in machine-readable format
- Account deletion within 30 days of request
Operational practice
- SOC 2-aligned controls (certification on roadmap)
- Documented incident response procedure
- 72-hour supervisory-authority breach notification
- Quarterly access review of admin privileges
- Subprocessor list maintained and reviewable on request
Status snapshot.
The short version. What is in place today, what is in flight, and what is on the roadmap.
| Control | Status | Notes |
|---|---|---|
| Encryption in transit (TLS 1.2 or later) | In place | All API and web traffic |
| Encryption at rest | In place | Disk-level plus database-level |
| Role-based access controls | In place | Workspace-scoped roles |
| UK GDPR compliance | In place | UK-based controller |
| EU GDPR compliance | In place | European data residency |
| Single sign-on (SAML / SSO) | In place | Available on the Team plan |
| SOC 2 Type II certification | On roadmap | SOC 2-aligned today; formal report later |
| HIPAA compliance | Not in scope | Nynch is not a healthcare CRM |
| Customer data trains shared AI | Never (structural) | Each Learning Ledger is private |
| Subprocessor list | Reviewable on request | Email security@nynch.com |
The privacy promise that holds up under questioning.
Your Superbrain trains on you. It does not train on anyone else.
Every Nynch customer's Learning Ledger is a private record of every AI suggestion the system has made for that customer, every action the customer took, and every outcome that followed. Ledgers are never pooled across accounts.
This is structural. It is not a checkbox in a settings panel that can be toggled. The architecture does not support cross-customer training, by design. When a buyer asks "how do I know my client conversations are not being used to train the model for your other customers?" the answer is that there is no model that can be trained that way. Each customer's Superbrain is calibrated to that customer alone.
Where to send the procurement questionnaire.
If you are a buyer's procurement or security team and you need anything not covered above, the right channel depends on what you need.
Security questions
Procurement questionnaires, subprocessor list requests, security control deep-dives.
Privacy / data subject requests
UK and EU GDPR data subject access requests, deletion requests, processing inquiries.
Incident reporting
Suspected vulnerability or active incident. We respond within one business day.
For full data-handling detail see the Privacy Policy. For terms of service see Terms. For cookie usage see Cookies.
Need a procurement-grade walkthrough?
Book a 30-minute call. We will walk through the security questionnaire your team has, share the subprocessor list, and answer everything in the open. No NDA required for any of the controls listed above.