For security-related questions or to report vulnerabilities: security@nomic.ai
Nomic Security Posture
Nomic is the AI platform purpose-built for AEC firms — accelerating how you work with your project knowledge without moving your data, weakening your permissions, or training someone else's model on your projects.
- Your data stays in the systems where it already lives — SharePoint, Egnyte, Autodesk Construction Cloud, Bentley. We index it for Nomic agents to use; your files are never permanently copied to Nomic infrastructure unless directly uploaded. We inherit your existing permissions.
- We're SOC 2 Type II certified, pen-tested annually, and broadly compliant with major regional data protection and privacy regulations. Our US State DPA covers customers in the United States; our Global DPA is available on request.
- When AI is used, your content is processed under zero-data-retention agreements with Anthropic and Google Cloud Vertex — they keep nothing.
- We retain only what's necessary to run the service (cached documents, your conversations, usage logs) and delete everything within 30 days of termination.
- Nomic is primarily delivered as a managed platform on AWS infrastructure that is isolated per tenant. Alternative deployment options are available; contact sales to discuss.
Resources: SOC 2 report & pen test (NDA) · DPA · Privacy Policy · Terms of Service
Nomic Data Flows
01 Authentication
Users sign in directly or through your identity provider (SAML/OIDC via WorkOS). MFA is enforced by your IdP configuration when SSO is used.
02 Permission check
Nomic enforces the access controls already configured in your source systems. If a user can't see a file in SharePoint, they can't see it in Nomic.
03 Retrieval
Relevant context is pulled from the indexed corpus the user is authorized to see.
04 Inference
Context and prompt are sent over TLS 1.2+ to Anthropic or Google Cloud Vertex. Both operate under executed zero-data-retention agreements; content is discarded after the response is generated.
05 Response
The answer is returned to the user with citations to source documents. The interaction is logged in the audit log available to your admins.
AI inference is the only point where customer content leaves Nomic infrastructure, and it is governed by ZDR end-to-end at that boundary.
Data Retention
There are two retention layers, and they work differently. We've found it helps to call them out separately.
What Nomic retains (as your data processor)
- User-generated content — conversations, reports, annotations, and indexes retained for the duration of the subscription unless you delete them
- Usage metadata — session logs, query timestamps, and user activity retained for audit and platform operations
What our AI inference subprocessors retain
Nothing. Anthropic and Google Cloud Vertex AI operate under executed zero-data-retention agreements. Documents are processed ephemerally for inference and discarded. Your data is never used to train their models.
On termination: All customer data is deleted within 30 days using secure erasure methods. Certification of deletion available on request.
See also: Data Processing Agreement, Terms of Service
Permissions & Access
Nomic does not maintain a separate permission system. We enforce the access controls already configured in your source systems — SharePoint, Egnyte, Autodesk Construction Cloud, Bentley, Procore. If a user cannot see a folder in the source system, they cannot see it in Nomic. We do not override, expand, or alter customer-defined access rights.
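To make the permission-inheritance point concrete for both the data-flow steps above (02 Permission check, 03 Retrieval) and this section, here is an added illustration. It is not Nomic's code: the `Chunk` and `User` structures, the `grp:` group principals, the toy lexical scoring and the sample corpus are all assumptions constructed for the example. The security-relevant choices it shows are that the source-system ACL is checked before ranking (so unauthorized chunks never enter the candidate set) and that a chunk whose ACL is missing is denied rather than treated as public.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Chunk:
    """One indexed chunk. `allowed` is the principal set copied from the source
    system's ACL at index time (hypothetical field, constructed for this example)."""
    doc_id: str
    source: str
    text: str
    allowed: frozenset


@dataclass(frozen=True)
class User:
    """Identity as resolved by the IdP at step 01: user principal plus group claims."""
    principal: str
    groups: frozenset


def effective_principals(user: User) -> frozenset:
    return frozenset({user.principal}) | user.groups


def can_read(user: User, chunk: Chunk) -> bool:
    """Step 02: mirror the source-system check. Deny by default: a chunk whose
    ACL did not sync (empty set) is treated as unreadable, never as public."""
    if not chunk.allowed:
        return False
    return not effective_principals(user).isdisjoint(chunk.allowed)


def retrieve(user: User, corpus, query: str, k: int = 3):
    """Step 03: trim by permission BEFORE ranking, so an unauthorized chunk never
    enters the candidate set. Filtering only the top-k afterwards would both
    starve the user of results and leak, via the ranking, that a matching
    document exists."""
    terms = set(query.lower().split())
    scored = []
    for chunk in (c for c in corpus if can_read(user, c)):
        overlap = len(terms & set(chunk.text.lower().split()))  # toy lexical score
        if overlap:
            scored.append((overlap, chunk))
    scored.sort(key=lambda s: s[0], reverse=True)  # stable: ties keep corpus order
    return [chunk for _, chunk in scored[:k]]


def build_prompt(user: User, corpus, query: str) -> str:
    """Input to step 04: only authorized context reaches the model, each chunk
    tagged with its doc_id so the answer at step 05 can cite it."""
    lines = [f"[{c.doc_id}] {c.text}" for c in retrieve(user, corpus, query)]
    return "Context:\n" + "\n".join(lines) + f"\n\nQuestion: {query}"


# Constructed sample corpus (not real project data). ACLs use 'grp:' group principals.
SAMPLE_CORPUS = [
    Chunk("proj-42-structural-calcs", "sharepoint",
          "project 42 structural load calculations for the atrium steel",
          frozenset({"grp:structural", "grp:pm"})),
    Chunk("proj-42-contract", "egnyte",
          "project 42 contract retention and liquidated damages terms",
          frozenset({"grp:legal"})),
    Chunk("proj-42-rfi-17", "acc",
          "RFI 17 atrium steel connection detail clarification",
          frozenset({"grp:structural", "grp:architecture"})),
    Chunk("proj-42-orphan", "sharepoint",
          "atrium steel note whose source ACL failed to sync",
          frozenset()),  # empty ACL: denied by default
]

if __name__ == "__main__":
    alice = User("alice@example.com", frozenset({"grp:structural"}))
    bob = User("bob@example.com", frozenset({"grp:legal"}))
    print([c.doc_id for c in retrieve(alice, SAMPLE_CORPUS, "atrium steel")])
    print([c.doc_id for c in retrieve(bob, SAMPLE_CORPUS, "atrium steel")])
    print(build_prompt(bob, SAMPLE_CORPUS, "project 42 contract"))
```

The same query from two users returns different document sets, and the orphaned chunk is never returned to anyone. In a real connector the `allowed` set has to be re-synced whenever the source ACL changes; until it is, this check enforces the ACL as of the last sync, which is the caveat to ask about for any "we inherit your permissions" claim.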
Authentication options
- Direct login — Users can sign in to Nomic directly with email and password
- Single sign-on (SSO) — Available via WorkOS, supporting SAML/OIDC with Azure AD, Okta, and other enterprise identity providers
Access controls
- Multi-factor authentication (enforced via your IdP when SSO is used)
- Least-privilege access principles across the platform
- Role-based access (admin / member) with complete audit logging available to organization administrators
- Encrypted data in transit (TLS 1.2+) and at rest (AES-256)
Data & File Indexing
Files stored with Nomic are indexed on Nomic Platform infrastructure. When your data is not being processed, it is stored only in your Nomic instance, encrypted at rest.
Indexing sends files, or folders of files, to the Nomic Platform parsing and embedding endpoints, which generate searchable embeddings. Files are encrypted in transit (TLS 1.2+) and are accessed only transiently while they are processed.
Deployment Options and Data
Nomic offers flexible deployment options to meet different security and compliance requirements. Each option provides different levels of data control and processing locations.
Nomic-Managed (Cloud)
Our standard cloud offering where Nomic manages all infrastructure and operations.
- All data is stored in Nomic managed AWS infrastructure
- Data is processed through the Nomic Platform
- Processing involves our sub-processors as listed above
- Fastest deployment with minimal setup required
Bring-Your-Own-Cloud (BYOC)
Deploy Nomic within your own cloud environment while leveraging our platform services.
- Data at rest is stored in your cloud environment
- Processing (including indexing) still runs on Nomic Platform AWS infrastructure, so content leaves your environment while it is being processed
- AI inference involves our sub-processors, as in the managed offering
- Enhanced data residency control for stored data
Need a Custom Deployment?
For enterprise customers requiring specific compliance, data residency, or security controls, we offer custom deployment options. Contact our team at sales@nomic.ai to discuss your requirements.
Subprocessors
We rely on the following subprocessors to deliver our services. File-access markers indicate whether each subprocessor can access customer file content.
- AWS: Primary cloud hosting.
- Anthropic: AI inference (under executed ZDR).
- Google Cloud Vertex API: AI inference for Gemini models (under ZDR).
- Modal Labs: Ephemeral compute for proprietary models.
- WorkOS: Enterprise authentication and SSO.
- Sentry / Datadog: Error and performance monitoring.
- Stripe: Billing.
- Mixpanel / Google Analytics: Product and web analytics.
- Loops: Email communications.
Hosting: US and global hosting options available. No infrastructure in China, and no Chinese companies used as direct subprocessors.
Subprocessor changes: Material changes to our subprocessor list are communicated with at least 15 days' advance notice. Customers may object on documented data protection grounds.
See also: Data Processing Agreement
Certifications & Evidence
Independent attestation and continuous third-party validation.
- SOC 2 Type II — Annual independent audit covering security, availability, and confidentiality controls
- Penetration testing — At least annual third-party application penetration testing, with findings tracked through remediation
- Data Processing Agreement — Executed DPA covering GDPR-aligned data processing obligations
- Zero Data Retention — Executed ZDR agreements with all AI inference subprocessors
- Encryption — AES-256 at rest, TLS 1.2+ in transit
Our DPA covers obligations under EU GDPR, UK GDPR, CCPA and other US state privacy laws, Brazil's LGPD, Australia's Privacy Act, and New Zealand's Privacy Act.
Behind the trust center (NDA required)
- SOC 2 Type II report
- Penetration test report
- Anthropic Zero Data Retention Certificate
Request access at security.nomic.ai.
Data Deletion & Portability
You retain full control over your data throughout the relationship.
During the term, organization administrators can export user-generated content, usage logs, and audit data from the platform admin panel as CSV or JSON.
At termination, at your election, we will either return your data in a commercially reasonable format or delete all customer data within 30 days using secure erasure methods. Written certification of deletion is available on request.
Data subject requests (GDPR access, correction, deletion) are processed within one month of receipt in line with applicable law.
See also: Privacy Policy, Data Processing Agreement, Terms of Service
Vulnerability Disclosures & Incident Response
For security researchers
If you discover a security vulnerability, please report it to security@nomic.ai.
- Acknowledgment within 5 business days
- Regular updates throughout investigation
- Public disclosure coordinated after fix deployment
Responsible disclosure guidelines: Provide detailed vulnerability information, allow reasonable time for fix development, avoid accessing or modifying user data, and do not perform testing that degrades service.
For customers
In the event of a security incident affecting customer data, Nomic notifies affected customers without undue delay in accordance with our Data Processing Agreement. Our security team coordinates with your designated point of contact through resolution.
Legal Documents
The right document depends on your relationship with Nomic.
- Privacy Policy — How we handle data from website visitors, demo requests, and newsletter sign-ups
- Data Processing Agreement — Governs how Nomic processes your data when you use the platform as a customer (US State DPA is the default; Global DPA available on request)
- Terms of Service — Our subscription terms and service obligations