Notomir is engineered for the stringent requirements of government agencies and enterprise real estate operations. Every layer of the stack is built with security as a first principle, not an afterthought.
All documents and extracted data are encrypted with AES-256 before being written to disk. Encryption keys are managed through a hardware security module (HSM) with automatic rotation.
All data transmitted between your browser, our servers, and downstream processors uses TLS 1.3. Older protocol versions are explicitly disabled. HTTP traffic is automatically redirected to HTTPS.
Infrastructure runs on AWS us-east-1 through our Supabase partnership. Your data never leaves secured sovereign cloud environments. Physical data center security is managed under AWS's ISO 27001 and SOC 2 certifications.
Production systems operate inside private virtual networks with no direct public exposure. Database and processing layers are fully isolated from internet-facing services. All access requires explicit firewall approval.
Built from day one to satisfy the compliance requirements of insurance carriers, accounting firms, and enterprise agencies.
SOC 2 Type II in Progress
Audit engagement underway
Notomir can operate as a HIPAA Business Associate for healthcare-adjacent housing operations. BAAs are available on request for qualifying accounts.
Privacy-by-design architecture supports GDPR obligations including data subject rights, consent management, and breach notification processes.
A formal SOC 2 Type II audit is in progress covering the Security, Availability, and Confidentiality trust service criteria. The report is available to enterprise customers under NDA.
DPAs are available for customers subject to GDPR, CCPA, or other data protection regulations. Contact us to execute a DPA for your account.
Enterprise plans support SAML 2.0 single sign-on integration with Okta, Azure AD, Google Workspace, and any standard identity provider.
Granular RBAC lets administrators assign roles at the user, team, and document-type level. The principle of least privilege is enforced throughout the system.
Every extraction, review decision, and file action is logged with a timestamp and user identity. Logs are immutable and exportable for compliance review.
Active account data is retained for the lifetime of your subscription. Uploaded documents are stored for 90 days by default and can be purged earlier on request from the dashboard.
Extracted records and audit logs are retained for 7 years to satisfy standard accounting and regulatory retention requirements. This period can be adjusted for enterprise accounts under a custom agreement.
Upon account deletion, all document files are deleted within 30 days. Audit logs are retained for the legally required period before permanent deletion.
Configurable retention policies are available on Business and Enterprise plans, allowing you to set shorter retention windows that comply with your local statutory requirements.
We take all security reports seriously. If you discover a potential vulnerability in the Notomir platform, please report it to us directly. Do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate.
We aim to acknowledge reports within 48 hours and provide a resolution timeline within 5 business days.