At NomoCoda, security and data privacy are foundational to how we build a deliver solutions to our customers, partners and all others within our business ecosystem.

How Lens isolates customer data

Lens delivers personalized intelligence to individual users. Each user's data slice is bounded by what they can already see in the systems they connect — the OAuth tokens they granted and the in-system permissions those tokens carry. Lens never sees data the user does not have access to, never serves intelligence generated from another user's data, and never persists data outside the scope of the calling user.

Nine independent layers enforce this principle. Each layer catches what the others might miss.

• Tenant context at authentication. Every request resolves to an authenticated (workspace, user) pair before any data is read.
• Application-level query scoping. Every database read filters by both workspace and user.
• Database row-level security. PostgreSQL policies enforce per-user filtering at the data layer, independently of application code. A query missing a filter returns zero rows rather than the wrong rows.
• Reactive scope reconciliation. When a user's access narrows at the source — a Slack channel they leave, a HubSpot team change, a revoked connection — Lens removes the affected cached data within seconds.
• Permission-aware prompts. The AI engine is told which systems the calling user is permitted to read from, and instructed to never cite anything outside that list.
• Post-model verification. Every citation in every generated piece of intelligence is verified against the permitted-systems set before reaching the user.
• Provenance verification. Every result returned by a third-party provider is checked against the expected user identity before reaching a downstream consumer.
• Immutable audit log. Every verification failure and every internal access event is recorded in an append-only audit table.
• Staff access governance. Internal access to a customer account requires a written reason, expires automatically, and is visible to the customer.

The full technical reference, including the threat model and the industry standards each layer aligns with, is maintained alongside the codebase and reflected here as the architecture changes.

Identity and access

Authentication is handled through Clerk. Workspace owners control roles, license assignment, and invite approvals.

Connections to third-party systems are per-user and decentralized. Each member of a workspace authenticates their own connections under their own credentials, and Lens reads each user's data only through that user's own OAuth tokens. There is no concept of a workspace-level connection that crosses individual user permissions.

Encryption

Customer data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted by our managed database and storage providers using industry-standard cryptography.

Staff access