Security

Security is fundamental to everything we build at Nomic. This page outlines our approach to protecting your data, maintaining privacy, and ensuring secure AI interactions.

Last updated: August 5, 2025

For security-related questions or to report vulnerabilities: security@nomic.ai

Certifications and Third-Party Assessments

Nomic is committed to maintaining the highest security standards and undergoes regular third-party assessments to validate our security posture.

SOC 2 Type II Certified: Nomic is SOC 2 Type II certified. Visit our Security Center to request a copy of our compliance report and other security documentation.

Penetration Testing: We commit to conducting at least annual penetration testing by reputable third parties. External penetration test reports and other security assessments are available through our Security Center.

Vendor Reviews: All security documentation, compliance reports, and vendor assessment materials can be accessed at security.nomic.ai. You will be asked to sign an NDA before being granted access.

Infrastructure Security

Our infrastructure is built with security-first principles, utilizing industry-leading cloud providers and following best practices for data protection.

Cloud Infrastructure

  • Primary hosting on AWS with high availability
  • Data centers in US, Europe, and Asia
  • Encrypted data in transit and at rest
  • Regular security patches and updates

Access Controls

  • Multi-factor authentication required
  • Least-privilege access principles
  • Regular access reviews and rotations
  • Comprehensive audit logging

Subprocessors

We depend on the following subprocessors to deliver our services. Data handling varies by service - see our full trust center for complete details.

AWS: Sees and stores your files
We use AWS for our primary cloud hosting platform. All instances of Nomic are managed on AWS.

Anthropic: Sees your files
We use Anthropic for AI responses. We have a zero data retention agreement with Anthropic.

Google Cloud Vertex API: Sees your files
We rely on some Gemini models offered over Google Cloud’s Vertex API to give AI responses. We have a zero data retention agreement with Vertex.

Modal Labs: Sees your files
We use Modal for serverless infrastructure and compute to infer our custom models.

Sentry: Sees no files
We use Sentry to monitor errors and performance in our app. File data is never explicitly sent, but may show up in reported errors. Data from BYOC deployments never reaches Sentry.

Google Analytics: Sees no files
Provides analytics for web presence.

Stripe: Sees no files
We use Stripe for billing.

WorkOS: Sees no files
We use WorkOS for enterprise authentication and single sign-on (SSO).

Mixpanel: Sees no files
We use Mixpanel for product analytics and user behavior tracking.

Loops: Sees no files
We use Loops for email communications and notifications.

Geographic note: None of our infrastructure is located in China, and we do not directly use any Chinese companies as subprocessors.

AI Requests

When you use Nomic’s AI features, we take great care to protect your data throughout the AI processing pipeline.

Data Processing

  • All AI requests are processed through our secure infrastructure
  • Data is encrypted in transit to AI model providers
  • We maintain zero data retention agreements with AI providers
  • Context data is minimized to what’s necessary for processing

AI requests may include context from your files, conversation history, and relevant file snippets. This data is sent to our infrastructure and then to appropriate AI model providers (OpenAI, Anthropic, etc.) under strict data protection agreements.

Data and File Indexing

All files stored with Nomic are indexed using Nomic Platform infrastructure. When your data isn’t being processed, it is stored only in your Nomic instance and is encrypted at rest.

Indexing works by sending files or folders of files to the Nomic Platform embedding and parsing APIs which use our custom models for visual document processing and understanding.

Deployment Options and Data

Nomic offers flexible deployment options to meet different security and compliance requirements. Each option provides different levels of data control and processing locations.

Nomic-Managed (Cloud)

Our standard cloud offering where Nomic manages all infrastructure and operations.

  • All data is stored in Nomic-managed AWS infrastructure
  • Data is processed through the Nomic Platform
  • Processing involves our sub-processors as listed above
  • Fastest deployment with minimal setup required

Bring-Your-Own-Cloud (BYOC)

Deploy Nomic within your own cloud environment while leveraging our platform services.

  • All data is stored in your cloud environment
  • Data is processed by Nomic Platform AWS infrastructure
  • Processing involves our sub-processors for AI operations
  • Enhanced data residency control

On-Premise (Custom)

Fully isolated deployment within your own infrastructure with custom agreements.

  • Complete data isolation within your environment
  • Custom processing and sub-processor agreements
  • Tailored security and compliance controls
  • Contact our team for custom deployment options

Need a Custom Deployment?

For enterprise customers requiring specific compliance, data residency, or security controls, we offer custom deployment options. Contact our team at sales@nomic.ai to discuss your requirements.

Account Deletion

You have full control over your data and can delete your account and associated data at any time.

Data Deletion Process

  • Account deletion can be initiated from your settings dashboard
  • All personal data, stored and indexed files are immediately deleted
  • Complete data removal guaranteed within 30 days
  • Backups are automatically purged within retention period

Note: If your data was used in model training (opt-in), existing trained models will not be immediately retrained, but future model training will not include your deleted data.

Vulnerability Disclosures

We take security vulnerabilities seriously and encourage responsible disclosure from the security community.

Report a Vulnerability

If you discover a security vulnerability, please report it to: security@nomic.ai

Response Timeline

  • Acknowledgment within 5 business days
  • Initial assessment within 10 business days
  • Regular updates throughout investigation
  • Public disclosure after fix deployment

Responsible Disclosure Guidelines

  • Provide detailed vulnerability information
  • Allow reasonable time for fix development
  • Avoid accessing or modifying user data
  • Do not perform testing that degrades service