Nomisma

[ Security ]

How we protect
what you share with us.

Plain English. Auditor-readable. Last updated May 25, 2026.

The posture, in one paragraph

The Nomisma website and admin app run on AWS infrastructure in the United States. Data is encrypted at rest with AWS KMS and in transit with TLS 1.2+. Administrator access requires an Argon2id-hashed password and a TOTP second factor. Every administrative action is recorded in an append-only audit log. We do not use third-party analytics, we do not set tracking cookies, and we do not load any third-party scripts.

Where data lives

  • Application database: AWS RDS for PostgreSQL, encrypted at rest with AWS KMS (AES-256), automated daily backups with 7-day retention.
  • Email delivery: AWS SES (US region).
  • Hosting: AWS Amplify with CloudFront in front. TLS terminated at CloudFront using AWS Certificate Manager.
  • Secrets: session secret, database credentials, and SES keys are stored in AWS Secrets Manager (KMS-encrypted), never committed to source control.

How administrator access works

  • Argon2id password hashing with parameters aligned with OWASP recommendations (19 MiB memory, 2 iterations).
  • Mandatory TOTP two-factor authentication (RFC 6238) on first sign-in and every subsequent sign-in. Compatible with Google Authenticator, 1Password, Authy, Microsoft Authenticator.
  • Session tokens are 256-bit random values; the server stores only their SHA-256 hashes, so a copy of the database does not yield usable sessions. The raw token lives only in the user’s httpOnly cookie. Sessions expire after 8 hours.
  • Lockout: 5 failed login attempts trigger a 15-minute lockout of the account. Failed attempts are rate-limited separately by source IP.
  • Optional IP allowlist restricts admin access to a configured list of source IPs.
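As an added example (not code from the Nomisma site), the TypeScript below sketches the two verification steps the list above describes: an RFC 6238 TOTP check that tolerates one step of clock drift and rejects replayed codes, and session tokens that exist in clear only in the cookie while the server keeps SHA-256 hashes with an 8-hour expiry. TypeScript is used because the site’s stack is TypeScript. The 30-second step, 6-digit length, acceptance window, in-memory tables, cookie attributes other than HttpOnly, and every function name are assumptions; the Argon2id password check is omitted because Node has no built-in Argon2.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// ---- TOTP verification, RFC 6238 (HMAC-SHA1, 30 s step, 6 digits) ----
// Assumed defaults: the page names RFC 6238 but not the step length, digit
// count or acceptance window; these are the usual authenticator-app values.
const TOTP_STEP_SECONDS = 30;
const TOTP_DIGITS = 6;

// HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation.
function hotp(secret: Buffer, counter: number, digits: number): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 2 ** 32), 0);
  msg.writeUInt32BE(counter >>> 0, 4);
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) |
    (mac[offset + 1] << 16) |
    (mac[offset + 2] << 8) |
    mac[offset + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}

export function totpCounter(unixSeconds: number): number {
  return Math.floor(unixSeconds / TOTP_STEP_SECONDS);
}

export function totpCode(secret: Buffer, unixSeconds: number, digits = TOTP_DIGITS): string {
  return hotp(secret, totpCounter(unixSeconds), digits);
}

export interface TotpEnrollment {
  secret: Buffer;
  lastUsedCounter: number; // highest step already accepted; start at -1
}

// Accepts the current step plus `window` steps either side (clock drift) and
// never accepts a step at or below the last one used, so a code captured in
// transit cannot be replayed during its remaining validity.
export function verifyTotp(enr: TotpEnrollment, code: string, unixSeconds: number, window = 1): boolean {
  if (code.length !== TOTP_DIGITS || !/^\d+$/.test(code)) return false;
  const now = totpCounter(unixSeconds);
  for (let delta = -window; delta <= window; delta++) {
    const counter = now + delta;
    if (counter <= enr.lastUsedCounter) continue;
    const expected = Buffer.from(hotp(enr.secret, counter, TOTP_DIGITS), "ascii");
    if (timingSafeEqual(expected, Buffer.from(code, "ascii"))) {
      enr.lastUsedCounter = counter;
      return true;
    }
  }
  return false;
}

// ---- Session tokens: 256-bit random, only the SHA-256 hash is stored ----
const SESSION_TTL_MS = 8 * 60 * 60 * 1000;

interface SessionRow { adminId: string; expiresAt: number }
// In-memory stand-in for the sessions table, keyed by token hash (assumption).
const sessions = new Map<string, SessionRow>();

function sha256Hex(s: string): string {
  return createHash("sha256").update(s, "ascii").digest("hex");
}

// Returns the raw token for the httpOnly cookie; it is never written to storage.
export function issueSession(adminId: string, nowMs: number): string {
  const token = randomBytes(32).toString("base64url"); // 256 bits from the CSPRNG
  sessions.set(sha256Hex(token), { adminId, expiresAt: nowMs + SESSION_TTL_MS });
  return token;
}

// A plain lookup by hash is safe here because the token is uniformly random:
// an attacker cannot pick inputs that bring the lookup "closer" to a hit.
export function resolveSession(token: string, nowMs: number): string | null {
  const hash = sha256Hex(token);
  const row = sessions.get(hash);
  if (!row) return null;
  if (nowMs >= row.expiresAt) {
    sessions.delete(hash); // expired rows are purged on first touch
    return null;
  }
  return row.adminId;
}

// Attributes beyond HttpOnly are assumptions, not stated on the page.
export function sessionCookie(token: string): string {
  return `session=${token}; HttpOnly; Secure; SameSite=Strict; Path=/admin`;
}
```

HMAC-SHA1 is what RFC 6238’s reference vectors and the listed authenticator apps use; SHA-1 collision weaknesses do not affect HMAC in this role. The replay check (`lastUsedCounter`) is the part most home-grown TOTP code forgets: without it a code phished or shoulder-surfed seconds ago still works.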

How web traffic is protected

  • Strict HTTP security headers on every response (HSTS with preload, X-Content-Type-Options, X-Frame-Options: DENY, Referrer-Policy, Permissions-Policy, and a Content-Security-Policy that includes object-src 'none').
  • Rate limiting on every public endpoint (contact form: 5 / 10 min / IP; login: 10 / 10 min / IP; TOTP verify: 8 / 5 min / IP; analytics ingest: 300 / min / IP).
  • Common attack-path probes (wp-admin, .env, .git, phpmyadmin) are blocked at the edge before reaching the application.
  • Honeypot field on the contact form to defeat automated spam.
  • All user input is validated against a schema (zod), and every database query is parameterized through the ORM (Drizzle), so untrusted values never reach SQL as text.
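The per-IP limits listed above and the account lockout from the administrator-access section are two different counters that have to be applied in a particular order. The TypeScript below is an added example, not the site’s code, showing both with the page’s numbers: a sliding-window limiter keyed by endpoint and source IP, and a per-account lockout after 5 failures for 15 minutes, composed into one login handler. The in-memory storage, the sliding-window choice, the bucket names and all function names are assumptions.

```typescript
// ---- Per-IP rate limits (numbers from the page) ----
interface Limit { max: number; windowMs: number }

export const LIMITS: Record<string, Limit> = {
  contact:   { max: 5,   windowMs: 10 * 60_000 }, // contact form: 5 / 10 min / IP
  login:     { max: 10,  windowMs: 10 * 60_000 }, // login: 10 / 10 min / IP
  totp:      { max: 8,   windowMs: 5 * 60_000 },  // TOTP verify: 8 / 5 min / IP
  analytics: { max: 300, windowMs: 60_000 },      // analytics ingest: 300 / min / IP
};

// Sliding-window log: timestamps of recent hits per (bucket, ip). Each key
// holds at most `max` entries, so memory is bounded by keys * max. Across
// several app instances the store would have to be shared (assumption: Redis).
export class RateLimiter {
  private hits = new Map<string, number[]>();
  constructor(private limits: Record<string, Limit>) {}

  // Records the request and returns false if the caller is over the limit.
  allow(bucket: string, ip: string, nowMs: number): boolean {
    const limit = this.limits[bucket];
    if (!limit) throw new Error(`no rate limit configured for ${bucket}`);
    const key = `${bucket}:${ip}`;
    const recent = (this.hits.get(key) ?? []).filter((t) => nowMs - t < limit.windowMs);
    if (recent.length >= limit.max) {
      this.hits.set(key, recent); // keep the pruned log; do not count the rejected hit
      return false;
    }
    recent.push(nowMs);
    this.hits.set(key, recent);
    return true;
  }
}

// ---- Per-account lockout: 5 failures -> 15 minutes ----
export const LOCKOUT_THRESHOLD = 5;
export const LOCKOUT_MS = 15 * 60_000;

export class LoginGuard {
  private state = new Map<string, { failures: number; lockedUntil: number }>();

  isLocked(username: string, nowMs: number): boolean {
    const s = this.state.get(username);
    return !!s && nowMs < s.lockedUntil;
  }

  recordFailure(username: string, nowMs: number): void {
    const s = this.state.get(username) ?? { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= LOCKOUT_THRESHOLD) {
      s.lockedUntil = nowMs + LOCKOUT_MS;
      s.failures = 0; // next 5 failures after the lock expires start a fresh count
    }
    this.state.set(username, s);
  }

  recordSuccess(username: string): void {
    this.state.delete(username);
  }
}

export type LoginOutcome = "rate_limited" | "locked" | "failed" | "ok";

// Order matters: the IP limiter runs first, so one source gets at most 10
// attempts per 10 minutes no matter how many usernames it cycles through; the
// lock check runs before the password check, so a locked account costs no
// Argon2id work and the lock cannot be probed with a correct password.
export function handleLogin(
  rl: RateLimiter,
  guard: LoginGuard,
  ip: string,
  username: string,
  passwordOk: () => boolean,
  nowMs: number,
): LoginOutcome {
  if (!rl.allow("login", ip, nowMs)) return "rate_limited";
  if (guard.isLocked(username, nowMs)) return "locked";
  if (!passwordOk()) {
    guard.recordFailure(username, nowMs);
    return "failed";
  }
  guard.recordSuccess(username);
  return "ok";
}
```

The four outcomes are for the audit log; the HTTP response to the client should be the same generic failure for "locked" and "failed" so that the lock state does not confirm which usernames exist.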

Audit logging

Every administrator action — sign-in, sign-out, failed attempt, 2FA enrollment, message read or archived, report exported — is recorded in an append-only audit log with actor identity, source IP, user-agent, and timestamp. The audit log is reviewed periodically.

Backups, restore, and disaster recovery

  • Automated daily database snapshots, retained for 7 days.
  • Snapshots are encrypted with AWS KMS and stored in S3 with multi-AZ redundancy.
  • Recovery procedures are documented and tested at least annually.

What we don't do

  • We do not load any third-party JavaScript on the public site. No Google Analytics, no Meta Pixel, no advertising or fingerprinting scripts.
  • We do not set tracking cookies. The only visitor identifier the site uses is a server-side hash that rotates every 24 hours, so it cannot follow a visitor from one day to the next.
  • We do not store passwords in plaintext, ever. We use Argon2id; we cannot recover a forgotten password — only reset it.
  • We do not ship code to production without TypeScript type checks passing and security-relevant changes reviewed.

Compliance posture

The studio is incorporated in the United States and operates under US privacy and consumer-protection law. Our handling of personal data is consistent with applicable principles from GDPR, CCPA, and CPRA, including: lawful basis for processing, data minimization, purpose limitation, access and deletion rights, and breach notification.

Portfolio companies in regulated sectors (healthcare, pharma, communications, etc.) are architected to satisfy category-specific frameworks (HIPAA, GDPR, CCPA, COPPA, TCPA, SOC 2, ISO 27001) as outlined in the AI Venture Studio thesis.

Reporting a vulnerability

If you discover a security issue with this site or with any Nomisma portfolio company, please report it to security@nomisma.ai. We acknowledge reports within 48 hours and treat all reports confidentially.

Please do not publicly disclose a vulnerability before we have had a reasonable opportunity to address it. We appreciate responsible disclosure and will credit reporters who request it.

Contact

Nomisma LLC
30 N Gould St, Sheridan, WY 82801
United States
security@nomisma.ai