Encryption & Security Architecture

Security Philosophy

Nutan follows a defense-in-depth approach — multiple independent layers of encryption and security, so that compromising one layer doesn't expose your data.

Encryption at Rest

Database Encryption

Your entire local database is protected with industry-standard strong encryption:

• Every page of the database is encrypted.
• The encryption key is generated on your device at first launch.
• The key is stored exclusively in your operating system's secure keychain — never on disk, in a config file, or in the database itself.
• Without the key, the database file is unreadable.

Field-Level Encryption

On top of database encryption, sensitive fields are individually encrypted:

• Contact names and email addresses
• Meeting transcripts
• Knowledge base content
• Any field containing personally identifiable information (PII)

Each encrypted field is authenticated to prevent tampering.

Why Both Layers?

Database encryption protects against someone copying your database file. Field-level encryption protects against application-layer attacks — even if someone bypasses database encryption, individual fields remain encrypted.

Encryption in Transit

All communication between Nutan and external services uses modern TLS:

• API calls to api.nutan.ai are always encrypted.
• CRM and email integrations communicate over encrypted channels.
• Cloud sync data is encrypted in transit.
• Strict transport security prevents downgrade attacks.

Web Surface Hardening

Nutan's web surfaces enforce modern web security standards: strict transport, frame protection, content security policies, MIME-type protection, and restricted browser feature permissions.

Token & Secret Storage

All sensitive credentials are stored in your operating system's secure keychain:

• Database encryption key
• Authentication tokens for CRM, email, and calendar
• Session tokens

The keychain is protected by your operating system using your login password plus hardware-backed security where available.

Never on Disk

Nutan never writes tokens, API keys, or encryption keys to:

• Configuration files
• The database
• Log files
• Temporary files

Blind Email Lookups

Nutan can find contacts by email address without storing emails in searchable plaintext. Email lookups use secure blind indexing — the stored index reveals nothing about the actual email addresses. The email itself is kept only in the encrypted contact field.

Rate Limiting & API Security

• Global rate limit: 100 requests per minute per IP.
• Strict rate limits on sensitive endpoints (auth, sync): 3–10 requests per minute.
• IP addresses are hashed for rate limit tracking — raw IPs are not stored.
• CORS validation restricts which domains can make API requests.

Compliance

Nutan's security architecture is designed for:

• SOC 2 Type II — Access controls, encryption, audit logging
• GDPR — Data minimization, encryption, right to erasure
• CCPA — Data access controls, no data selling
• HIPAA — Encryption at rest and in transit, audit trails
• ISO 27001 — Information security management system alignment