Your data is yours.
We mean that.
Here's exactly what security measures are in place today, and what's coming next. No marketing fluff.
What's in place today
Encryption in transit (TLS)
All data between your browser and our servers is encrypted.
All browser connections use TLS. HTTP requests redirect to HTTPS automatically.
The real-time collaboration WebSocket connection is also encrypted, so your keystrokes never travel in plaintext.
Database connections between the application and PostgreSQL are encrypted.
Secure authentication
Passwords are never stored in plaintext. Sessions are signed and tamper-proof.
Passwords are hashed with bcrypt (cost factor 12) before storage. We never store or log plaintext passwords.
Sessions use signed JWT tokens stored in httpOnly cookies, not localStorage (which is vulnerable to XSS).
Email verification is required before any account can log in.
Two-factor authentication (TOTP) is available in Settings → Security. Compatible with Google Authenticator, Authy, 1Password, and any standard authenticator app.
Workspace isolation
Your team's data is completely separated from every other team's data.
Every document and message belongs to exactly one workspace.
Workspace membership is verified on every API request.
There is no way to access another workspace's data through the API.
Invite-only access
No one can sign up without an explicit invitation from an admin.
The platform is invite-only. Admins send invitations by email from the admin dashboard.
Invite tokens are single-use and expire after 7 days.
The email address on the invite must match the email used to sign up.
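The three invite rules above (single use, 7-day expiry, matching email) can be checked together at sign-up. The sketch below is an added example, not NoteSmith's code: `InviteStore`, `issue`, `redeem`, the in-memory table and the choice to store only a SHA-256 digest of each token are assumptions made for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

INVITE_TTL = timedelta(days=7)  # expiry stated on the page

@dataclass
class Invite:
    email: str                        # normalized address the admin invited
    expires_at: datetime
    used_at: Optional[datetime] = None

class InviteStore:
    """In-memory stand-in for an invites table (hypothetical schema)."""
    def __init__(self) -> None:
        self._by_digest: Dict[str, Invite] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Assumption: only a hash is stored, so a leaked table holds no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        invite = Invite(email.strip().lower(), now + INVITE_TTL)
        self._by_digest[self._digest(token)] = invite
        return token  # goes into the invitation email; never stored in clear

    def redeem(self, token: str, signup_email: str, now: datetime) -> str:
        invite = self._by_digest.get(self._digest(token))
        if invite is None:
            return "unknown"
        if invite.used_at is not None:
            return "already_used"
        if now >= invite.expires_at:
            return "expired"
        if invite.email != signup_email.strip().lower():
            return "email_mismatch"  # token is not consumed by a wrong address
        # In SQL this must be one atomic UPDATE ... WHERE used_at IS NULL.
        invite.used_at = now
        return "ok"

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample data
    store = InviteStore()
    tok = store.issue("alice@example.com", t0)
    # First use succeeds, the replay is rejected.
    print(store.redeem(tok, "alice@example.com", t0), store.redeem(tok, "alice@example.com", t0))
```

With a real database, the used-flag update and the account creation belong in the same transaction, so two concurrent sign-ups cannot both redeem one token.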
Encryption at rest
Document content and file attachments are encrypted before being written to disk.
Document content is encrypted with AES-256-GCM before being stored in the database. A stolen database dump is unreadable without the encryption key.
Each encryption operation uses a unique random IV, so the same content encrypted twice produces different ciphertext.
File attachments (images, uploads) are stored in S3-compatible object storage with AES-256 server-side encryption.
EU-based hosting
Your data lives in the European Union.
All servers, databases, and object storage are hosted at Hetzner in Germany (EU).
Data does not leave the EU for processing or storage.
Hetzner is ISO 27001 certified.
Coming soon
These are on our near-term roadmap and are not available yet.
Database Row Level Security
PostgreSQL RLS policies enforced at the database layer, not just in application code. Defense in depth against API bugs.
Audit logs
Full access logs: who viewed, edited, exported, or changed permissions on every document.
SSO / SAML
Single sign-on via Okta, Azure AD, and Google Workspace for enterprise teams.
Security FAQ
Where is my data stored?
All data is stored on Hetzner servers in Frankfurt, Germany (EU). Your documents, messages, and account information never leave the EU.
Can NoteSmith employees read my documents?
Document content is encrypted at rest with AES-256-GCM. Without the decryption key, which lives only in the server's environment, stored data is ciphertext. We do not access customer data without consent.
How does 2FA work?
NoteSmith uses TOTP-based 2FA (the same standard as Google Authenticator). Set it up in Settings → Security. After enabling it, every login requires your password plus a 6-digit code from your authenticator app.
What happens if I forget my 2FA device?
Contact us at [email protected] and we'll verify your identity and disable 2FA on your account.
Do you support SSO?
SSO via SAML, Okta, and Azure AD is on our roadmap. Not available yet. Contact us if SSO is a blocker.
Found a security vulnerability?
Please email [email protected] with details. We take all reports seriously and will respond within 24 hours.
Have a specific security requirement?
We work with teams who have compliance requirements. Let's talk about what you need.