Security
Last updated: May 19, 2026
NuralNest AI is a vault for the documents, photos, and conversations that matter most to your household — insurance, medical records, receipts, family memories. This page describes how we protect that information at every layer of the system, who can access it, and how to report a vulnerability if you find one.
1. Where your data lives
All NuralNest AI data is stored in Amazon Web Services (AWS) data centers in the United States (us-east-1, Northern Virginia). We do not replicate or back up data outside the U.S.
Each household gets its own dedicated storage area:
- A private Amazon S3 bucket scoped to that household alone
- A dedicated semantic-search index for that household's documents
- An encrypted metadata record stored alongside the bucket
Storage areas are named with a random per-household identifier, not your email or name. There is no shared "everything" bucket — by design, code paths that read across multiple households do not exist.
2. Encryption
In transit
- All connections to NuralNest AI use TLS 1.2 or higher.
- HTTP requests are automatically upgraded to HTTPS; cleartext connections are refused.
- App-to-server traffic uses certificate pinning to defeat man-in-the-middle attacks on public Wi-Fi.
At rest
- Development environment: AWS-managed server-side encryption (SSE-S3). Used for internal testing only; never holds real customer data.
- Production environment: Customer-managed AWS KMS keys (SSE-KMS) protect every document, with a separate KMS key protecting account metadata and remembered facts.
- In production, only Lambda execution roles can use these keys; developer accounts are explicitly denied decrypt permission by IAM policy.
3. Tenant isolation
Multi-tenant systems most often leak by accident — a query forgets its WHERE clause, a path resolves the wrong way. NuralNest AI is built so that the easy path is the safe path:
- Your tenant identifier is read from your authenticated session token on every request. It cannot be passed in a URL, query string, or request body.
- Each household has its own S3 bucket; there is no cross-tenant bucket to confuse.
- Search indexes are per-household and require an authenticated, tenant-scoped query to be readable.
- Pre-signed download links expire 15 minutes after they are issued.
- File contents are never accessed by filename — files are stored under randomized identifiers, so even server logs cannot reveal what you uploaded.
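A minimal sketch of the request-side rules in this list, added here as an illustration and not NuralNest AI's own code: the tenant comes only from a verified session token, client-supplied tenant fields are refused, objects are addressed by random identifier, and download grants last 15 minutes. The HMAC-signed token is a constructed stand-in for a Cognito-issued JWT; the `vault-` bucket prefix and all field and function names are hypothetical.

```python
import base64, hashlib, hmac, json, re, secrets

SIGNING_KEY = b"constructed-demo-key"   # constructed; stands in for the identity provider's key
LINK_TTL_SECONDS = 15 * 60              # the 15-minute download-link lifetime stated above
CLIENT_TENANT_FIELDS = {"tenant", "tenant_id", "household_id"}  # hypothetical field names

def _sign(body: str) -> str:
    digest = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()

def issue_token(claims: dict) -> str:
    """Constructed stand-in for the identity provider issuing a session token."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{body}.{_sign(body)}"

def tenant_from_token(token: str, now: int) -> str:
    """Return the tenant id only if the signature verifies and the token is unexpired."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        raise PermissionError("token expired")
    return claims["tenant"]

def new_object_id() -> str:
    """Random storage identifier, so no filename ever reaches a path or a log."""
    return secrets.token_hex(16)

def authorize_download(token: str, params: dict, now: int) -> dict:
    """Build a time-limited download grant scoped to the caller's own tenant."""
    if CLIENT_TENANT_FIELDS & params.keys():
        raise PermissionError("tenant may not be supplied by the client")
    tenant = tenant_from_token(token, now)
    if not re.fullmatch(r"[0-9a-f]{32}", params.get("object_id", "")):
        raise ValueError("object_id must be an opaque identifier, not a filename")
    return {
        "bucket": f"vault-{tenant}",           # hypothetical per-household bucket name
        "key": params["object_id"],
        "expires_at": now + LINK_TTL_SECONDS,
    }

def grant_is_live(grant: dict, now: int) -> bool:
    return now < grant["expires_at"]
```
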
4. Access controls
- Least privilege: every backend component runs with the minimum AWS permissions it needs and nothing more.
- No production data access by default: engineers do not have routine access to customer data. Operational dashboards display request counts and error rates only — never document text or chat content.
- Audit logs: every meaningful action (sign-in, upload, document read, chat) is recorded in append-only storage. Production logs are retained for up to six years for environments that may hold HIPAA-eligible records.
- Multi-factor authentication is required for every internal AWS account.
5. Authentication
- Accounts are protected by Amazon Cognito. Passwords are hashed by Cognito; we never see them.
- Sessions use short-lived JSON Web Tokens with automatic refresh. Tokens are stored in the platform's secure enclave on mobile (iOS Keychain / Android Keystore).
- You can sign out of all devices at any time from Settings → Sessions in the app.
- Sign in with Apple, magic-link email, and passkeys are on the roadmap — see Terms for the current set of supported sign-in methods.
6. Subprocessors
NuralNest AI is built on a small set of carefully chosen vendors. Each is bound by a written agreement that restricts use of your data to providing service to us. We do not sell or rent your data to any of them.
| Vendor | Service | Region |
|---|---|---|
| Amazon Web Services | Hosting, storage (S3), authentication (Cognito), AI inference (Bedrock with Anthropic, Amazon, and other foundation models), text extraction (Textract), audio transcription (Transcribe), key management (KMS), edge delivery (CloudFront), web application firewall (WAF) | US East |
| Tavily | Public-web search for the chat assistant when you ask about current events, news, or anything outside your vault. Your search query is sent; your vault content is not. | United States |
| WeatherAPI.com | Current weather conditions for chat queries like "what's the weather right now?" Only the location (city or approximate coordinates) is sent; nothing else. | United States |
As the Service grows, we may add subprocessors for features like calendar and email integration. Any addition will be reflected on this page and announced in advance to households with paid plans.
7. HIPAA posture
NuralNest AI is architected to be HIPAA-eligible — meaning the technical controls (encryption, audit logging, isolation, minimum-necessary access) align with the HIPAA Security Rule. Several administrative steps remain before NuralNest AI can be used as a Business Associate of a covered entity, including signed Business Associate Agreements with each subprocessor.
Today NuralNest AI is intended for personal household use: you uploading your own family's records. It is not currently offered to healthcare providers, payers, or clearinghouses, and no PHI should be uploaded by such entities until we explicitly publish a HIPAA-readiness statement on this page.
8. Vulnerability reporting
If you believe you have found a security issue in NuralNest AI, we want to hear from you. Please email security@nuralnest.com with:
- A description of the issue and the potential impact
- Steps to reproduce, if possible
- Your contact information so we can follow up
We will acknowledge receipt within two business days and keep you informed as we investigate. We do not currently run a paid bug bounty program, but we publicly credit researchers who report valid issues, with your permission.
Please give us a reasonable window to remediate before any public disclosure, and avoid accessing data that does not belong to you. We will not pursue legal action against good-faith research conducted under this policy.
9. Incident notification
If we ever experience a security incident involving your personal information, we will notify affected users without undue delay and within the timelines required by applicable law. Notifications will describe what happened, what information was involved, what we have done, and what you can do.
10. What we will never do
- We will never sell, rent, or share your personal information with the outside world for advertising, analytics, training data, or any other purpose. The only vendors that ever touch your data are the service providers listed in §6, and each is contractually prohibited from using it for their own purposes.
- We will never use your vault content or chat messages to train AI models — ours or anyone else's.
- We will never show ads in NuralNest AI or share data with ad networks, data brokers, or analytics partners.
- Our team will never browse your vault content as part of routine operations.
11. Updates to this page
Security practices evolve. Material changes to encryption, subprocessors, or access controls will be reflected here and the "Last updated" date at the top of the page will move forward. For broader changes to how we handle personal information, see the Privacy Policy.
12. Contact
Security questions or reports:
security@nuralnest.com
Privacy questions or requests:
privacy@nuralnest.com
United Dream Homes LLC
2300 Olympia Dr. #271761
Flower Mound, TX 75027, USA