Security

How we protect your interview data.

Data protection

  • Encryption in transit. All data is transmitted over TLS 1.2+. Every API call, webhook, and browser connection is encrypted.
  • Encryption at rest. Interview feedback, OAuth tokens, and personally identifiable data are encrypted at rest in our database.
  • Workspace isolation. Each Slack workspace's data is logically isolated. One workspace cannot access another's interviews, feedback, or settings.
  • No training on your data. Interview feedback is never used to train AI models. We use AI solely to structure your feedback in real time.

Infrastructure

  • Database. Hosted on Supabase (AWS eu-central-1, Frankfurt, Germany). Data stays in the EU.
  • Application. The Slack bot runs on Railway (US East) behind Cloudflare. The web app and landing site are on Vercel's edge network.
  • Authentication. Slack OAuth 2.0 for bot installation. Google OAuth 2.0 (read-only calendar scopes) for interview detection. Supabase Auth for the recruiter dashboard.
  • Payments. Processed by Stripe. We never store card details.

GDPR compliance

  • Lawful basis. We process data under legitimate interest (providing the service you signed up for) and contract performance. Full details in our Privacy Policy.
  • Data subject rights. You can request access to, correction of, or deletion of your data at any time by emailing owen@nudgebot.ai. We respond within 30 days.
  • Sub-processors. We maintain a public list of all third parties that process data on our behalf. See Sub-processors.
  • Data retention. Feedback is retained while your account is active. On deletion or account closure, data is purged within 30 days.
  • International transfers. Where data is processed outside the EU (e.g. Anthropic for AI structuring), we rely on Standard Contractual Clauses.

Access controls

  • Least privilege. Google Calendar access uses read-only scopes. The bot only accesses what it needs.
  • Signed requests. Every Slack event is verified using request signing to prevent tampering. Stripe webhooks are verified with signature validation.
  • Row-level security. Database access is scoped per company. Service-level keys are never exposed to the browser.
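The signed-request checks described in the "Signed requests" bullet, shown as an added example that is not nudgebot's own code. It implements Slack's documented v0 request-signing scheme (HMAC-SHA256 over `v0:<timestamp>:<raw body>`, compared against the `X-Slack-Signature` header) and Stripe's `Stripe-Signature` scheme (HMAC-SHA256 over `<t>.<raw body>`), and adds the freshness window both vendors recommend so that a captured request cannot simply be replayed later. The secrets, header values and payloads are constructed for the demo; the `demo()` function and all helper names are assumptions, not anything from nudgebot.

```python
import hashlib
import hmac
import time
from typing import Optional

SLACK_VERSION = "v0"
REPLAY_WINDOW_SECONDS = 5 * 60  # both Slack and Stripe recommend about five minutes


def slack_expected_signature(signing_secret: str, timestamp: str, body: str) -> str:
    """Slack's scheme: HMAC-SHA256 over 'v0:<timestamp>:<raw body>', hex, prefixed 'v0='."""
    base_string = f"{SLACK_VERSION}:{timestamp}:{body}".encode()
    digest = hmac.new(signing_secret.encode(), base_string, hashlib.sha256).hexdigest()
    return f"{SLACK_VERSION}={digest}"


def verify_slack_request(signing_secret: str, headers: dict, body: str,
                         now: Optional[float] = None) -> bool:
    """Accept only fresh requests whose signature matches (constant-time comparison)."""
    now = time.time() if now is None else now
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    provided = headers.get("X-Slack-Signature", "")
    if not timestamp.isdigit():
        return False
    if abs(now - int(timestamp)) > REPLAY_WINDOW_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = slack_expected_signature(signing_secret, timestamp, body)
    return hmac.compare_digest(expected, provided)


def stripe_expected_signature(endpoint_secret: str, timestamp: str, body: str) -> str:
    """Stripe's scheme: HMAC-SHA256 over '<timestamp>.<raw body>', hex."""
    signed_payload = f"{timestamp}.{body}".encode()
    return hmac.new(endpoint_secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify_stripe_webhook(endpoint_secret: str, sig_header: str, body: str,
                          now: Optional[float] = None) -> bool:
    """Parse 'Stripe-Signature: t=<ts>,v1=<sig>[,v1=<sig>...]', check freshness and any v1 match."""
    now = time.time() if now is None else now
    timestamp = None
    candidates = []
    for item in sig_header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            continue
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)  # several v1 entries appear during secret rotation
    if timestamp is None or not timestamp.isdigit() or not candidates:
        return False
    if abs(now - int(timestamp)) > REPLAY_WINDOW_SECONDS:
        return False
    expected = stripe_expected_signature(endpoint_secret, timestamp, body)
    return any(hmac.compare_digest(expected, c) for c in candidates)


def demo() -> dict:
    """Constructed secrets and payloads (not real credentials) exercising accept and reject paths."""
    now = 1_700_000_000.0
    slack_secret = "slack-signing-secret-CONSTRUCTED"
    body = '{"type":"event_callback","event":{"type":"message","text":"feedback"}}'
    ts = str(int(now) - 10)
    good_headers = {"X-Slack-Request-Timestamp": ts,
                    "X-Slack-Signature": slack_expected_signature(slack_secret, ts, body)}
    stale_ts = str(int(now) - 3600)  # an hour old: valid signature, but outside the window
    stale_headers = {"X-Slack-Request-Timestamp": stale_ts,
                     "X-Slack-Signature": slack_expected_signature(slack_secret, stale_ts, body)}

    stripe_secret = "whsec_CONSTRUCTED"
    event = '{"id":"evt_constructed","type":"invoice.paid"}'
    sts = str(int(now) - 5)
    stripe_header = f"t={sts},v1={stripe_expected_signature(stripe_secret, sts, event)}"

    return {
        "slack_valid": verify_slack_request(slack_secret, good_headers, body, now),
        "slack_tampered": verify_slack_request(slack_secret, good_headers, body + " ", now),
        "slack_replayed": verify_slack_request(slack_secret, stale_headers, body, now),
        "stripe_valid": verify_stripe_webhook(stripe_secret, stripe_header, event, now),
        "stripe_wrong_secret": verify_stripe_webhook("whsec_OTHER", stripe_header, event, now),
    }


if __name__ == "__main__":
    print(demo())
```

Both checks must run over the raw request body exactly as received; parsing the JSON and re-serialising it changes whitespace and key order and will break the signature. `hmac.compare_digest` is used rather than `==` so that comparison time does not leak how many leading bytes of a forged signature were correct, and the timestamp window is checked before the HMAC so that stale requests are rejected cheaply.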

Responsible disclosure

If you discover a security vulnerability, please report it responsibly. We take all reports seriously and will respond promptly.

  • Contact: security@nudgebot.ai
  • Response time: We will acknowledge your report within 48 hours and provide a timeline for resolution.
  • Scope: nudgebot.ai, app.nudgebot.ai, bot.nudgebot.ai, and all associated APIs.
  • Out of scope: Social engineering, phishing, denial of service, and third-party services we use.

Company details

Northwall Technologies Ltd
Company number: 16873407
Registered in England and Wales