§1
SECURITY PACK · v0.1 · 04 May 2026

Compliance is the product.

Nansy is built for legal practice operating under Israeli law. The Bar Association rules, the Privacy Protection Law, GDPR — these aren’t features; they’re the constraints the product was shaped around. What follows is the security pack: posture, evidence, dates.

§2

Five claims, made plainly.

The full record sits in §3. Before that, the five things a partner actually wants to know — without the marketing register.

Tenancy
Application-layer isolation today; RLS gated on review.

Multi-tenant on shared Postgres. Tenant scoping is enforced at the runAction and requireApi chokepoints — single-callsite auditable. RLS is wired but disabled until external security review of the JWT-claim bridge completes. No external customer ships before that gate clears.

Encryption
At rest, in transit, in tools.

TLS 1.3 in transit. AES-256-GCM with AAD-bound rotation for SecretaryConversation rows. Integration OAuth tokens encrypted with a separate key. Cron secrets verified in constant time. Pre-commit secret-scan + migration-safety gates.

Audit
Append-only, signed, 7-year retention.

Every AI generation, every secretary action, every status mutation writes a row. Rows survive tenant deletion in anonymized form, retained for the seven years the Israeli Bar requires. Filterable by rule, actor, surface — exportable to CSV/JSON.

AI containment
No model leaves the cage.

Anthropic Claude 4.x via API, with a signed Data Processing Agreement. No tenant data used to train any model. Confirm-before-execute on destructive secretary tools. Every output is signed by the partner of record. Module 25 AI-prepared content footer applied platform-wide.

Honest non-claims
What we are not — yet.

No SOC 2 (planned post-tenant-2). No ISO 27001. No HIPAA — out of scope for IL legal. Pentest pending before first paid tenant + annual after. RLS pending external review. We name what’s not in place because pretending otherwise is exactly the disposition this product is supposed to push back on.

§3

Obligations, named. Status, current.

Each obligation, dated. Each obligation’s evidence, linked. Live means in production. In progress means actively worked. Queued means deliberately deferred — and §2 will tell you why. Conditional means dependent on tenant action.

Israeli law · Bar Association · Privacy Protection Law
ISR-BAR-8
Rule 8 advertising scanner · publish gate enforced across Hebrew, Arabic, English. Catches superlatives, comparative claims, guarantees of outcome.
live
ISR-BAR-19
Rule 19 — AI disclosure & privilege. AI-prepared content surfaces an inline disclosure. Privileged communication never enters training data. 7-year retention applied to relevant artifacts.
policy · §8 audit
live
ISR-PPL-13
Privacy Protection Law, Amendment 13 (eff. 2025-08-14). NAS exempt from registration; memo-to-file lodged. Tenants determine their own §17B obligations — the engagement letter clarifies the exemption is not assignable.
memo · docs/legal/ppl-13-memo.md
conditional
ISR-DSR
Data subject rights workflow. Access, rectification, erasure, restriction, portability, objection. Standard response window: 30 days.
live
European Union · GDPR · AI Act
EU-GDPR-12
Articles 12–14 · transparent information, communication in plain language, response within statutory periods.
privacy notice · /privacy
live
EU-GDPR-28
Article 28 · Data Processing Agreements. DPAs in place with Anthropic (signed), Supabase (signed). Customer DPA available on request as part of contracting.
DPA · on request
live
EU-GDPR-35
Article 35 · DPIA. Data protection impact assessment in progress. Scope: AI-assisted drafting, automated rule-enforcement, sub-processor inventory, cross-border transfers.
DPIA · on request
in progress
EU-GDPR-37
Article 37 · Data Protection Officer. DPO designated internally. External DPO retained for tenant DPIAs on request.
contact · dpo@nansy.io
live
EU-AI-MOD-25
EU AI Act, Module 25. AI-prepared content footer applied platform-wide; disclosure threaded into every artifact a downstream party might rely on.
policy · public
live
Tenancy & Architecture · Multi-tenant data isolation
RLS-MULTI
Postgres row-level security · wired but not yet active. Application-layer enforcement at runAction / requireApi today. RLS gated on JWT-claim bridge + external security review before any external customer ships.
queued
TENANT-LIFECYCLE
Atomic provisioning & deletion. Tenants created in a single Prisma transaction. Deletion triggers a 7-year audit snapshot before cascade — irreversible after grace period.
runbook · internal
live
ENC-AT-REST
AES-256-GCM, AAD-bound for sensitive rows (SecretaryConversation). Per-row authentication tag prevents cross-row plaintext substitution.
live
ENC-IN-TRANSIT
TLS 1.3 on every public surface; HSTS preload; modern cipher suite enforced.
test · ssllabs · A+
live
CSP
Content Security Policy on marketing surface; nonce-refactor on dashboard pending (current: unsafe-inline, tracked debt).
debt · CSP-NONCE-1
in progress
Operational · Pentest · Backups · Vulnerability disclosure
PENTEST-EXT
External penetration test · scheduled before first paid tenant onboarding. Annual cadence after. Report available to tenants on request under NDA.
vendor · in selection
queued
BACKUPS-PITR
Point-in-time recovery via Supabase Pro. Daily logical pg_dump archived 30 days. Restore SLO: 4h. Quarterly drill.
runbook · docs/INCIDENT_RESPONSE.md
live
VULN-DISC
Coordinated vulnerability disclosure. Acknowledgement within 48h. Severity triage within 5 business days. Researcher coordination via security@nansy.io.
live
SOC-2
SOC 2 Type II · planned post tenant-2. Enterprise tenants requiring SOC 2 today: contact us about a parallel attestation track.
timeline · 2026 H2
queued
posture as of 2026-05-04 · pack-2026-Q2
§4

Where data sits. How it moves.

Every layer named, every region named, every key class named. The honest answer to “where is my client data” — not the one with the marketing flourishes around it.

Request path: Client (Browser) → TLS 1.3 → Edge (Vercel, eu-central-1) → Database (Supabase Postgres, eu-central-1)

| Data class | Storage and handling | Region |
|---|---|---|
| Edge logs | Vercel access logs · 30-day retention · no request bodies | eu-central-1 |
| App data | Postgres on Supabase · Frankfurt region · daily PITR | eu-central-1 |
| Sensitive rows | AES-256-GCM, AAD-bound · key in ENCRYPTION_KEY · rotated on tenant deletion | eu-central-1 |
| OAuth tokens | AES-256-GCM · separate key INTEGRATION_ENCRYPTION_KEY · per-tenant scoping | eu-central-1 |
| Object storage | Supabase Storage · per-tenant bucket prefix · server-side encryption | eu-central-1 |
| AI calls | Anthropic API · DPA signed · no training on tenant data | us-east-1* |
| Email | Resend · transactional only · DKIM/SPF/DMARC enforced | us-east-1* |
| Telemetry | PostHog · self-host option for Practice+ tier · no PII in events | eu-central-1 |

* Anthropic and Resend operate from US regions. Cross-border transfers governed by SCCs and the EU–US Data Privacy Framework. Tenants requiring EU-only AI inference: contact us about Anthropic’s EU residency offering.

§5

Who else touches the data.

Every external party that processes tenant data, with purpose, region, and data class. Material additions are notified to tenants 30 days in advance — a tenant may object and pause the change for their account.

| Vendor | Purpose | Region | Class |
|---|---|---|---|
| Vercel · vercel.com | Hosting · edge · CDN · build pipeline | eu-central-1 | app · logs |
| Supabase · supabase.com | Postgres · auth · storage · realtime | eu-central-1 | app · auth |
| Anthropic · anthropic.com | Claude API · AI generation · DPA signed | us-east-1 | prompt |
| Resend · resend.com | Transactional email · inbound webhook for support | us-east-1 | email |
| PostHog · posthog.com | Product telemetry · funnel · feature flags | eu-central-1 | events |
| Sentry · sentry.io | Error tracking · performance monitoring | eu-central-1 | errors |
| Better Stack · betterstack.com | Synthetic uptime · status page | eu-central-1 | probes |
| Cardcom · cardcom.solutions | Israeli payments · invoice issuance (tax invoice) | il-central | billing |
| Cloudflare · cloudflare.com | DNS · DDoS protection | global edge | network |

notification list · subscribe · 30-day advance notice on additions

§6

Every record has a clock.

Retention is enforced by a daily cron at 03:00 UTC against computeExpiresAt. The audit log retention overrides everything else: seven years, signed, surviving even tenant deletion in anonymized form.

| Record class | Model | Period | Trigger |
|---|---|---|---|
| Lead | Lead | 24 months | post-last-contact |
| Secretary conversation | SecretaryConversation | 90 days | rolling, post-last-message |
| Cookie consent | CookieConsent | 36 months | post-recording |
| Subscriber (inactive) | Subscriber | 90 days | post-inactivity |
| Data rights request | DataRightsRequest | 12 months | post-completion |
| Audit log | AuditEvent | 7 years | Bar Association · survives tenant deletion |
| Tenant cold snapshot | TenantSnapshot | 7 years | post-tenant-deletion |
§7

Six rights. One inbox.

Data subject rights under GDPR and the Israeli Privacy Protection Law. File any of these to privacy@nansy.io — or for tenant-side data, the firm whose engagement you’re under. Standard response: 30 days.

Right of access
See what we hold.
A complete export in machine-readable form, including the audit entries that touch your record. Free of charge, once per twelve months.
response · 30 days
Right to rectification
Correct the record.
Inaccurate or incomplete data is corrected on request, with the prior version preserved in the audit log for the seven years required.
response · 30 days
Right to erasure
Be forgotten.
Records are deleted unless retention is required by law (audit, tax, regulatory). What’s preserved becomes anonymized; what’s deleted is irreversible after grace.
response · 30 days · cascade ≤ 7 days
Right to restriction
Pause processing.
While a dispute is open or accuracy is contested, processing is restricted — the data sits, but isn’t acted on or sent to AI.
response · 7 days
Right to portability
Take it with you.
Structured, commonly used, machine-readable export — JSON or CSV, your choice — covering data you provided directly.
response · 30 days
Right to object
Withdraw consent.
Object to specific processing — direct marketing in particular is honored without exception. Where legitimate interests are claimed, we set out the basis.
response · 30 days · marketing · immediate
§8

If something goes wrong, here’s how it goes.

The promise is not that incidents won’t happen — it’s that they’re named, communicated, and recorded. Tenant notification is a contractual obligation, not a courtesy.

T+0
Detection & triage
Page on-call. Severity classification: SEV-1 (data exposure / availability), SEV-2 (degraded service), SEV-3 (limited impact). SEV-1 acknowledgment within 15 minutes.
T+1h
Containment
Stop the bleeding. Isolate affected systems, rotate credentials if relevant, freeze writes if integrity is in question. Status page status.nansy.io updated within 30 minutes of confirmation.
T+4h
Tenant notification (SEV-1)
For confirmed SEV-1 with potential tenant data impact: direct email to tenant ADMIN within 4 hours. Working details — what we know, what we don’t, what we’re doing. No marketing softening.
T+72h
Regulatory notification
Where GDPR Article 33 or Israeli PPL §17B applies, supervisory authority notified within 72 hours of awareness. Affected data subjects notified without undue delay where high risk.
T+30d
Post-incident review
Public post-mortem on the status page. Root cause, timeline, what changed, what stays open. Filed in docs/INCIDENTS/ internally, available to tenants under DPA.
§9

Counsel-grade questions get counsel-grade answers.

The pack above is what we publish. The full contracting bundle — customer DPA, security questionnaire responses, sub-processor change feed, pentest report under NDA, incident-response runbook — comes with the contract conversation.