Security

Your agent data, protected

Niitaka is built for production engineering teams who can't afford to compromise on data security. Here's exactly how we protect your data.

Encryption

In Transit

  • All traffic over HTTPS / TLS 1.2+
  • Enforced at both Vercel (frontend) and Railway (backend)
  • No plaintext fallback: plain HTTP requests are redirected to HTTPS

At Rest

  • AES-256 encryption for all stored data
  • Managed by Supabase (Postgres on AWS)
  • Database backups encrypted with the same key

Access Controls

Row-Level Security

  • Every table enforces org-scoped RLS in Postgres
  • No cross-tenant data leakage — enforced at the DB layer, not just application code
  • Verified on all 27 tables before production launch
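To make the "enforced at the DB layer" point concrete, here is what an org-scoped RLS policy and the matching coverage check look like in Postgres. This is an added example written for this page, not Niitaka's own schema or policies: it assumes a Supabase-style project where the JWT carries an org_id claim readable through auth.jwt(), and uses a hypothetical table public.agent_sessions with an org_id column.

```sql
-- Added example, not Niitaka's schema. Assumes: a Supabase-style database where
-- auth.jwt() returns the caller's JWT claims as jsonb, an org_id custom claim in
-- that JWT, and a hypothetical table public.agent_sessions(org_id uuid, ...).

-- 1. Enable RLS and force it so the table owner is subject to policies too.
--    Roles with the BYPASSRLS attribute (e.g. Supabase's service_role) still
--    bypass RLS; FORCE only closes the table-owner loophole.
alter table public.agent_sessions enable row level security;
alter table public.agent_sessions force row level security;

-- 2. Weak shape, shown for contrast: reads are scoped but writes are not, so a
--    caller can insert rows tagged with another org's id.
-- create policy sessions_read on public.agent_sessions
--   for select to authenticated
--   using (org_id = (auth.jwt() ->> 'org_id')::uuid);
-- create policy sessions_write on public.agent_sessions
--   for insert to authenticated
--   with check (true);

-- 3. Org-scoped policy for every command. USING filters what the caller can
--    see (select/update/delete); WITH CHECK constrains what the caller may
--    write (insert/update) to rows carrying their own org_id.
create policy sessions_org_isolation on public.agent_sessions
  for all
  to authenticated
  using      (org_id = (auth.jwt() ->> 'org_id')::uuid)
  with check (org_id = (auth.jwt() ->> 'org_id')::uuid);

-- 4. Coverage check for the whole schema: any table in public that has RLS
--    disabled or not forced shows up here. A pre-launch verification like the
--    one described above would expect this to return zero rows.
select n.nspname, c.relname, c.relrowsecurity, c.relforcerowsecurity
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and (not c.relrowsecurity or not c.relforcerowsecurity);

-- 5. Cross-tenant smoke test. auth.jwt() reads the request.jwt.claims setting,
--    so impersonating a caller from org A must yield no rows from any other org.
--    The org UUID below is a constructed placeholder.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"user-a","role":"authenticated",'
                  '"org_id":"11111111-1111-1111-1111-111111111111"}',
                  true);
select count(*) as leaked_rows
from public.agent_sessions
where org_id <> '11111111-1111-1111-1111-111111111111';  -- expect 0
rollback;
```

Two practical notes on the design: a policy that scopes SELECT but leaves INSERT with `with check (true)` passes a casual read test yet still permits writing into another tenant's partition, which is why the combined `for all` form with both clauses is preferable; and the pg_class query is worth wiring into CI or a migration test so that a newly added table cannot ship without RLS.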

Audit Logging

  • Every API request logged with user, IP, path, and outcome
  • Superadmin (break-glass) access flagged separately
  • Per-org audit trail available to org admins

Authentication & Authorization

  • RBAC with admin / developer / viewer roles per org
  • JWT tokens (8-hour lifetime) + API key auth for SDK
  • TOTP MFA with single-use backup codes (bcrypt-hashed)
  • 15-minute inactivity timeout with server-side token revocation

Data Handling

We never train on your data

Niitaka is an observability layer. Your agent session data, LLM prompts, and tool outputs are never used to train models or improve any AI system.

You own your data

Export your full data at any time from account settings. Delete your account and all associated data via the GDPR right-to-erasure endpoint — data is hard-deleted within 30 days.

Minimum necessary access

Niitaka staff have no routine access to your session data. Emergency superadmin access (break-glass) is logged, time-bound, and requires documented justification.

Compliance

Our compliance posture is designed for enterprise engineering teams.

GDPR

Active

Data export, right-to-erasure, privacy policy, and DPA available for EU customers.

HIPAA

In Progress

Technical safeguards complete (MFA, audit log, inactivity timeout, break-glass). BAA available for healthcare customers — contact us.

SOC 2 Type 2

Planned

Observation period planned for post-launch. We will engage a qualified auditor within 6 months of general availability.

Infrastructure

Database

Supabase

Managed Postgres on AWS — SOC 2, ISO 27001

Backend

Railway

US region — isolated container per deployment

Frontend

Vercel

Edge network — SOC 2, GDPR compliant

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly to security@niitaka.ai. We aim to acknowledge reports within 48 hours and resolve critical issues within 7 days. We do not currently offer a bug bounty programme, but we will acknowledge responsible disclosures.

Questions about security?

We're happy to provide a security questionnaire response, discuss BAA requirements, or walk through our controls with your security team.

Contact security@niitaka.ai