Security & Privacy
NorthSignal takes security seriously. Here's exactly what we store, how we protect it, and what we don't touch.
API Key Encryption
When you paste an API key into NorthSignal:
- It is transmitted over a TLS-encrypted connection (HTTPS).
- It is immediately stored in Supabase Vault, an AES-256 encrypted secret store. The key is encrypted on write and is never held in plaintext in our database.
- Once in the vault, the raw key cannot be read back by anyone at NorthSignal, developers and administrators included.
- The only place the key is decrypted is server-side, in memory, for the duration of a request made to the AI provider on your behalf; it is never returned to your browser.
You can delete your keys from the vault at any time via the Settings Modal.
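The following is an added illustration of the store, use and delete lifecycle described above, written against the Supabase Vault extension's documented SQL functions (`vault.create_secret`, the `vault.decrypted_secrets` view, and deletion from `vault.secrets`). It is not NorthSignal's own code; the table `user_provider_keys`, the function `provider_key_for`, the user id and the sample key value are constructed for the example.

```sql
-- Added example, not NorthSignal's code. Names other than the vault.*
-- objects (user_provider_keys, provider_key_for) are assumptions.

-- 1. Store: the plaintext key enters the database once and is encrypted
--    on write. The application keeps only the returned uuid, never the key.
create table if not exists user_provider_keys (
  user_id   uuid not null,
  provider  text not null,
  secret_id uuid not null,   -- reference into vault.secrets, not the key itself
  primary key (user_id, provider)
);

with stored as (
  select vault.create_secret(
           'sk-example-not-a-real-key',                          -- constructed sample
           'openai:user:11111111-1111-1111-1111-111111111111',   -- unique name
           'provider key supplied by the user'
         ) as secret_id
)
insert into user_provider_keys (user_id, provider, secret_id)
select '11111111-1111-1111-1111-111111111111', 'openai', secret_id
from stored;

-- 2. Use: decrypt only at request time, inside a server-side function.
--    vault.decrypted_secrets decrypts on read, so any role that can SELECT
--    from it can see plaintext. Wrapping the read in a function and revoking
--    execute from the client-facing roles keeps the decrypt path server-only.
create or replace function provider_key_for(p_user uuid, p_provider text)
returns text
language sql
security definer
set search_path = public, vault
as $$
  select ds.decrypted_secret
  from user_provider_keys k
  join vault.decrypted_secrets ds on ds.id = k.secret_id
  where k.user_id = p_user
    and k.provider = p_provider
$$;

revoke execute on function provider_key_for(uuid, text)
  from public, anon, authenticated;

-- 3. Delete: removing the vault row destroys the ciphertext; the reference
--    row in the application table is removed with it.
delete from vault.secrets
where id = (
  select secret_id from user_provider_keys
  where user_id = '11111111-1111-1111-1111-111111111111'
    and provider = 'openai'
);

delete from user_provider_keys
where user_id = '11111111-1111-1111-1111-111111111111'
  and provider = 'openai';
```

The check worth making in any deployment of this pattern is who can reach `vault.decrypted_secrets` or the wrapper function: a role that can call `provider_key_for` can recover plaintext, so the "no one can read the key" property holds only as far as that role is restricted.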
What Data NorthSignal Stores
| Data | Storage | Encryption |
|---|---|---|
| Your email and name (from Google OAuth) | Supabase Auth | Encrypted at rest |
| Your API keys | Supabase Vault | AES-256 encryption |
| Chat messages | Supabase Database | Encrypted at rest |
| Vector embeddings (for RAG memory) | Supabase Database | Encrypted at rest |
| App preferences (theme, settings) | Supabase Database | Encrypted at rest |
What NorthSignal Does NOT Store
- ❌ Your Google password — We never see it. Google handles authentication entirely.
- ❌ Your Google contacts, files, calendar, or any other services — We only request your basic profile (name, email, avatar).
- ❌ Your API keys in plaintext — Keys are encrypted the moment they enter our system.
- ❌ Anything in your browser's localStorage — Sensitive data is never stored client-side.
Google OAuth Scope
NorthSignal only requests the following OAuth scopes:
- `openid` — Verify your identity.
- `email` — Get your email address for your account.
- `profile` — Get your display name and avatar.
We do not request access to Gmail, Drive, Calendar, or any other Google service.
Privacy Policy
For the full legal policy, visit our Privacy Policy.
Reporting Security Issues
If you discover a security vulnerability, please report it immediately to support@northsignal.cloud.