Built to keep your inbox, your receipts, and your books safe

1. We don't read your inbox

Most receipt-capture tools ask for full Gmail or Outlook OAuth access — the kind that lets them read every email you have ever received. Nomad deliberately does not. Instead, every workspace gets a unique inbound email address. We only ever see what you (or a forwarding rule you control) explicitly send to that address.

• One-way forwarding — no read access to your mailbox.
• You can change, delete, or pause your forwarding rules at any time.
• Rotating the inbound address invalidates the old one immediately.

2. Encryption

• In transit: All connections to Nomad use TLS 1.2 or higher. Modern browsers and mobile clients negotiate TLS 1.3 by default.
• At rest: Database content, receipt and invoice files, and backups are encrypted at rest using AES-256.
• Secrets management:Production credentials live only in our hosting provider's secrets store and are never embedded in code or distributed to client devices.

3. Authentication and access control

• Passwords are stored as salted hashes; we never store plaintext passwords.
• Sessions use short-lived access tokens with refresh-token rotation, secured with HTTP-only cookies on the web and platform secure storage on mobile.
• Magic-link sign-in is supported for passwordless flows.
• Workspace data is isolated using row-level security in the database — every query enforces the caller's workspace and role at the database tier, not just the application layer.
• Five-level role permissions (owner, admin, manager, member, viewer) gate every administrative action. Sensitive actions (regenerating an inbound address, removing a member) are restricted to owner/admin.

4. Data residency and subprocessors

Customer data is hosted on managed infrastructure in Canada and the United States. We use a small, vetted list of subprocessors to deliver core service functionality — each is bound by data-processing terms and reviewed before being put into production:

• Database, storage, authentication, and edge functions (managed Postgres provider)
• Application hosting (managed Node.js host)
• OCR processing (cloud worker, optional on-device fallback)
• Inbound mail handling (transactional email provider)
• Payments and subscriptions (Stripe)
• Crash reporting (where enabled)

The full and current list is available on request from security@nomad-finance.com.

5. Audit logs and monitoring

• Authentication events, role changes, sensitive administrative actions, and billing changes are recorded in an audit log retained for security investigation.
• Rate limits protect login, password reset, signup, and billing endpoints from automated abuse. Inbound-mail traffic is rate-limited per workspace address.
• Webhook endpoints (Stripe billing, inbound mail) require strong authentication and reject unauthenticated traffic before any processing.

6. Incident response

If we become aware of a security incident affecting customer data, we follow a defined response process: contain, investigate, remediate, and notify. Where a notifiable breach has occurred, we will notify affected workspace owners without undue delay and provide the information required by applicable law.

7. Compliance posture

Nomad is built to support common privacy and security frameworks:

• GDPR / Canadian PIPEDA / Quebec Law 25: access, correction, and deletion rights are honored on request. See our Privacy Policy for the full description.
• SOC 2: our control framework is designed against SOC 2 Trust Services Criteria. A formal Type II audit is planned; speak to us if you need our current readiness package.
• Data Processing Addendum (DPA): available on request for customers that need a DPA in place to process EU, UK, or Canadian personal data.

8. Vulnerability disclosure

If you believe you have found a security vulnerability in Nomad, please report it to security@nomad-finance.com. We investigate all reports promptly and ask researchers to give us reasonable time to remediate before public disclosure. We do not pursue legal action against good-faith security research conducted within the scope described in that response.