Security at naffe.ai

Enterprise-grade security, by default

Security is not an afterthought at naffe.ai. Every layer of our platform is designed to protect your data, your customers' data, and your business. From encryption at rest and in transit to strict access controls and continuous monitoring, we build security into everything we do.

  • Encryption at rest: AES-256
  • Encryption in transit: TLS 1.2+
  • Data residency: EU (Europe)
  • Uptime target: 99.9%

Data Encryption

All data is encrypted both at rest and in transit. We use industry-standard AES-256 encryption for stored data, including all credentials, tokens, and sensitive configuration. Every connection to naffe.ai is protected by TLS 1.2 or higher, ensuring your data cannot be intercepted or tampered with during transmission.

  • All stored credentials and tokens are encrypted with AES-256 before reaching the database
  • Encryption keys are stored separately from encrypted data, managed through secure environment isolation
  • All API communication is encrypted with TLS 1.2+, including internal service-to-service calls
  • HTTPS is enforced across all endpoints with no exceptions

Data Isolation and Multi-Tenancy

naffe.ai is built as a multi-tenant platform with strict data isolation between customers. Every data operation is scoped to the authenticated user, and our database enforces row-level access controls that prevent any cross-tenant data access, even in the event of an application-level vulnerability.

  • Row-level security policies enforce strict tenant isolation at the database layer
  • Published applications are isolated with per-site data boundaries
  • Backend resources provisioned for your apps are scoped exclusively to your deployment
  • No customer can access, query, or modify another customer's data, applications, or configuration

Authentication and Access Control

We use secure, session-based authentication with no plaintext password storage. All sessions are cryptographically signed and validated on every request. Rate limiting is enforced across all endpoints to prevent brute force attacks, credential stuffing, and abuse.

  • Secure session management with cryptographically signed tokens
  • Rate limiting on all API endpoints to prevent abuse and automated attacks
  • Every API call is authenticated and authorized before processing
  • No API keys are ever exposed to end users or client-side code

Third-Party Integration Security

When you connect external services like Google, Stripe, or Slack, naffe.ai uses the industry-standard OAuth 2.0 protocol. We never see or store your passwords. You authorize access directly with the service provider, and you can revoke access at any time.

  • OAuth 2.0 for all third-party service connections - we never handle your passwords
  • Minimal permission scopes - we only request the access needed for the features you use
  • All OAuth tokens are encrypted at rest and decrypted only at the moment of use
  • Automatic token refresh with secure credential rotation
  • One-click disconnect permanently deletes stored tokens

AI and Data Privacy

naffe.ai uses AI to generate and edit software on your behalf. We take your data privacy seriously and have strict controls around how your data interacts with AI systems.

  • Your data is never used to train AI models. Our AI provider contractually guarantees that API inputs and outputs are not used for model training
  • All AI interactions are proxied through our backend - no direct client-to-AI communication
  • Credit-based usage metering prevents unauthorized or excessive AI consumption
  • AI-generated applications are owned entirely by you - we claim no rights to your content

Infrastructure Security

Our platform runs on enterprise-grade cloud infrastructure with SOC 2 Type II certified providers. We leverage the security investments and certifications of industry-leading cloud platforms to deliver a secure, reliable, and performant service.

Our infrastructure partners

  • Application Hosting: SOC 2 Type II certified. Global edge network with automatic failover
  • Database and Auth: SOC 2 Type II certified. EU data residency, encrypted backups
  • AI Processing: SOC 2 Type II certified. Zero data retention for training

  • All infrastructure providers maintain SOC 2 Type II compliance
  • Primary data storage in the European Union with encrypted backups
  • Automated deployment pipeline with integrity verification
  • Continuous monitoring and automated alerting for anomalous activity
  • Health checks and observability across all critical service paths

Deployment Safety and Rollback

When you publish an application through naffe.ai, we take steps to ensure the deployment is safe, reversible, and verified.

  • Every deployment creates a versioned snapshot - you can roll back to any previous version instantly
  • Staging preview lets you see exactly what will go live before publishing
  • Deployment plans are checksummed and verified to prevent tampering between review and publish
  • Backend provisioning uses least-privilege access policies for all database tables and storage

Application Security Practices

Our development practices are designed to prevent common security vulnerabilities and ensure the integrity of the platform.

  • Automated test suite running on every code change through continuous integration
  • Protection against OWASP Top 10 vulnerabilities including injection, XSS, and CSRF
  • No secrets, API keys, or credentials in client-side code - all sensitive operations are server-side
  • Environment-based secret management with strict access controls
  • Dependency monitoring and regular security updates

Compliance and Governance

naffe.ai is operated from Denmark, EU, and is built to comply with major international data protection regulations.

GDPR

Full compliance with the EU General Data Protection Regulation. EU data residency for primary storage. Data Processing Addendum available.

CCPA / CPRA

Compliant with the California Consumer Privacy Act and California Privacy Rights Act. We do not sell or share personal data.

Google API Services

Adherent to the Google API Services User Data Policy, including Limited Use requirements. No Google data used for advertising or training.

Data Residency

Primary database infrastructure located in the European Union. International transfers protected by Standard Contractual Clauses and adequacy decisions.

Data Handling Commitments

  • We never sell your data. Your data is used exclusively to provide the service you requested. Period.
  • No advertising. No tracking. We do not use cookies for advertising, behavioral tracking, or cross-site profiling.
  • Your content belongs to you. Everything you create on naffe.ai is your intellectual property. We claim no ownership rights.
  • Delete anytime. Disconnect a service and tokens are permanently deleted. Delete your account and all data is removed within 30 days.
  • Breach notification. In the unlikely event of a data breach, we will notify affected users and relevant authorities within the timeframes required by GDPR (72 hours).

Responsible Disclosure

We welcome responsible security research. If you discover a potential security vulnerability, please report it to us so we can address it promptly.

Report security issues to:

security@naffe.ai

We will acknowledge receipt within 24 hours and aim to provide an initial assessment within 72 hours.

Last updated: March 2026