Security

Read-only access.
Sovereign by design.

NOFire reads. It does not write. Customer data is processed inside your VPC, the Context & Control Model never leaves your control plane, and every autonomous action is bound to a policy you wrote.

AICPA
SOC 2
Type II · ready
GDPR
EU · UK
Enterprise-grade security

Independently verified, top to bottom.

Layered controls across encryption, infrastructure, identity, and process. Audited annually; reports available under NDA.

SOC 2 Type II ready

Audit-ready against the SOC 2 Type II framework: security, availability, and confidentiality. Report in flight.

Request status →
GDPR & UK GDPR

Standard DPA, SCCs, and a published sub-processor list. EU and UK data residency.

Request DPA →
Audit logs

Immutable, tamper-evident logs of every action. Streamed to your SIEM as signed receipts.

Encryption

TLS 1.3 in transit. AES-256 at rest. Customer-managed keys via KMS on Enterprise.

Sub-processors

A short, published list of vendors. We notify you 30 days before adding a new one.

Deployment

SaaS, or run it inside your own cloud.

Same product. Same controls. Choose the boundary that fits your security posture.

NOFire CloudSaaS

Multi-tenant SaaS hosted by NOFire. Fastest path to value.

  • Region-bound (US, EU)
  • Tenant-isolated data planes
  • Customer-managed keys (Enterprise)
  • SOC 2 Type II ready · GDPR
Bring your own cloudBYOC

NOFire Edge runs inside your VPC. Your data and the Context & Control Model never leave your network.

  • Deploys via Terraform / Helm
  • Private connections only, no inbound
  • Customer KMS & private registry
  • Air-gapped option on Enterprise
Identity & access

Bound to your IdP. Scoped to the work.

Every operator and every agent is identified, scoped, and auditable. Bring your existing identity provider.

SSO & SAML

Okta, Google, Azure AD, Auth0, OneLogin, Ping. SCIM provisioning included.

Role-based access

Map IdP groups to scoped roles. Read, query, propose, act: separate permissions.

Policy-bound action

OPA-style policies gate every autonomous action. Scope by service, env, and condition. Signed audit & runtime enforcement patterns →

Session controls

Configurable session lifetimes, IP allowlists, and just-in-time elevation for sensitive scopes.

Data & privacy

Designed to use your data without compromising it.

Read-only by default. PII redacted before it reaches the model. Your data is never used to train cross-customer systems.

Read-only access

Scoped read against tracing, metrics, logs, and Kubernetes APIs. No write tokens. Ever.

PII redaction

Pattern-based redaction for emails, tokens, and secrets. Allowlists configurable per connection.

No model training

Your data is never used to train, fine-tune, or improve any cross-customer model.

Tenant isolation

Per-tenant Context & Control Model. No data, embeddings, or schemas are shared across customers.

Talk to security.
Bring your questionnaire.

Book a demo