Security & Trust

Your private communications deserve serious protection.

Nikki processes some of the most sensitive data you have — your email. Here is exactly how we handle it.

GDPR-first by architecture

AES-256 at rest · TLS 1.2+ in transit · OAuth 2.0 only · GDPR-first architecture · Isolated-per-user data · SOC 2 in progress

Data isolated per-user by design. EU-friendly infrastructure. Every external action logged and guardrailed.

Isolated-per-user data

Each user's data is separated by design and verified by automated IDOR tests on every deployment. No cross-user leakage, by architecture.

AES-256 encryption

OAuth tokens and credentials encrypted at rest.

Full audit trail

Every tool action, API call, and data access logged with correlation IDs.

Server-side guardrails

External actions run through guardrails with dry-run, approval, and undo controls.

LLM API usage

Email content is sent to supported LLM API providers for entity extraction and conversational queries. Under vendor DPAs, data submitted via API is not used to train models and is not retained beyond the request lifecycle. We do not route data to any LLM provider that retains training data.

Compliance

Nikki is built with GDPR as a first-class requirement — data minimization, purpose limitation, and user rights (access, export, deletion) are implemented features, not afterthoughts. SOC 2 Type 1 audit is in progress. Data Processing Agreements (DPAs) are available upon request for EU-based customers.

Data portability

You can export your knowledge graph and account data at any time. We provide exports in machine-readable formats. When you cancel, your data is deleted within 30 days and backup snapshots are purged within 90 days.

Incident response

In the event of a security incident, we will notify affected users within 72 hours of discovery — consistent with GDPR requirements. We maintain an incident response runbook, isolate affected systems immediately, and provide a post-incident report to affected customers within 30 days.

Application security

The Nikki backend enforces protections against common vulnerabilities: SSRF (private/internal URLs are rejected in web fetch tools), graph query injection (entity types validated against enums before graph database interpolation), SQL injection (LIKE wildcards escaped in all search parameters), and rate limiting on authentication endpoints.
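
One way to implement the SSRF check described above, as an added example that is not Nikki's own code. Python, the function names, and the sample hostnames and addresses in the test data are all assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http": 80, "https": 443}  # scheme -> default port

def system_resolve(host, port):
    """Every address the OS resolver returns for host (needs network/DNS)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def is_public_ip(addr):
    """True only for globally routable addresses."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.1) by the IPv4 address inside it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global

def check_fetch_url(url, resolve=system_resolve):
    """Return (True, vetted_addresses) or (False, reason)."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal IP: no lookup needed
    except ValueError:
        try:
            addrs = resolve(host, port or ALLOWED_SCHEMES[parts.scheme])
        except OSError:
            return False, "DNS resolution failed"
    # Reject if ANY record is internal, so a mixed answer cannot slip through.
    if not addrs or not all(is_public_ip(a) for a in addrs):
        return False, "resolves to a private or internal address"
    return True, addrs
```

The fetch itself should connect to one of the returned addresses rather than resolving the hostname a second time, and every redirect target needs the same check before it is followed.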

TLS in transit

All traffic between browsers, backend services, and downstream providers is encrypted with TLS 1.2+. OAuth 2.0 is the only supported authorization mechanism for third-party data sources — Nikki never sees or stores your provider passwords.

Responsible disclosure

If you discover a security vulnerability in Nikki, we want to hear from you. We commit to acknowledging your report within 48 hours, working with you to understand and validate the issue, and fixing confirmed vulnerabilities promptly.

Please do not publicly disclose vulnerabilities before giving us a reasonable opportunity to respond. We will not take legal action against researchers who act in good faith.

Report a vulnerability — [email protected]

Security questions?

If you have specific compliance requirements, need a DPA, or want to discuss our security posture before signing up — reach out directly.