Last updated: May 2026
Infrastructure
Nastia operates a distributed inference platform across multiple cloud regions in the United States and the European Union. All customer data is encrypted at rest using AES-256 and in transit using TLS 1.3 or higher. Production workloads are tenant-separated; staging and production environments are fully isolated.
Application security
We follow a secure software development lifecycle. Every change to production code is reviewed by a second engineer before merge. Secrets are managed through a centralized secret store and never committed to source control. Production access is logged and audited.
Identity and access
All employees and contractors use single sign-on with hardware-backed multi-factor authentication. Access to production systems is granted on a least-privilege basis, time-bound, and reviewed quarterly. Offboarding is automated.
Payment processing
All payment processing for Nastia is handled by Stripe Payments Europe Ltd., a PCI DSS Level 1 certified payment processor. Nastia does not store, process, or transmit cardholder data on its own infrastructure. Card details are tokenized at the point of capture and never reach our servers. Refunds and disputes are processed through Stripe.
Data handling and retention
We collect the minimum data necessary to operate the service. Conversation content is encrypted at rest and stored only as long as required to provide continuity to the user. Users may request deletion of their account and all associated data at any time, through their account settings on the consumer product or by writing to [email protected].
Compliance
Nastia is subject to the European Union General Data Protection Regulation (GDPR) and the laws of France, where Nastia Research is registered. We are pursuing SOC 2 Type II certification for our research and infrastructure operations. We do not currently hold a SOC 2 attestation.
Sub-processors
- Stripe Payments Europe Ltd.: payment processing, billing, fraud detection.
- Cloud infrastructure providers: compute, storage, and networking for the inference platform.
- Email and customer support tooling: operational communication, transactional email.
- Analytics and observability tooling: aggregate, anonymized usage analytics; error monitoring.
A complete and current list of sub-processors, including legal entity names and processing locations, is available on request to [email protected].
Vulnerability disclosure
If you believe you have found a security issue affecting Nastia, please write to [email protected]. We respond within two business days and aim to resolve confirmed issues within 30 days. We ask researchers to refrain from public disclosure for a reasonable period to allow for remediation. We do not currently operate a paid bug bounty program but recognize meaningful contributions in our public acknowledgments.
Incident response
We maintain an internal incident response process and notify affected users and applicable regulators in line with GDPR Article 33 in the event of a personal data breach. The team responsible for incident response is on call across European and North American hours.
Questions
For questions about this policy or our security practices in general, please contact [email protected].