Security & Compliance

Your data security is our top priority. Learn how we protect your information.

Our Security Commitment

At NeuraNote (operated by XALTRAX INC.), we implement enterprise-grade security measures to protect your personal information and study materials. We understand that your educational content is sensitive and confidential.

We follow industry best practices, maintain compliance with major privacy regulations, and continuously monitor our systems for potential vulnerabilities.

End-to-End Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption

Secure Data Storage

Your files are stored on MongoDB Atlas and Cloudflare R2 with enterprise security controls

Privacy by Design

Your study materials never train external AI models. We use AI only for inference.

Infrastructure Security

Hosted on Vercel with DDoS protection, rate limiting, and automated backups

Access Controls

Multi-factor authentication, role-based access, and principle of least privilege

Regular Audits

Continuous security monitoring, penetration testing, and vulnerability assessments

Technical Security Measures

Encryption

  • In Transit: TLS 1.3 encryption for all data transmission
  • At Rest: AES-256 encryption for stored documents and databases
  • Key Management: Secure key rotation and hardware security modules (HSM)

Authentication & Authorization

  • Industry-leading authentication via Clerk with OAuth 2.0 support
  • Multi-factor authentication (MFA) available for all accounts
  • Session management with automatic timeout and secure token storage
  • Role-based access control (RBAC) for team features

Infrastructure Security

  • Hosted on Vercel's global edge network with built-in DDoS protection
  • Cloudflare CDN for additional security and performance
  • Automated backups every 24 hours with point-in-time recovery
  • Container isolation for worker processes handling document processing
  • Rate limiting and IP-based throttling to prevent abuse

Application Security

  • Input validation and sanitization to prevent injection attacks
  • Content Security Policy (CSP) headers to prevent XSS
  • CSRF protection on all state-changing operations
  • Secure file upload validation (type, size, malware scanning)
  • Regular dependency updates and vulnerability patching

Compliance & Certifications

Privacy Regulations

  • GDPR (EU): Full compliance with General Data Protection Regulation
  • CCPA (California): California Consumer Privacy Act compliance
  • FERPA (Education): Family Educational Rights and Privacy Act considerations for educational institutions
  • COPPA: Children's Online Privacy Protection Act compliance for users under 13

Industry Standards

  • SOC 2 Type II audit in progress (expected Q2 2026)
  • OWASP Top 10 security best practices implemented
  • ISO 27001 information security management framework
  • PCI DSS compliance through Stripe for payment processing

Third-Party Security

We only work with security-certified vendors:

  • Clerk: SOC 2 Type II certified authentication
  • Stripe: PCI Level 1 certified payment processing
  • MongoDB Atlas: SOC 2, ISO 27001, HIPAA compliant
  • Cloudflare: ISO 27001, SOC 2, PCI DSS certified
  • Vercel: SOC 2 Type II, ISO 27001 certified

Data Handling & Privacy

What We Collect

  • Account information (name, email) via Clerk
  • Documents and content you upload
  • Usage analytics and feature interaction data
  • Payment information (processed and stored by Stripe only)

What We DON'T Do

  • We never train AI models on your private documents
  • We never sell your data to third parties
  • We never share your content with other users
  • We never use your data for advertising

Data Retention & Deletion

  • Active accounts: Data retained while account is active
  • Deleted accounts: Personal data and uploads deleted within 30 days
  • Backups: Securely overwritten within 90 days
  • Billing records: Retained for 7 years for tax compliance

You can request data deletion at any time from your account settings or by contacting hello@xaltrax.com.

Incident Response

In the unlikely event of a security incident, we have a comprehensive response plan:

  • Detection: 24/7 automated monitoring and alerting
  • Response: Immediate containment and investigation
  • Notification: Affected users notified within 72 hours per GDPR requirements
  • Resolution: Root cause analysis and preventive measures
  • Transparency: Public disclosure if appropriate

Report security vulnerabilities to security@xaltrax.com. We appreciate responsible disclosure and will respond promptly.

Questions About Security?

We're transparent about our security practices. If you have questions or concerns, we're here to help.