Trust
Security
NurseAndrea stores sensitive telemetry data. We treat security as a core responsibility.
Infrastructure
NurseAndrea runs on Railway (SOC 2 Type II certified). Physical security, automated DDoS protection, and regular third-party audits are provided by Railway at the infrastructure level. Production and staging environments are network-isolated. All production secrets are stored in Railway's encrypted environment variable store.
Data encryption
All data in transit is encrypted using TLS 1.3. All data at rest is encrypted using AES-256. Database backups are encrypted before being written to storage.
Authentication and access control
NurseAndrea uses passwordless authentication only: magic links and Google OAuth. There are no password hashes to steal. Session tokens are 256-bit random values stored in cookies with the HttpOnly and Secure attributes. Team member access is restricted to the @ago-ai.com domain at the authentication layer. Administrative access to production requires MFA.
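The sketch below is an added example, not NurseAndrea's code, showing the shape of the controls described above in Ruby: a magic-link token and a session token that are each 32 random bytes (256 bits), stored server side only as SHA-256 digests, a magic link that is single-use and expires, a session cookie carrying HttpOnly and Secure, and a Google OAuth identity accepted only when its verified email and `hd` (hosted domain) claim both match the team domain. The 15-minute link lifetime, the in-memory store, and all method names are assumptions for illustration.

```ruby
require "securerandom"
require "openssl"
require "time"

# Added example: passwordless sign-in primitives. Not NurseAndrea's code.
module PasswordlessAuth
  TEAM_DOMAIN      = "ago-ai.com"   # the domain named on the page
  LINK_TTL_SECONDS = 15 * 60        # assumption: magic links live 15 minutes

  # Tokens are stored hashed, so a read-only leak of the store does not yield
  # usable credentials; the raw token exists only in the emailed link or cookie.
  def self.digest(token)
    OpenSSL::Digest::SHA256.hexdigest(token)
  end

  # Hypothetical in-memory store standing in for two database tables.
  class Store
    attr_reader :links, :sessions
    def initialize
      @links    = {}  # digest => { email:, expires_at:, used: }
      @sessions = {}  # digest => { email:, created_at: }
    end
  end

  # Issue a magic link: 32 random bytes = 256 bits of entropy, hex-encoded.
  def self.issue_magic_link(store, email, now: Time.now)
    token = SecureRandom.hex(32)
    store.links[digest(token)] = { email: email, expires_at: now + LINK_TTL_SECONDS, used: false }
    token
  end

  # Redeem a link. Returns the email on success, nil for an unknown, expired
  # or already-used token. Lookup is by digest, so the secret is never compared
  # directly and the same nil is returned for every failure mode.
  def self.redeem_magic_link(store, token, now: Time.now)
    record = store.links[digest(token.to_s)]
    return nil if record.nil? || record[:used] || now > record[:expires_at]
    record[:used] = true   # single use: a replayed link fails
    record[:email]
  end

  # Google OAuth: accept only a verified address in the team domain, and require
  # the ID token's `hd` claim (set for Workspace accounts) to agree with it.
  def self.team_member?(claims)
    return false unless claims["email_verified"] == true
    domain = claims["email"].to_s.downcase.split("@", 2)[1]
    domain == TEAM_DOMAIN && claims["hd"].to_s.downcase == TEAM_DOMAIN
  end

  # Create a session; only the digest of the session token is kept server side.
  def self.create_session(store, email, now: Time.now)
    token = SecureRandom.hex(32)
    store.sessions[digest(token)] = { email: email, created_at: now }
    token
  end

  # Cookie attributes: HttpOnly keeps the token away from scripts, Secure keeps
  # it off plaintext connections, SameSite=Lax blunts cross-site request forgery.
  def self.session_cookie(token)
    "session=#{token}; Path=/; HttpOnly; Secure; SameSite=Lax"
  end

  def self.session_email(store, token)
    record = store.sessions[digest(token.to_s)]
    record && record[:email]
  end
end
```

The domain check splits on the first `@` and compares the full remainder, so `dev@ago-ai.com.example` is rejected; checking `email.end_with?("ago-ai.com")` would not be.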
Application security
Automated static analysis (Brakeman) runs on every code change. Dependency vulnerability scanning (bundler-audit) runs on every build. All database queries are parameterised. Content Security Policy headers are applied to all responses. Authentication endpoints are rate-limited.
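The rate limiting mentioned above is the one control in this list that is easy to show in code. The following is an added example in Ruby, not NurseAndrea's code: a sliding-window limiter applied to a hypothetical magic-link request handler. It limits two keys at once, the client IP (so one host cannot hammer the endpoint) and the target email (so a victim's inbox cannot be flooded from many hosts), and it answers identically for known and unknown addresses so the endpoint does not reveal which emails have accounts. The limits, window, response bodies and the handler itself are assumptions.

```ruby
# Added example: rate limiting on an authentication endpoint. Not NurseAndrea's code.
class SlidingWindowLimiter
  def initialize(limit:, window_seconds:)
    @limit  = limit
    @window = window_seconds
    @events = Hash.new { |h, k| h[k] = [] }   # key => request timestamps, oldest first
  end

  # Record a request for +key+ and return true if it is within the limit.
  # Refused requests are not recorded, so a retrying client does not push
  # its own window further into the future.
  def allow?(key, now)
    stamps = @events[key]
    stamps.shift while stamps.any? && stamps.first <= now - @window
    return false if stamps.size >= @limit
    stamps << now
    true
  end

  # Seconds until the oldest in-window request ages out; 0 if not limited.
  def retry_after(key, now)
    stamps = @events[key]
    return 0 if stamps.size < @limit
    (stamps.first + @window - now).ceil
  end
end

class MagicLinkEndpoint
  # One response for every accepted request, whether or not the address exists.
  ACCEPTED = { status: 202, body: "If that address has an account, a sign-in link is on its way." }.freeze

  # Assumed limits: 5 links per address and 30 requests per IP, per 15 minutes.
  def initialize(known_emails, deliver:)
    @known     = known_emails
    @deliver   = deliver
    @per_email = SlidingWindowLimiter.new(limit: 5,  window_seconds: 900)
    @per_ip    = SlidingWindowLimiter.new(limit: 30, window_seconds: 900)
  end

  def request_link(ip:, email:, now: Time.now.to_f)
    email = email.strip.downcase
    # The IP hit is recorded even if the email limit then refuses: it was
    # still a request from that client.
    ip_ok    = @per_ip.allow?(ip, now)
    email_ok = @per_email.allow?(email, now)
    unless ip_ok && email_ok
      wait = [@per_ip.retry_after(ip, now), @per_email.retry_after(email, now)].max
      return { status: 429, retry_after: wait }
    end
    # Deliver only to known addresses, but never say which ones those are.
    @deliver.call(email) if @known.include?(email)
    ACCEPTED
  end
end
```

In production the timestamp lists would live in a shared store (Redis or the database) rather than process memory, otherwise each application instance enforces its own independent limit.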
Log data isolation
All telemetry is scoped by account. One account cannot access another's data. API tokens are account-scoped. All database queries are tenant-scoped at the application layer.
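As an added example (not NurseAndrea's code), the following Ruby models the isolation rules above with a hypothetical in-memory store: an API token resolves to exactly one account, and every telemetry lookup goes through a scope bound to that account, so a record id belonging to another tenant is simply not found. The unscoped lookup is included only to make the contrast visible; it is the query shape a tenant-scoped application must not expose to request handlers. The token prefix, store and method names are assumptions.

```ruby
require "securerandom"
require "openssl"

# Added example: account-scoped API tokens and tenant-scoped queries. Not NurseAndrea's code.
class TelemetryStore
  Record = Struct.new(:id, :account_id, :payload)

  # A Scope is the only handle a request handler should hold: it cannot
  # express a query without the account predicate.
  class Scope
    attr_reader :account_id

    def initialize(store, account_id)
      @store      = store
      @account_id = account_id
    end

    def find(id)
      @store.query(account_id: @account_id, id: id).first
    end

    def all
      @store.query(account_id: @account_id)
    end

    def insert(payload)
      @store.insert(@account_id, payload)
    end
  end

  def initialize
    @records = []   # stands in for a telemetry table
    @tokens  = {}   # SHA-256(api token) => account_id
  end

  # API tokens are random, bound to one account, and stored only as a digest.
  def issue_api_token(account_id)
    token = "na_" + SecureRandom.hex(24)   # "na_" prefix is an assumption
    @tokens[digest(token)] = account_id
    token
  end

  # Resolve a bearer token to a scope for its account, or nil if unknown.
  def scope_for(token)
    account_id = @tokens[digest(token.to_s)]
    account_id && Scope.new(self, account_id)
  end

  # Tenant-scoped query: account_id is always part of the predicate, so a
  # foreign id yields nothing rather than a record that must then be checked.
  def query(account_id:, id: nil)
    @records.select { |r| r.account_id == account_id && (id.nil? || r.id == id) }
  end

  def insert(account_id, payload)
    rec = Record.new(@records.size + 1, account_id, payload)
    @records << rec
    rec.id
  end

  # Unscoped lookup by id: the insecure-direct-object-reference shape. Shown
  # for contrast; a scoped application has no caller for this.
  def find_unscoped(id)
    @records.find { |r| r.id == id }
  end

  private

  def digest(token)
    OpenSSL::Digest::SHA256.hexdigest(token)
  end
end
```

Putting the account predicate in the query itself, rather than fetching by id and checking ownership afterwards, means a forgotten check cannot leak a record: the record is never loaded in the first place.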
Incident response
In the event of a security incident affecting your data, we will: notify you within 72 hours of becoming aware of it, the same window GDPR Art. 33 sets for notifying the supervisory authority; provide a summary of what happened and what steps we have taken; and publish a post-mortem within 14 days for any incident affecting production data.
Responsible disclosure
If you discover a vulnerability, email security@nurseandrea.io. Please give us reasonable time to investigate before public disclosure, avoid accessing data belonging to other users, and avoid degrading service availability.
We acknowledge reports within 48 hours. We do not pursue legal action against researchers acting in good faith.
Penetration testing
We conduct penetration testing at least annually by an independent third-party firm. All critical and high-severity findings are remediated before the next test cycle. Summaries are available to Enterprise customers under NDA.
Contact
security@nurseandrea.io
Ago AI LLC, London, United Kingdom