Threat Model
Last updated: April 7, 2026
Most products publish a privacy policy. We publish a threat model. This document describes what data NOMARK handles, what could be inferred from it, and what the attack surface looks like if our systems are compromised.
Data Collected by Tier
- Local: Nothing leaves your device. The ledger is a JSONL file on disk. No network calls.
- Free: Email address + signal entries (preferences, corrections, meaning maps). Stored in Supabase PostgreSQL with RLS.
- Pro: Everything in Free + archive sync data (compressed ledger snapshots for cross-device access).
- Team: Everything in Pro + shared baselines and scoped overrides per team member.
What Can Be Inferred from a Preference Ledger
A preference ledger is not conversation text. It is structured metadata about your communication style and work patterns. However, even structured metadata can reveal information:
- Communication style: tone preferences (direct vs. diplomatic), format preferences (bullets vs. prose), length preferences
- Personality traits: correction patterns may reveal decisiveness, attention to detail, communication priorities
- Professional context: scoped overrides reveal that you write differently for investors vs. engineers vs. customers
- Cognitive patterns: meaning maps show how you categorize corrections — what you repeatedly correct reveals what you value
- Tool adoption: import records show which AI platforms you use and how heavily
Attack Surface if Database is Breached
If an attacker gains read access to the Supabase database:
- They would see email addresses and signal entries
- They would NOT see conversation text (never stored)
- They could infer communication style and work patterns from signal data
- Team data would reveal organizational structure and communication norms
Mitigation: RLS policies isolate user data. Each user can only access their own records. Team data is scoped to team membership. No cross-tenant data access is possible through the application layer.
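One way RLS policies of the kind described above can be written, as an added example that is not NOMARK's actual schema or policies. The table and column names (signal_entries, team_members, payload) are assumptions; auth.uid() and the authenticated role are Supabase's own. The final query is a check for tables left without RLS.

```sql
-- Assumed schema (hypothetical, not NOMARK's): each signal row has an owner
-- and an optional team; team_members maps users to teams.
create table team_members (
  team_id uuid not null,
  user_id uuid not null,
  primary key (team_id, user_id)
);
create table signal_entries (
  id      bigint generated always as identity primary key,
  user_id uuid  not null,
  team_id uuid,               -- null for personal entries
  payload jsonb not null
);

-- Policies do nothing until RLS is enabled; FORCE also applies them to the table owner.
alter table signal_entries enable row level security;
alter table signal_entries force  row level security;
alter table team_members   enable row level security;

-- Owner-only read/write: auth.uid() returns the user id from the request's JWT.
create policy signal_owner_all on signal_entries
  for all to authenticated
  using      (user_id = auth.uid())
  with check (user_id = auth.uid());

-- Team-scoped read: visible only if the caller is a member of the row's team.
create policy signal_team_read on signal_entries
  for select to authenticated
  using (team_id is not null and exists (
    select 1 from team_members m
    where m.team_id = signal_entries.team_id and m.user_id = auth.uid()));

-- Callers can see only their own membership rows (also used by the subquery above).
create policy member_self_read on team_members
  for select to authenticated using (user_id = auth.uid());

-- Audit: tables in the public schema with RLS disabled. Expect zero rows.
select c.relname
from pg_class c join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r' and not c.relrowsecurity;
```

These policies constrain queries made with a user's JWT. Roles that bypass RLS, such as Supabase's service_role, are not constrained by them, which is why direct database read access is treated as a separate scenario above.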
Encryption
- In transit: All connections use TLS 1.3. No plaintext transport.
- At rest: Supabase PostgreSQL uses AES-256 encryption at rest.
- What's plaintext: Signal entries are stored as queryable JSONB in PostgreSQL, so they are plaintext to the database itself. They are encrypted at the storage layer.
Sync Protocol
What crosses the wire during sync:
- Compressed signal entries only (~2KB JSONL per user)
- No conversation text — ever
- No raw platform exports — imports are processed locally, only extracted signals are synced
- Sync uses Supabase Realtime over WebSocket with JWT authentication
Data Portability
Export your complete preference ledger as JSONL at any time. The export includes all signal entries, meaning maps, and metadata. The format is documented and machine-readable. Your data is portable — take it to another system, build your own tools on top of it, or delete it entirely.
Account Deletion
Account deletion is atomic. When you delete your account:
- All signal entries are permanently deleted
- All import records are permanently deleted
- All archive snapshots are permanently deleted
- Your auth record is removed from Supabase Auth
- You receive a deletion receipt with a timestamp proving the operation completed
This is hard deletion, not soft-delete. There is no recovery period. If you want to keep your data, export it before deleting your account.
Responsible Disclosure
If you discover a security vulnerability, please report it to security@nomark.ai. We will acknowledge receipt within 48 hours and provide a timeline for resolution. We do not pursue legal action against good-faith security researchers.