Security at NOMARK

Architecture

• ✓Local-first processing. The engine runs on your device. Preference resolution happens in-process — no API calls to NOMARK servers.
• ✓Bring Your Own Model. NOMARK is orthogonal to the model. It works with Claude, GPT, Gemini, Llama, or local models. We never see your prompts or outputs.
• ✓Compressed signal sync only. When cloud sync is enabled, only structured preference data (~2KB JSONL) is transmitted. No conversation text. No raw platform exports.
• ✓TLS 1.3 + AES-256. All data encrypted in transit and at rest.

Open Source

The NOMARK Engine is open source under Apache 2.0. You can audit every line of code that processes your preference data. The engine runs locally — you don't have to trust our servers because your data never leaves your machine unless you opt in.

Threat Model

We publish a full threat model — not just a privacy policy. It describes what data we handle, what could be inferred from it, the attack surface if our systems are compromised, and our encryption and sync protocols.

Responsible Disclosure

If you discover a security vulnerability in NOMARK, we want to hear from you. Please report it responsibly:

• Email security@nomark.ai with details
• We will acknowledge receipt within 48 hours
• We will provide a timeline for investigation and resolution
• We do not pursue legal action against good-faith security researchers
• We will credit you in the fix disclosure (if you want)

Compliance

SOC 2 Type II certification is planned but not yet achieved. We are honest about where we are: early-stage, building in public, security-first by architecture rather than by audit trail. Enterprise plans will include SOC 2 reports when available.