Your data, your reviews, your brand voice. Yours.
We use industry-standard security measures to protect customer data, including encryption in transit and access controls, and we review and improve our security program continuously. Here is what we do, what we do not do, and who to contact if something goes wrong.
What we never do
We never sell your data.
Not to advertisers. Not to data brokers. Not to anyone. Your reviews, brand voice, and ranking history stay yours.
We never train public AI models on your reviews.
Your brand voice, your customer feedback, your draft replies: none of it leaves your account to train models that other customers benefit from.
We never access your customer database.
Nira pulls only public review data from public platforms. No POS integration, no customer email lists, no CRM access required.
We never read replies you did not approve.
If you turn off auto-response, every reply waits for your approval. Nothing publishes without you.
How we protect your data
- Encryption in transit: Connections to Nira use modern TLS to encrypt data on the wire.
- Storage protections: Customer data is stored on managed infrastructure and is encrypted at rest by our hosting provider.
- Secrets management: Production secrets (API keys, database credentials, payment tokens) are stored in a managed secrets vault and rotated on a regular schedule and whenever team membership changes.
- Environment separation: Production, staging, and development environments are kept separate, and production data is never used in non-production environments.
- Audit logs: Meaningful account actions (review approvals, settings changes, billing events, account access) are logged with timestamps and user identifiers for review.
- Least-privilege access: Internal access to customer data is limited to a small number of engineers and protected by multi-factor authentication.
Infrastructure
- Cloud provider: Nira runs on enterprise-grade cloud infrastructure deployed across redundant availability zones. Database backups are encrypted and tested regularly.
- Payment processing: All billing is handled by a PCI DSS Level 1 certified payment processor. Card numbers never touch Nira's servers.
- Identity: Login uses industry-standard authentication. Optional single sign-on (SSO) and multi-factor authentication (MFA) are available for organizations on Scale.
- DDoS and abuse protection: Edge filtering and rate limiting are applied to all public endpoints.
Compliance posture
We are building our security program using widely accepted best practices. We are not currently certified under SOC 2, ISO 27001, or HIPAA. The points below describe how we approach common compliance frameworks today.
- SOC 2: Readiness practices (access controls, change management, monitoring, vendor review) are on our internal roadmap. We will publish updates as our program matures.
- GDPR / UK GDPR: We honor data subject access, correction, export, and deletion requests for users in the EU, EEA, and UK within the regulatory timeline.
- CCPA / CPRA: We honor the same rights for California residents. We do not sell or share personal information as those terms are defined under the CCPA.
- HIPAA: Nira is not HIPAA compliant and is not designed to receive Protected Health Information (PHI). If you are a covered entity, do not submit PHI through Nira.
Incident response
If we discover a security incident affecting your data, we will:
- Notify you within 72 hours of confirming the incident, in accordance with regulatory requirements and our internal policy.
- Investigate the root cause and document findings.
- Remediate the vulnerability and verify that the fix prevents recurrence.
- Publish a blameless postmortem for major incidents and share it with affected customers directly.
Reporting a vulnerability
If you believe you have found a security vulnerability in Nira, email security@niralabs.ai with details, including reproduction steps, affected URLs or endpoints, and your contact information. We respond to every report within 48 hours and work with researchers in good faith; we do not pursue legal action against researchers who act in good faith under our responsible disclosure terms.
Data subject rights
You can request a copy of your data, correction of inaccurate data, or deletion of your data at any time by emailing privacy@niralabs.ai. We respond within 30 days for standard requests and faster for urgent ones.
What stays in the account, what leaves
- Stays: Your reviews, brand voice samples, draft replies, ranking history and tracked keywords, dashboard data, billing history.
- Leaves only when you publish: Approved reply text is posted to the third-party platform you authorized (Google, Yelp, etc.) under your account.
- Leaves to support operations: Anonymized, aggregate metrics for our own service performance monitoring (latency, error rates), with no customer-identifiable data.
- Never leaves: Anything else.
Security questions?
Email security@niralabs.ai. We answer every email within one business day.