Security
Security Overview
Last updated: July 6, 2026
This document describes how Nudgy protects the documents and account data you entrust to it. It is written for the person doing the security review — the IT lead, the CISO, the vendor-risk analyst — and it favors specifics over reassurance: concrete architecture, named providers, and exact access scopes.
It reflects the current, shipped product. Deeper artifacts — architecture diagrams, our subprocessors' own SOC 2 / ISO reports, signed DPAs, and completed security questionnaires (SIG, CAIQ, or your own) — are available under NDA. Email contact@nudgy.ca to request them.
1. What Nudgy is, in security terms
Nudgy is a cloud-hosted service that cross-references construction drawing revisions against a project specification and returns cited findings. In data terms, you connect two kinds of document — a specification PDF and drawing PDFs — and Nudgy produces a third artifact: a permanent, citation-backed audit record. Everything below is about how those documents move, where they rest, who can reach them, and what leaves our control.
The service runs entirely in managed cloud infrastructure. There is no Nudgy agent installed on a workstation, no browser extension, and no dependency on any individual's machine — a running audit does not touch, and cannot be interrupted by, an employee's laptop.
2. Architecture at a glance
Nudgy is composed of a small number of managed services, each with a single job. None of them holds your documents outside the boundaries described here.
- Application (Vercel). Serves the web app and the API your browser talks to. It holds request traffic and session data, not your document stores.
- Database, file storage, and authentication (Supabase). A managed PostgreSQL database (with the pgvector extension for the spec index), private file storage for your PDFs, and the identity provider for sign-in.
- Document-processing workers (Railway). Isolated workers that extract schedule tables from drawings and run the audit. They read a file from storage, process it, and discard their working copy.
- Job queue (Railway Redis). Coordinates audit jobs between the app and the workers. It carries job references, not document contents.
- AI providers (Anthropic and Voyage AI).Anthropic's Claude models perform the audit reasoning; Voyage AI produces the embeddings used to retrieve relevant spec sections. Both are used under commercial API terms — see section 9.
- Email (Resend). Sends transactional and authentication email only (sign-in, password reset). It never receives your documents.
- Microsoft Graph (optional). If you choose to add files from Microsoft 365, a read-only Graph connection fetches only the files you pick — see section 4.
The authoritative, living list of these providers, the data each handles, and where it processes that data is maintained on our Subprocessors page.
3. The document lifecycle
Following a single document from arrival to rest is the clearest way to understand the security model.
- Add. A project owner uploads a PDF, or picks one from OneDrive/SharePoint through the read-only Microsoft 365 picker. In either case the file is written directly to a private storage bucket scoped to your organization.
- Index (spec only). A worker reads the specification, splits it by CSI section, generates embeddings, and stores the indexed text in the database against your organization. The spec is indexed once and reused by every audit on that project.
- Audit (drawings). When a drawing revision is added, a worker downloads a transient working copy, extracts the schedule tables, retrieves the relevant spec sections, and submits that text to the audit model. The working copy on the worker is deleted as soon as the job finishes.
- Report. The findings — each with a severity, an explanation, and a citation to the exact spec clause — are written to the database and shown in the app.
- Retain.The specification, the drawing, and the findings are kept in your organization's private storage as the audit trail. This retention is deliberate: in a liability-exposed industry, a finding is only defensible if you can later prove exactly which document version was checked. See section 10 for deletion.
4. Microsoft 365 access
Connecting Microsoft 365 is optional; you can also upload PDFs directly. If you do connect it, the access is deliberately minimal.
Read-only, and only what you pick
Nudgy requests a single content scope — Files.Read.All — alongside the standard sign-in scopes needed to identify you. It reads only the specific files a project owner selects in the picker. There is no code path in Nudgy that writes, moves, renames, or deletes a file in your tenant, and no scope that would permit it.
No stored credentials, no long-lived server token
Authentication uses Microsoft's OAuth flow. Nudgy never sees or stores your Microsoft password. The access token lives only in your browser session and expires on Microsoft's schedule (typically within about a day); nothing is persisted on our servers. Your administrator can revoke Nudgy's access at any time from the Microsoft 365 admin center, in a single action.
What Nudgy does not do
Nudgy does not watch folders, subscribe to change notifications, or send Teams or email notifications from your tenant — it reads a file only when a user selects it. Any optional capability that changed this would require additional scopes and a server-side token, and this document, our Privacy Policy, and our subprocessor list would be updated before it took effect.
5. What we store, and what we do not
Data we store
- Specification and drawing PDFs you add to a project.
- The indexed spec text and its embeddings, used for retrieval.
- Findings, severities, citations, and the audit record for each run.
- Account and organization data: name, work email, organization membership, and authentication records.
- Standard operational metadata: request logs, timestamps, and job status.
Data we do not store
- Your Microsoft password or any long-lived Microsoft credential.
- Files you did not explicitly select or upload — Nudgy never scans your wider drive or tenant.
- Payment card numbers. Any future billing is handled by a PCI-compliant payment processor; card data does not touch Nudgy's systems.
- Your documents inside any AI provider for training — see section 9.
6. Encryption
Data is encrypted in transit and at rest using current industry standards, inherited from our infrastructure providers.
- In transit. All traffic — browser to app, app to database, worker to AI provider — travels over TLS (HTTPS). Nudgy does not expose any plaintext endpoint.
- At rest.Documents in storage and records in the database are encrypted at rest by the provider (AES-256), with keys managed by the provider's key-management service.
- Secrets.API keys and service credentials are held in the deploy platforms' encrypted secret stores and injected as environment variables at runtime. They are never committed to source control.
7. Tenant isolation and access control
Nudgy is multi-tenant, and keeping one customer's data invisible to every other customer is a first-order design constraint, not an add-on.
- Every stored record — spec text, findings, audit runs, files — carries the owning organization identifier, and further a project identifier. A given team sees its projects and nothing else.
- Isolation is enforced on everyread and write by the application's authorization layer, which scopes each query to the authenticated organization before any data is returned.
- File storage buckets are private. Documents are never publicly reachable; access is granted only through short-lived, signed URLs issued to an authorized session.
8. Authentication and accounts
Sign-in is handled by our managed identity provider (Supabase Auth) over email-based authentication. Sessions are cookie-based and expire; signing out invalidates the session. Access to a project's data requires membership in the owning organization, and platform-operator views (such as cost and usage) are gated separately so that they are never exposed to a customer's own administrators.
Where you connect Microsoft 365, that is a separate, read-only OAuth authorization layered on top of your Nudgy account, as described in section 4.
9. AI processing and your data
This is the section most reviewers care about, so it is the most explicit.
Who sees what
To run an audit, Nudgy submits the relevant specification text and the extracted schedule text to Anthropic (the Claude models, for the audit reasoning) and specification text to Voyage AI (for the embeddings that power retrieval). Only the text needed for the task is sent; the models return findings and vectors respectively.
Not used for training
Both providers are engaged under their commercial API terms. Under those terms, the content Nudgy submits is not used to train their models. Providers may retain content transiently to return a result and, in limited cases, for a short abuse-monitoring window defined by their terms; it is not incorporated into model training. We link to each provider's current terms from our Subprocessors page so you can verify this against the source.
Findings are grounded, and are not a substitute for review
Findings cite the specific spec clause they rest on, and the app displays the retrieved source text so you can check the citation against the document itself rather than trusting a paraphrase. Even so, Nudgy is an assistive tool: its findings are a second pass, not a stamped professional certification, and are not a substitute for review by a qualified professional. This is stated in our Terms of Service and it is a deliberate part of the security and liability posture, not a disclaimer of convenience.
10. Data retention and deletion
Documents and findings are retained as the project's audit trail for as long as your account is active, because the value of the record is that it persists. You remain in control of it:
- You can request deletion of a specific document, project, or your entire organization's data by emailing us; we will action it and confirm.
- On account termination, we delete or return your Customer Content in accordance with the Data Processing Agreement.
- Where a document is replaced (for example, a spec addendum), the prior version is preserved as an immutable earlier version rather than overwritten — so the trail of what was audited against what remains intact.
If you have a legal-hold or defined-retention requirement of your own, tell us during onboarding and we will align to it.
11. Data residency and international transfers
Nudgy's primary data store — your documents, the spec index, and audit records — runs in the United States, in Supabase's AWS US East region (Northern Virginia). The document-processing workers and the AI providers also operate in the United States, and the application is delivered over a global edge network. Files you keep in Microsoft 365 remain in your own tenant's region and are read from there. Because some processing occurs outside your country of residence, cross-border transfers of personal data are governed by the safeguards in our Privacy Policy and DPA, including the Standard Contractual Clauses where applicable. If you have a specific data-residency requirement, raise it with us — we can tell you exactly where your project's data would sit and discuss options.
12. Backups and continuity
The managed database is backed up automatically by the provider, and file storage is redundantly held. We rely on these providers' durability and recovery guarantees — which we are happy to share — and can align to specific recovery-time and recovery-point (RTO/RPO) commitments where an engagement requires them.
13. Secure development and change management
- Production is deployed to managed cloud infrastructure (Vercel and Railway), independent of any developer's machine.
- Secrets are stored in the deploy platforms' encrypted secret managers, never in code or in the repository.
- Database schema changes are applied as versioned, ordered migrations, so the production schema is reproducible from source.
- We upgrade underlying libraries deliberately, exercising the full pipeline before release, rather than blindly.
14. Vulnerability management and testing
We have conducted an internal security review of the multi-tenant boundaries and data-access paths, and we can arrange a deeper third-party review under NDA where an engagement requires it. If you believe you have found a security issue, please report it to contact@nudgy.ca — we take responsible disclosure seriously and will acknowledge promptly.
15. Logging, monitoring, and the audit trail
Every audit is recorded append-only: which drawing revision was checked, which spec version it was checked against, every finding with its severity and citation, and who ran it and when. That record is immutable after the fact — it is the product's core promise, and it doubles as a security-relevant, tamper-evident history of activity on your data. Operational logs (request and job metadata) are retained for troubleshooting and monitoring.
16. Incident response and breach notification
If we become aware of a personal-data breach affecting your Customer Content, we will notify you without undue delay in accordance with our Data Processing Agreement, with the information you need to meet your own obligations, and we will work with you on containment and remediation. Our security contact for all matters is contact@nudgy.ca.
17. Personnel and operational security
Access to production systems is limited to the people who operate them, on a least-privilege basis, through the infrastructure providers' own consoles and authentication, and is removed when it is no longer needed. We do not sell customer data, and we do not use it for any purpose other than providing the Service to you.
18. Subprocessors
Nudgy relies on the subprocessors listed on our Subprocessors page, each engaged under contract with data-protection and confidentiality obligations no less protective than those we owe you. We update that page, and its date, before a new subprocessor begins processing personal data, and you can subscribe to be notified of changes.
19. Compliance and certifications
Nudgy itself is not SOC 2 or ISO 27001 certified. It runs on infrastructure that is — Vercel, Supabase, Microsoft, and Anthropic all maintain SOC 2 and/or ISO 27001 programs — and we can provide those providers' attestation reports for your file. If your procurement requires Nudgy's own certification, tell us and we will talk through what you need.
We operate under Canadian privacy law (PIPEDA), with Manitoba, Canada as the governing jurisdiction, and we offer a Data Processing Agreement that addresses GDPR-style obligations, including the Standard Contractual Clauses for international transfers, for customers who need one.
20. Business continuity and vendor risk
Reasonable questions about what happens when something goes wrong upstream:
If a subprocessor has an outage
An outage at a processing or AI provider pauses new audits; it does not expose or lose your stored documents, which remain in encrypted storage. Audits resume when the provider recovers, and a stuck job is swept to a failed state rather than left hanging, so nothing runs indefinitely.
If a subprocessor has a breach
Our exposure is limited by data minimization — the AI providers receive only the text needed for a task and retain it only transiently, and email never carries documents. If a subprocessor notified us of a breach affecting your data, we would treat it under our incident-response process in section 16.
If Nudgy is acquired or winds down
Your Customer Content remains yours. In an acquisition, the Privacy Policy travels with the data and any material change is notified. In a wind-down, you would be given the opportunity to retrieve your documents and audit records before deletion. You are never locked in: the source documents are your own PDFs, and we can provide your audit records on request.
21. Detailed questions — including the ones rarely asked
Do you train any AI model on our specifications or drawings?
No. The AI providers are used under commercial API terms that exclude your content from model training, and Nudgy itself does not train models on your documents. Your content is used to produce your audits — nothing else.
Can a Nudgy employee read our specifications?
Access to production data is restricted to the operators who run the system, on a least-privilege basis and under confidentiality obligations, for purposes such as support and troubleshooting. We do not browse customer documents, and we do not use them for anything other than delivering the Service to you.
What actually happens to the temporary copy a worker downloads?
The processing worker writes the file to a temporary location, extracts what it needs, and deletes that working copy when the job finishes — including if the job fails. The retained copy of the document lives only in your organization's private storage bucket, as the audit trail.
Could another customer ever see our data through a shared model or index?
No. The spec index is stored per organization and retrieval is scoped to your organization's data on every query. The AI models are stateless between requests — they do not carry one customer's content into another customer's audit.
What if the audit cites a spec clause that does not exist, or misreads one?
Findings display the retrieved source text and the exact section reference so a false or mismatched citation is visible on inspection rather than hidden. This is why Nudgy is positioned as a second pass for a qualified reviewer, not an unattended authority. If a drawing page cannot be read reliably — a scanned or image-only sheet — Nudgy flags it on the report rather than silently skipping it.
Do you store our Microsoft or Google password?
No. Microsoft 365 uses OAuth; we never receive your password, only a short-lived, read-only access token held in your browser session. Nudgy does not integrate with Google Workspace for file access.
Can we get a copy of our data, or delete all of it?
Yes to both. You can request a copy of your documents and audit records, and you can request deletion of a document, a project, or your entire organization. Email us and we will action and confirm it.
What happens if you receive a government or legal request for our data?
We would evaluate any such request against applicable law, and, unless legally prohibited, notify you so you can respond or object. We do not volunteer customer data.
Is your encryption going to hold up over time?
We use current industry-standard TLS in transit and AES-256 at rest, provided and maintained by our infrastructure providers, and we inherit their upgrades as standards advance. We do not roll our own cryptography.
Do you have SOC 2 or ISO 27001?
Nudgy itself is not SOC 2 or ISO 27001 certified. It runs on infrastructure that is (Vercel, Supabase, Microsoft, Anthropic), and we can share those providers' reports. If your procurement requires Nudgy's own certification, tell us and we will talk through what you need.
What is your uptime or availability guarantee?
Nudgy does not currently offer a contractual uptime SLA. The application runs on high-availability managed infrastructure; any service-level terms for a specific engagement would be set out in your written agreement.
Who do we contact for a security questionnaire or a deeper review?
Email contact@nudgy.ca. We will complete your questionnaire (SIG, CAIQ, or your own format), provide our subprocessors' attestation reports, and walk your team through the architecture under NDA.

