Security Overview

Last Updated: March 07, 2026


We protect your data

All data are written to multiple disks instantly, backed up daily, and stored in multiple locations. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure.

Your data are sent using HTTPS

Whenever your data are in transit between you and us, everything is encrypted using TLS 1.3, and sent using HTTPS. Within our firewalled private networks, data may be transferred unencrypted.

Our application databases are generally not encrypted at rest — the information you add to the applications is active in our databases and subject to the same protection and monitoring as the rest of our systems. Our database backups are encrypted using Google default encryption at rest.

How we encrypt and store configuration secrets

Configuration secrets you provide—such as API keys, tokens, and credentials—receive the highest level of protection using envelope encryption:

  1. Unique key per secret: Each secret is encrypted with its own randomly generated Data Encryption Key (DEK) using AES-256-GCM, a modern authenticated encryption standard.

  2. Key protection with Cloud KMS: The DEK is then encrypted by a Key Encryption Key (KEK) stored in a secure key storage service. This means your plaintext secrets never touch persistent storage—only the encrypted ciphertext is stored.

  3. Cryptographic binding: Each encrypted secret is cryptographically bound to your workspace and configuration. This prevents secrets from being moved or copied between contexts, even by database administrators.

  4. Decryption only when needed: Secrets remain encrypted at rest. They are only decrypted in memory at the moment your automation needs them, and are never written to logs or persistent storage in plaintext form.

  5. Automatic key rotation: The encryption keys in secure KMS are automatically rotated on a regular schedule. Previously encrypted data remains accessible—KMS seamlessly uses the appropriate key version for decryption.
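The five steps above, carried through in Go as an added example; this is not Neudash's own code. It assumes an in-memory stand-in for Cloud KMS (`fakeKMS`) that only wraps and unwraps DEKs under versioned KEKs, and it models the "cryptographic binding" of step 3 as AES-GCM associated data built from a workspace and configuration identifier. All names, the stored-record layout (nonce || ciphertext || tag) and the sample secret are assumptions, not details from the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// fakeKMS is an assumed in-memory stand-in for Cloud KMS: versioned KEKs that only ever wrap or unwrap DEKs.
type fakeKMS struct {
	keks    map[int][]byte // KEK version -> 32-byte key (never leaves this struct)
	current int            // version used for new wraps
}

// rotate adds a new primary KEK version; older versions stay so previously wrapped DEKs still unwrap.
func (k *fakeKMS) rotate() {
	k.current++
	k.keks[k.current] = randomBytes(32)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds an AES-256-GCM AEAD; every key here is 32 bytes, so a failure is a programming bug.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// sealBlob returns nonce || ciphertext || tag so the whole thing is stored as one blob.
func sealBlob(key, plaintext, aad []byte) []byte {
	aead := mustGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func openBlob(key, blob, aad []byte) ([]byte, error) {
	aead := mustGCM(key)
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad) // fails on tampering or on a different AAD
}

// wrap encrypts a DEK under the current KEK and records which version did it.
func (k *fakeKMS) wrap(dek []byte) (int, []byte) {
	return k.current, sealBlob(k.keks[k.current], dek, nil)
}

func (k *fakeKMS) unwrap(version int, wrapped []byte) ([]byte, error) {
	if kek, ok := k.keks[version]; ok {
		return openBlob(kek, wrapped, nil)
	}
	return nil, errors.New("unknown KEK version")
}

// StoredSecret is all that reaches the database: no plaintext secret and no plaintext DEK.
type StoredSecret struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// bindingAAD models the page's "cryptographic binding" (an assumption) as GCM associated data.
func bindingAAD(workspaceID, configID string) []byte {
	return []byte("workspace=" + workspaceID + ";config=" + configID)
}

func EncryptSecret(kms *fakeKMS, workspaceID, configID string, plaintext []byte) StoredSecret {
	dek := randomBytes(32) // fresh 256-bit DEK for this one secret
	ver, wrapped := kms.wrap(dek)
	return StoredSecret{ver, wrapped, sealBlob(dek, plaintext, bindingAAD(workspaceID, configID))}
}

func DecryptSecret(kms *fakeKMS, workspaceID, configID string, s StoredSecret) ([]byte, error) {
	dek, err := kms.unwrap(s.KEKVersion, s.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openBlob(dek, s.Ciphertext, bindingAAD(workspaceID, configID))
}

func main() {
	kms := &fakeKMS{keks: map[int][]byte{}}
	kms.rotate()
	s := EncryptSecret(kms, "ws-1", "cfg-7", []byte("sk_test_constructed")) // constructed sample value
	_, err := DecryptSecret(kms, "ws-2", "cfg-7", s)
	fmt.Println("decrypt under another workspace rejected:", err != nil)
}
```

Two things the code makes visible that the prose only states: the stored record never contains the plaintext DEK, only its wrapped form plus the KEK version it was wrapped under, so a later `rotate` does not break old records; and because the workspace and configuration identifiers are authenticated data rather than part of the ciphertext, copying a row to another workspace changes nothing on disk but makes the GCM tag check fail at decryption time.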

How long we retain your data

We retain different types of data for different periods based on their purpose:

Data Type                Retention Period                Notes
Workflow execution logs  90 days                         Logs from your automation runs
Execution outputs        30 days                         Results and outputs from completed runs
Application logs         30 days                         System debugging and monitoring data
Audit logs               400 days                        Security and compliance records
OAuth tokens             Until disconnected or 90 days   Third-party service connections
Configuration secrets    Until you delete them           Encrypted API keys and credentials
Workspace content        Until workspace deletion        Your workflows, notebooks, and processes
Account data             Until account deletion          Your profile and account information
Billing transactions     7 years                         Required for tax compliance

When you delete content, it becomes immediately inaccessible. Deleted data is purged from our active systems within 30 days and from all backups within 90 days.

Infrastructure security

  • Cloud provider: Google Cloud Platform (GCP) with SOC 2, ISO 27001, and other certifications
  • Data residency: Primary infrastructure in the United States
  • Access control: Workspace-based isolation with role-based access

Payment security

We never store your payment card information. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We only retain a record of the transaction and the last four digits of your card number for billing support purposes.

Vulnerability Disclosure

Neudash is dedicated to preserving data security. We welcome security researchers to responsibly disclose vulnerabilities they discover.

Guidelines

We request that you:

  1. Notify us as soon as possible after discovering a real or potential security issue.
  2. Provide us with a reasonable amount of time (minimum 90 days) to resolve the issue before publicly disclosing it.
  3. Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  4. Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or obtain data, establish persistent access, or pivot to other systems.
  5. Once you've established that a vulnerability exists or encounter any sensitive data, stop your test, notify us immediately, and keep the data strictly confidential.

Scope

This policy applies to:

  • neudash.com — marketing website and web application
  • api.neudash.com — REST API

Any service not explicitly listed above is out of scope. Vulnerabilities in third-party integrations (Google Cloud, Firebase, Stripe, etc.) should be reported directly to those vendors.

Prohibited testing

  • Network denial of service (DoS or DDoS) tests
  • Physical testing, social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing
  • Automated scanning that generates excessive traffic or load
  • Testing against other users' accounts without their explicit consent

Reporting

To report a vulnerability, email security@neudash.com. We will acknowledge receipt within three business days. Reports can be submitted anonymously.

Please include: vulnerability description, affected system/endpoint, potential impact, and steps to reproduce (with scripts and screenshots if possible).

Bug Bounty

Neudash does not currently operate a bug bounty program and is unable to offer financial rewards for vulnerability reports. We genuinely appreciate responsible disclosures and will acknowledge contributors who help improve our security. If we launch a formal bounty program in the future, we will update this page.

Authorization

Security research carried out in conformity with this policy is deemed permissible. We will work with you to understand and fix the problem, and Neudash will not pursue legal action in connection with your research.


Want to know more? Have a concern?

Please get in touch at security@neudash.com.