Security Practices
Learn about our security measures and compliance standards
We take the security of customer data seriously at Noodlbox. If you have additional questions regarding security, please write to security@noodlbox.io and we will respond as quickly as we can.
Quick Links
- Terms of Service
- Privacy Policy
- Subprocessors
- Data Processing Agreement (DPA): Available on request. Contact security@noodlbox.io
Local-First Architecture
Noodlbox is local-first by design. The CLI runs entirely on your machine — your code never leaves your device during analysis. Cloud features are opt-in and require explicit authentication.
All infrastructure is hosted in the EU. A complete list of third-party service providers is available on our Subprocessors page.
Code Storage
When you opt in to cloud features via noodl push, source code and analysis artifacts are stored on encrypted cloud storage in Western Europe. Code remains stored until you delete the box, the organization, or your account.
Access to stored code is strictly scoped to your organization. Cross-organization access is not possible — not even to confirm whether a resource exists.
We do not use your code for model training, resale, or any purpose beyond providing the Noodlbox service.
Encryption
- In transit: TLS 1.2+ on all connections
- At rest: AES-256 on all storage (databases, object storage, compute ephemeral storage)
- API keys: Hashed before storage — raw keys are shown once at creation and never stored
- CLI credentials: Encrypted at rest, key derived from machine identifier
Access Control
- Authentication: JWT and API key authentication with no external auth gateway
- Organization isolation: All data access is scoped to your organization at the database level
- Device limits: Per-user device tracking with tier-based limits to prevent account sharing
- Role-based access: Organization roles (Owner, Admin, Member) with write operations gated by role
Network Security
- Web Application Firewall on all endpoints
- DDoS protection (unmetered)
- Multi-layer rate limiting (edge, application, and usage-based)
- Security headers on all responses (HSTS, CSP, X-Frame-Options, and others)
Audit Logging
Security-sensitive operations (code uploads, deletions, exports, account changes) are logged to an append-only audit trail with user identity, client IP, and timestamps.
Data Deletion
You can delete your data at any time:
- Delete a box: Removes the box and all associated cloud artifacts
- Delete your account: Self-service via the dashboard or API — removes all account data
- Delete an organization: Removes all boxes and data owned by that organization
Infrastructure
- Non-root container execution
- Minimal base images with latest security patches
- Encrypted ephemeral compute storage
- All compute and storage in the EU
Vulnerability Reporting
If you discover a security vulnerability, please report it responsibly:
- Email: security@noodlbox.io
- Security contact information: /.well-known/security.txt
Compliance
- GDPR compliance (data rights, deletion, DPA on request)
- SOC 2 Type I (planned)
- SOC 2 Type II (planned for enterprise tier)
Contact
For security questions or to request a DPA, contact security@noodlbox.io. We typically respond within 2 business days.