Log in
Get Started

HomeLegal CenterSECURITY PRACTICES

SECURITY PRACTICES

NYGMA.AI

Last Updated: March 18, 2025

This Security Practices document describes the measures Genie9 LTD (“Genie9”, “we”, “us”, or “our”), a company registered in England and Wales with company registration number 08669198, implements to protect your data and ensure the security of the Nygma.ai service (“Service”).

Security is at the core of Nygma.ai’s design. Our zero-knowledge encryption architecture ensures that your data remains private and secure, even from us. This document explains our security practices in detail to help you understand how we protect your information.

1. ZERO-KNOWLEDGE ENCRYPTION ARCHITECTURE

1.1 Client-Side Encryption

  • All encryption and decryption processes occur locally on your device
  • Your data is encrypted before it leaves your device and is transmitted to our servers
  • We never receive or store unencrypted data or encryption keys

1.2 Encryption Standards

  • AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode) for standard encryption
  • ChaCha20-Poly1305 for performance-optimized encryption
  • PBKDF2 with 100,000 iterations for key derivation
  • 256-bit keys for all cryptographic operations

1.3 Key Management

  • Encryption keys are generated on your device
  • Master key is derived from your password using PBKDF2
  • Content and metadata keys are randomly generated and encrypted with your master key
  • All keys are stored exclusively on your device during active use
  • Keys are cleared from memory when you lock your drive or close your session

1.4 Technical Verification

  • Our cryptographic implementations are based on widely reviewed standards
  • We use established cryptographic libraries and the Web Crypto API
  • Our code is regularly reviewed for security vulnerabilities
  • Independent security audits are conducted periodically

2. DATA PROTECTION MEASURES

2.1 Data in Transit

  • All data transmitted between your device and our servers is encrypted using TLS 1.3
  • Perfect Forward Secrecy is employed for all connections
  • Strong cipher suites are enforced for all TLS connections
  • HSTS (HTTP Strict Transport Security) is implemented to prevent downgrade attacks

2.2 Data at Rest

  • All user content is stored in encrypted form
  • Even filenames and metadata are encrypted
  • Server-side access to data is limited to encrypted blobs
  • Data is stored in Amazon S3 with server-side encryption for additional protection

2.3 Metadata Protection

  • File names, sizes, creation dates, and other metadata are encrypted
  • Folder structures and relationships are encrypted
  • No plaintext indexing of user content or metadata
  • Search functionality operates client-side on decrypted data

2.4 Access Controls

  • Administrative access to systems is strictly controlled and audited
  • Multi-factor authentication is required for all internal systems
  • Least privilege principle is enforced for all access
  • Regular access reviews are conducted

3. ADVANCED SECURITY FEATURES

3.1 Two-Factor Authentication

  • Optional two-factor authentication for account access
  • Support for TOTP (Time-based One-Time Password) authenticator apps
  • Recovery options that maintain security

3.2 Duress Mode

  • Alternative password that displays decoy content
  • Maintains plausible deniability in coercion scenarios
  • Server cannot distinguish between normal and duress access

3.3 Time Bomb

  • Automatic data wiping after configured inactivity period
  • Prevents data exposure from forgotten unlocked drives
  • Configurable timeouts from months to years

3.4 Login Monitoring

  • Suspicious login detection
  • Notification of new device logins
  • Login history tracking and reporting
  • Geographic anomaly detection

4. INFRASTRUCTURE SECURITY

4.1 Cloud Infrastructure

  • Hosted on Amazon Web Services (AWS)
  • Multiple availability zones for redundancy
  • Regular security patching and updates
  • Network segmentation and access controls

4.2 Network Security

  • DDoS protection
  • Web Application Firewall (WAF)
  • IP-based access controls for administrative functions
  • Regular network penetration testing

4.3 Monitoring and Logging

  • 24/7 infrastructure monitoring
  • Anomaly detection systems
  • Centralized logging with retention policies
  • Automated alerting for security events

4.4 Physical Security

  • AWS data centers with SOC 2 compliance
  • Strict physical access controls
  • Environmental safeguards
  • Redundant power and networking

5. APPLICATION SECURITY

5.1 Secure Development Practices

  • Security review in all stages of development
  • Regular security training for development team
  • Code reviews with security focus
  • Automated security scanning in CI/CD pipeline

5.2 Vulnerability Management

  • Regular security assessments and penetration testing
  • Bug bounty program for responsible disclosure
  • Prompt patching of identified vulnerabilities
  • Dependency scanning and management

5.3 API Security

  • Authentication required for all API calls
  • Rate limiting to prevent abuse
  • Input validation and sanitization
  • Output encoding to prevent injection attacks

5.4 Frontend Security

  • Content Security Policy (CSP) implementation
  • Cross-Site Scripting (XSS) protections
  • Cross-Site Request Forgery (CSRF) protections
  • Secure cookie settings

6. OPERATIONAL SECURITY

6.1 Security Team

  • Dedicated security personnel
  • Regular security training for all staff
  • Background checks for employees
  • Clear security responsibilities and procedures

6.2 Access Management

  • Role-based access controls
  • Just-in-time privileged access
  • Regular access reviews and rotations
  • Automated deprovisioning for departing employees

6.3 Third-Party Risk Management

  • Security assessment of all vendors
  • Contractual security requirements
  • Regular review of vendor security practices
  • Limitation of vendor access to systems and data

6.4 Documentation and Policies

  • Comprehensive security policies
  • Regular policy reviews and updates
  • Security awareness training
  • Incident response procedures

7. INCIDENT RESPONSE

7.1 Incident Response Plan

  • Documented incident response procedures
  • Defined roles and responsibilities
  • Regular incident response drills
  • Established communication channels

7.2 Detection and Analysis

  • Systems for early detection of security incidents
  • Forensic analysis capabilities
  • Threat intelligence integration
  • Regular review of security events

7.3 Containment and Eradication

  • Rapid response procedures to limit impact
  • Isolation protocols for affected systems
  • Procedures for removing threats
  • Post-incident verification

7.4 Notification Process

  • User notification procedures for relevant incidents
  • Compliance with legal notification requirements
  • Transparent communication about incidents
  • Post-incident reporting

8. COMPLIANCE AND CERTIFICATIONS

8.1 Regulatory Compliance

  • GDPR compliance for EU users
  • CCPA compliance for California residents
  • PIPEDA compliance for Canadian users
  • Compliance with UK data protection laws

8.2 Security Assessments

  • Regular independent security assessments
  • Vulnerability scanning and penetration testing
  • Code security reviews
  • Architecture security reviews

8.3 Future Certifications

  • We are working toward obtaining industry-standard certifications
  • Regular internal audits against security frameworks
  • Continuous improvement of security practices

9. USER SECURITY RESPONSIBILITIES

9.1 Password Security

  • Creating strong, unique passwords
  • Safeguarding your password and recovery key
  • Not sharing account credentials
  • Using two-factor authentication when available

9.2 Device Security

  • Keeping your devices secure and updated
  • Using device encryption when available
  • Locking devices when not in use
  • Using anti-virus and anti-malware protection

9.3 Recovery Key Protection

  • Storing your recovery key securely offline
  • Not sharing your recovery key with others
  • Creating backup copies of your recovery key
  • Testing your recovery key periodically

9.4 Secure Sharing Practices

  • Being cautious about who you share files with
  • Using secure channels for sharing sensitive links
  • Implementing expiration dates for shared links
  • Revoking access when no longer needed

10. SECURITY LIMITATIONS

10.1 Zero-Knowledge Implications

  • We cannot recover your data if you lose your password and recovery key
  • We cannot scan your files for malware
  • We cannot detect illegal content
  • We cannot implement server-side search functionality

10.2 Security Feature Limitations

  • Duress Mode and Time Bomb features are provided as-is without guarantees of effectiveness in all scenarios
  • Legal requirements in some jurisdictions may limit the effectiveness of certain security features
  • Advanced security features require proper configuration by users

10.3 Client-Side Security

  • The security of your data depends partly on the security of your devices
  • Malware on your device could potentially compromise your encryption keys
  • Browser vulnerabilities could potentially affect the security of the web application

11. SECURITY UPDATES AND COMMUNICATIONS

11.1 Security Bulletins

  • We publish security bulletins for significant security updates
  • Security advisories are issued for vulnerabilities with user impact
  • Clear guidance is provided for any required user actions

11.2 Continuous Improvement

  • Regular reviews of security practices
  • Updates to security measures based on evolving threats
  • Incorporation of user feedback on security features

11.3 Transparency

  • Clear communication about our security practices
  • Disclosure of security incidents in accordance with legal requirements
  • Regular updates on security enhancements

12. REPORTING SECURITY ISSUES

12.1 Vulnerability Reporting

  • If you discover a security vulnerability, please report it to security@genie9.com
  • We follow responsible disclosure practices
  • We address security vulnerabilities promptly

12.2 Security Questions

  • For questions about our security practices, contact security@genie9.com
  • For general security inquiries, contact support@genie9.com

13. LIMITATION OF LIABILITY

13.1 Security Guarantee Limitations. While we implement reasonable security measures, we cannot guarantee absolute security. IN NO EVENT SHALL GENIE9’S TOTAL LIABILITY TO YOU FOR ANY SECURITY-RELATED CLAIMS EXCEED ONE HUNDRED U.S. DOLLARS ($100.00), REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, OR OTHERWISE.

14. CHANGES TO THIS DOCUMENT

14.1 Document Updates. We may update this Security Practices document from time to time to reflect changes in our security practices. We will notify users of significant changes.

14.2 Current Version. The current version of this document is always available at nygma.ai/security-practices.

15. CONTACT INFORMATION

For security-related inquiries, please contact:

Genie9 LTD
 3 Shortlands
 W68DA, London
 United Kingdom
 Email: security@genie9.com

END OF SECURITY PRACTICES DOCUMENT