Security & Data Privacy FAQ
The questions enterprise security, RevOps and legal teams ask before NoQ5 connects to Salesforce, HubSpot or Pipedrive. Answered directly, in plain language, with the controls and contractual terms that back each answer.
- EU-hosted in Frankfurt, AES-256-GCM at rest, TLS 1.3 in transit
- Zero-retention LLM: prompts and completions are not retained or used for training
- Row-level tenant isolation enforced in the database, not just the application
- OAuth tokens encrypted with per-tenant data keys, wrapped by a KMS key
- GDPR Article 28 DPA and EU SCCs published and signed at contract start
- Immutable audit trail on every CRM write, retained 13 months
Data isolation and tenant separation
Every customer runs as a logically isolated tenant with a unique tenant identifier enforced at the database row level via row-level security policies. CRM records, transcripts, embeddings and OAuth tokens are tagged with the tenant ID on write and filtered on every read, so a compromised application path cannot return another tenant's data.
AI model training and conversation data
Customer CRM records, call transcripts, emails and meeting content are never used to train, fine-tune or improve any third-party or NoQ5 model. The LLM provider runs under a zero-retention configuration: prompts and completions are not retained beyond the request and are not used for training.
GDPR, DPA and EU data residency
NoQ5 acts as a data processor under GDPR. A GDPR Article 28 Data Processing Agreement and EU Standard Contractual Clauses are signed at contract start. Customer data is stored in the EU (Frankfurt), backups remain in the EU, and any sub-processor processing data outside the EEA is bound by EU SCCs and listed on the Subprocessors page.
Encryption, access control and audit trail
Data is encrypted in transit with TLS 1.3 and at rest with AES-256-GCM. Production access is restricted to a named on-call rotation with hardware-key MFA and is logged. Every CRM write, approval and admin action is recorded in an immutable audit log retained for at least thirteen months.
Frequently asked questions
Is my CRM or conversation data used to train AI models?
No. Customer CRM records, call transcripts, emails and meeting content are never used to train, fine-tune or improve any third-party or NoQ5 model. The LLM provider is contractually under a zero-retention configuration.
How is one customer's data isolated from another?
Every customer is provisioned as a logically isolated tenant. Row-level security policies enforce tenant separation in the database itself, so application bugs cannot leak data across tenants.
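One way to enforce in the database the tenant separation described under "Data isolation and tenant separation" and in the answer above, as an added example that is not NoQ5's own code. It assumes PostgreSQL, which the page does not name, and the table, role and setting names are hypothetical.

```sql
-- Added example in PostgreSQL syntax (assumed; the page does not name its database).
-- crm_records, app_rw and app.tenant_id are hypothetical names.
CREATE ROLE app_rw NOLOGIN;              -- role the application runs as, no BYPASSRLS

CREATE TABLE crm_records (
    id        bigserial PRIMARY KEY,
    tenant_id uuid  NOT NULL,            -- tenant tag written on every row
    payload   jsonb NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON crm_records TO app_rw;
GRANT USAGE ON SEQUENCE crm_records_id_seq TO app_rw;

ALTER TABLE crm_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE crm_records FORCE ROW LEVEL SECURITY;   -- the table owner is filtered too

-- USING filters rows on SELECT/UPDATE/DELETE; WITH CHECK validates rows on INSERT/UPDATE.
-- current_setting(..., true) yields NULL when the setting is absent and NULLIF maps
-- an empty value to NULL, so a request with no tenant context matches no rows.
CREATE POLICY tenant_isolation ON crm_records
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Constructed sample data: tenant A writes one row inside its own transaction.
BEGIN;
SET LOCAL ROLE app_rw;
SELECT set_config('app.tenant_id', 'aaaaaaaa-0000-0000-0000-000000000001', true);
INSERT INTO crm_records (tenant_id, payload)
VALUES ('aaaaaaaa-0000-0000-0000-000000000001', '{"deal": "constructed sample"}');
COMMIT;

-- Tenant B runs an unfiltered query, as a buggy application path might.
-- The policy appends the tenant predicate, so tenant A's row is not visible.
BEGIN;
SET LOCAL ROLE app_rw;
SELECT set_config('app.tenant_id', 'bbbbbbbb-0000-0000-0000-000000000002', true);
SELECT count(*) AS visible_rows FROM crm_records;
-- Writing a row tagged with tenant A's id fails the WITH CHECK expression
-- and aborts the transaction.
INSERT INTO crm_records (tenant_id, payload)
VALUES ('aaaaaaaa-0000-0000-0000-000000000001', '{"deal": "cross-tenant write"}');
ROLLBACK;
```

Superusers and roles with BYPASSRLS skip these policies, so the application connection must use neither.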
Where is customer data physically stored?
In the European Union (Frankfurt). Backups remain inside the EU. Any sub-processor processing data outside the EEA is bound by EU SCCs and is listed publicly on the Subprocessors page.
Is NoQ5 GDPR compliant, and is a DPA available?
Yes. NoQ5 acts as a GDPR processor. A Data Processing Agreement aligned with Article 28, including EU SCCs, is published at /dpa and signed at contract start.
How are Salesforce, HubSpot and Pipedrive OAuth tokens protected?
OAuth tokens are encrypted at rest with AES-256-GCM using organization-specific data keys, themselves wrapped by a KMS key. The application database never holds plaintext credentials. Tokens are revoked the moment a customer disconnects the integration.
Is NoQ5 ISO 27001 or SOC 2 certified?
ISO 27001 is in progress. NoQ5 operates against the ISO 27001 control set, publishes its security posture and sub-processor footprint, and is targeting SOC 2 Type II next.
What is your breach notification commitment?
In line with GDPR Article 33, NoQ5 notifies the customer of any confirmed personal-data breach without undue delay and within 72 hours of confirmation.
GDPR-compliant · EU-hosted · Built in Ireland · noq5.ai