Security at NexaLink
Your card and your contacts are yours. Here's exactly how we protect them — from the database all the way up to the AI assistants you connect.
Your data is yours
Ownership and control come first. We don't sell your data, and we never train AI models on it.
Your contacts are yours
Your card and every contact you capture belong to you. We don't sell your data, and we never train AI models on it.
Export anytime
Download your contacts and interaction history whenever you want (Pro plans and above) — no lock-in.
Delete means deleted
Delete your account, and all associated data is permanently removed within 30 days.
Minimal collection
We collect only what's needed to run your card and personal CRM — nothing more.
How we protect your data
Layered, defense-in-depth controls — each one enforced in our infrastructure and code.
Encryption in transit (TLS)
Every connection to NexaLink is served over HTTPS with modern TLS and HSTS (2-year max-age, preload-listed), so traffic between your device and our servers can't be read or tampered with.
Encryption at rest (AES-256)
Your data lives in a managed PostgreSQL database that is encrypted at rest with AES-256.
Passwordless authentication
There's no password to steal, phish, or reuse. Sign in with a one-time email code or with Apple, Google, or LinkedIn — all over OAuth 2.1 with PKCE.
Row-Level Security
Isolation is enforced inside the database itself. Every card, contact, and note is bound to its owner, so one account can never read or write another's data.
Least-privilege & secret hygiene
Privileged operations run under a separate service role, secrets are stored write-only, and we deliberately keep tokens and credentials out of our application logs.
Hardened HTTP headers
A strict Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and a strict referrer policy defend against clickjacking, content injection, and data leakage.
AI connector security
NexaLink connects to AI assistants over the Model Context Protocol so you can manage your card and CRM in natural language. Because that connection can act on your account, we built it to the OAuth 2.1 standard and reviewed it adversarially.
- Acts only on your own account — the connector can never reach another user's card or contacts.
- Built to OAuth 2.1 with mandatory PKCE (S256) — there is no shared client secret to leak.
- Access tokens are short-lived and audience-bound (RFC 8707): a token issued for one resource can't be replayed against another.
- Refresh tokens rotate on every use; reusing an old one automatically revokes the entire session (theft detection).
- Tokens are stored only as SHA-256 hashes, never in plaintext, and the raw token is shown to you exactly once.
- Revoke any connected AI app instantly from Settings → Connected apps.
- The connector's authentication was independently and adversarially security-reviewed before launch.
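A minimal model of the token-handling rules listed above, added here as an illustration and not NexaLink's own code: refresh tokens are stored only as SHA-256 hashes, every refresh mints a new token, and presenting a token that has already been rotated out revokes the whole session. The class and method names are assumptions for the example.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: str
    current_hash: str                 # hash of the one refresh token that is valid now
    seen_hashes: set[str] = field(default_factory=set)  # every hash ever issued
    revoked: bool = False


class RefreshTokenStore:
    """Hypothetical server-side store: keeps hashes only, never the raw token."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}
        self._by_hash: dict[str, str] = {}   # token hash -> session id

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, session_id: str, session: Session) -> str:
        raw = secrets.token_urlsafe(32)
        h = self._hash(raw)
        session.current_hash = h
        session.seen_hashes.add(h)
        self._by_hash[h] = session_id
        return raw                        # the only moment the plaintext exists here

    def create_session(self, user_id: str) -> tuple[str, str]:
        session_id = secrets.token_hex(8)
        session = Session(user_id=user_id, current_hash="")
        self._sessions[session_id] = session
        return session_id, self._issue(session_id, session)

    def rotate(self, presented: str) -> str | None:
        """Exchange a refresh token for a new one; None means 'rejected'."""
        h = self._hash(presented)
        session_id = self._by_hash.get(h)
        if session_id is None:
            return None                   # never issued by us
        session = self._sessions[session_id]
        if session.revoked:
            return None
        if h != session.current_hash:
            # Replay of an already-rotated token: someone holds a stale copy,
            # so the whole session is revoked rather than trusting either party.
            session.revoked = True
            return None
        return self._issue(session_id, session)

    def is_revoked(self, session_id: str) -> bool:
        return self._sessions[session_id].revoked
```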
We never see your card number
All billing is handled by PCI-DSS-compliant processors — Apple, Google Play, and Dodo Payments. Your payment details are entered with the processor and never touch NexaLink's servers.
Compliance & infrastructure
We honor your access, export, and deletion rights under EU, California, and Indian data-protection law.
Built on infrastructure providers (Vercel and Supabase) that maintain SOC 2 Type II attestations.
Row-level security and per-account scoping keep every customer's data separated at the database layer.
Security questions, answered
Does NexaLink sell my data or train AI on it?
No. Your contacts and card data are yours. We do not sell your personal information to third parties, and we do not train AI models on your data. You can export everything (Pro plans and above) or delete your account — which permanently removes your data within 30 days — at any time.
How is my data encrypted?
In transit, every connection uses HTTPS with modern TLS, enforced by HTTP Strict Transport Security (a 2-year policy that is on the browser preload list). At rest, your data sits in a managed PostgreSQL database encrypted with AES-256.
Do you store my password?
No — NexaLink is passwordless. You sign in with a one-time code sent to your email, or with Apple, Google, or LinkedIn single sign-on, all over OAuth 2.1 with PKCE. There is no password for us to store or for an attacker to leak.
I connected NexaLink to an AI assistant. What can it access?
Only your own account, and only the actions you'd take yourself — editing your card, and reading or organizing your own contacts. The connector uses OAuth 2.1: access tokens are short-lived and audience-bound, refresh tokens rotate on every use with automatic theft detection, and tokens are stored only as hashes. You can revoke any connected app instantly from Settings → Connected apps.
Do you ever see or store my card number?
No. Payments are handled entirely by PCI-DSS-compliant processors — Apple, Google Play, and Dodo Payments. Your card details are entered with the processor and never touch NexaLink's servers.
Are you GDPR and SOC 2 compliant?
We honor your data-subject rights under the GDPR, California's CCPA, and India's DPDP Act — including access, export, and deletion. NexaLink runs on infrastructure (Vercel and Supabase) that maintains SOC 2 Type II attestations, and enterprise customers can request security-questionnaire support during onboarding.
How do I report a security vulnerability?
Email security@nexalink.co. We take reports seriously, investigate promptly, and appreciate responsible disclosure.
Report a vulnerability
If you discover a security issue, please report it responsibly. We investigate promptly and appreciate the help keeping NexaLink safe.
Contact our security team
More on how we handle your data
Read our Privacy Policy for the full detail on what we collect and why, or reach out with specific questions.