Privacy & data boundaries
On your infrastructure
- PostgreSQL holds users, workspace metadata, session content, automations, tokens (hashed), push subscription endpoints, etc., as implemented in the application schema.
- Filesystem holds workspace files, rule files, and build artifacts you create.
- Secrets (API keys, agent tokens) should be provided via environment variables or secure configuration volumes—never commit them to Git.
Model providers (Cursor / Claude)
NovaCode orchestrates your installed agent CLIs. When a session runs, those CLIs may contact vendor APIs according to their terms. NovaCode’s server does not need to replace that relationship; review Cursor and Anthropic documentation for data handling.
This website
The site includes Vercel Web Analytics and Vercel Speed Insights via @vercel/analytics and @vercel/speed-insights when you deploy to Vercel (enable Analytics and Speed Insights in the Vercel project). On other hosts these scripts are inert or should be removed if you prefer zero third-party scripts. Document any other embeds or trackers here for your users.
API exposure
The REST API is intended to be reachable only from trusted networks or behind authentication at the edge. Treat JWTs and API tokens as bearer secrets.
Contact
For security issues, follow the process in your GitHub repository’s SECURITY.md if present.