Privacy & data boundaries
Nova Code is designed so that your data stays on your infrastructure. This page explains what is stored locally and what reaches external services.
What stays on your server
Database (PostgreSQL)
All application data is stored in your PostgreSQL instance:
- User accounts and hashed credentials
- Workspace metadata and configuration
- Session content and chat history
- Automation definitions and run history
- Push notification subscriptions
- Role templates
Filesystem
- Workspace files — your project code, managed through the file browser and Git interface.
- Rule files — workspace-specific instructions for agents.
- Agent credentials — authentication tokens stored under the config volume.
- SSH keys — the server-generated keypair for Git operations.
- VAPID keys — for web push notifications.
- MCP configuration — registered MCP server definitions.
Secrets
API keys, agent tokens, and the JWT secret should be provided via environment variables or secure configuration volumes. Never commit them to version control.
What reaches external services
Model providers
When you run a session, Nova Code spawns the agent CLI (Cursor, Claude, or Mistral Vibe) as a child process. These CLIs contact their respective vendor APIs to process prompts. Nova Code does not intercept, proxy, or store model API traffic — the agents communicate directly with:
- Cursor — Cursor’s servers (see Cursor’s privacy policy)
- Claude Code — Anthropic’s API (see Anthropic’s privacy policy)
- Mistral Vibe — Mistral’s API (see Mistral’s terms)
Review each provider’s documentation for details on how they handle your code and prompts.
This website
The Nova Code documentation site includes Vercel Web Analytics and Vercel Speed Insights when deployed to Vercel. These are privacy-focused analytics that do not use cookies or track individual users. On other hosting platforms, these scripts are inert.
The self-hosted Nova Code application itself does not include any analytics or tracking.
Network considerations
- The REST API is intended for trusted networks; otherwise, place it behind authentication at the edge.
- JWTs are bearer tokens — treat them as secrets and transmit only over HTTPS in production.
- There is no separate API key mechanism; all API access uses the same JWT as the dashboard.
Security contact
For security issues, follow the process in the repository’s SECURITY.md if present, or open a private issue on GitHub.
Related
- Settings — agent authentication and configuration
- Installation — secure setup guidance
- FAQ — common security and operational questions