Security & Data Privacy

nunq is designed for enterprise environments where data protection and access control are critical.

Authentication

All users authenticate through Microsoft Entra ID (formerly Azure Active Directory) using Single Sign-On (SSO). There are no local passwords stored in nunq. Your existing corporate identity is used to log in, and sessions can be revoked centrally at any time.

Authorization and Access Control

nunq uses role-based access control with two primary roles:

User — Can create chats, use assistants, manage personal projects, and access models made available by the organization.
Organization Admin — Has all user capabilities plus the ability to manage organization settings, configure models, create shared assistants and knowledge sources, view analytics, and manage users.

Resources such as assistants, knowledge sources, and prompt templates can be scoped as personal (visible only to the creator) or shared across the organization.

Encryption

In transit. All communication between your devices and nunq is encrypted. This applies to the web application, the desktop app, and all connections to AI model providers.

At rest. All data stored in the database is encrypted at rest.

Sensitive values. Secrets such as AI provider credentials receive an additional layer of encryption before being stored, providing defense in depth.

Secrets Management

Organization secrets, including credentials for AI model providers, are stored in a dedicated secrets management service with hardware-backed key storage, access auditing, and centralized rotation capabilities.

Network Security

Private networking. The nunq backend, database, and supporting services are deployed within isolated private networks, shielded from public internet traffic.

Internal connections. Communication between internal services uses private channels, ensuring that data never traverses the public internet.

Access restrictions. The backend enforces strict policies on which applications and domains can communicate with it.

Multi-Tenant Data Isolation

Each organization's data is logically isolated. All data queries are scoped to the requesting user's organization. Users in one organization cannot view, modify, or access data belonging to another organization.

Session Management

User sessions are tracked and can be managed by both users and administrators. Sessions can be revoked individually or in bulk, forcing re-authentication. Session tokens have configurable expiration periods.

Security & Data Privacy ​

Authentication ​

Authorization and Access Control ​

Encryption ​

Secrets Management ​

Network Security ​

Multi-Tenant Data Isolation ​

Session Management ​