Noemata is built to keep your knowledge graph safe, private, and under your control. Here's exactly how.
This is the most important thing to know.
Noemata uses the Anthropic API (Claude) and OpenAI API (embeddings) to process your content. Both services have clear data usage policies for API customers:
Anthropic: "We do not train our models on inputs and outputs sent through our API."
OpenAI: "Data sent through the API is not used to train or improve our models."
Your brain dumps, notes, and documents are processed via API calls and never retained by AI providers beyond the time needed to generate a response.
Where Your Data Lives
Your knowledge graph lives in a managed Neo4j database. Every query is scoped to your user ID — there is no way to access another user's graph.
Long-form content and documents are stored in Cloudflare R2 with ownership verification. Files are only accessible after proving you own the parent node.
All data is encrypted at rest and in transit (TLS 1.3).
Every database query includes your user ID as a filter. Data isolation is enforced at the query level, not just the application level.
Parameterized queries prevent SQL/Cypher injection. No user input is ever interpolated into database queries.
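The two properties described above (every query filtered by the user ID, and no user input interpolated into query text) can be combined in one small wrapper. This is an added sketch, not Noemata's code; the `Note` label, the `ownerId` property, and all function names are assumptions for illustration.

```javascript
// Added illustration, not Noemata's code. Label, property and function
// names are hypothetical; the sample input is constructed.

// Contrast case: values are spliced into the Cypher text, so a crafted
// search term becomes part of the query itself.
function interpolatedSearch(userId, term) {
  return {
    text: `MATCH (n:Note {ownerId: '${userId}'}) WHERE n.title CONTAINS '${term}' RETURN n`,
    params: {},
  };
}

// Parameterized form: the query text is a constant and every value,
// including the owner filter, travels separately as a parameter.
const SEARCH_NOTES =
  "MATCH (n:Note {ownerId: $userId}) WHERE n.title CONTAINS $term RETURN n";

// Builds the { text, params } pair a database driver would receive.
function scopedQuery(text, session, params = {}) {
  // The user ID is taken from the authenticated session only.
  if (!session || typeof session.userId !== "string" || session.userId === "") {
    throw new Error("unauthenticated");
  }
  // Refuse any query text that does not reference the owner filter.
  if (!/\$userId\b/.test(text)) {
    throw new Error("query is not scoped to $userId");
  }
  // Callers cannot override the scope through their own parameters.
  if (Object.prototype.hasOwnProperty.call(params, "userId")) {
    throw new Error("caller may not supply userId");
  }
  return { text, params: { ...params, userId: session.userId } };
}

// Constructed sample: a search term containing query syntax.
function demo() {
  const session = { userId: "user_123" };
  const term = "x' OR 1=1 //";
  return {
    interpolated: interpolatedSearch(session.userId, term).text,
    scoped: scopedQuery(SEARCH_NOTES, session, { term }),
  };
}
```

In the parameterized result the query text is byte-for-byte the constant, and the crafted term is carried only as data in `params.term`.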
Authentication
Authentication is handled by Clerk, a SOC 2 Type II certified auth provider. Noemata never stores your password. You can enable two-factor authentication, passkeys, and social login through Clerk.
Every API endpoint requires authentication. There are no public data endpoints.
Session tokens are set with the HttpOnly, Secure, and SameSite cookie attributes. OAuth flows use CSRF protection.
Infrastructure
Deployed on the Vercel edge network with automatic DDoS protection
Rate limiting on all API endpoints (stricter on AI routes)
Input validation with Zod schemas on every request
Security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options
What We Don't Do
We do not sell your data. Ever.
We do not share your data with third parties for advertising.
We do not use your content to train AI models.
We do not track you across the web.
We do not store your data longer than necessary.