How Nerve handles your data, the controls in place, and how to report a vulnerability.
Nerve runs on Vercel in the United States. All persistent state lives in Upstash Redis (US region) under per-user namespaced keys (user:{userId}:*). There is no shared global state for user content; cross-tenant access is not architecturally possible at the storage layer.
Authentication is handled by Clerk. Nerve never stores passwords. OAuth refresh tokens for connected services (Google, Slack, Microsoft) are stored encrypted at rest in Upstash and accessed only by per-user agents.
Nerve is designed to store the minimum viable state to operate. Specifically:
Production access is limited to the founder (Patrick Hillstrom) using individually attributed credentials with MFA. There are no shared accounts. Audit logs from Vercel, Upstash, and Clerk are retained according to each provider's retention policy.
Admin tools that surface user data are gated by an explicit ADMIN_USER_IDS allowlist plus Clerk session verification. There is no "view as another user" capability for non-admins.
Nerve (NerveLabs Inc.) is not yet SOC 2 certified. Our infrastructure providers (Clerk, Upstash, Vercel, Anthropic, AWS Bedrock, Stripe) are. We are early-stage and prioritize security hygiene over certification theater for now; certification is on the roadmap as we grow.
Every Redis read and write goes through a userKey(userId, suffix) helper that enforces a per-user namespace. A write-guard library refuses any write whose key is not user-scoped, with a small allowlist for genuinely shared infrastructure state (waitlist, public stats). This guard exists specifically to prevent cross-tenant leaks; an internal incident on 2026-04-22 motivated this hardening.
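One way to build the per-user key helper and write guard described above, as an added example that is not Nerve's own code: userKey, ownerOf, MemoryKv, guardedWrite and the entries in the SHARED_KEYS allowlist are assumed names and values, and the in-memory store stands in for Upstash Redis.

```typescript
// Added illustration (not Nerve's code): per-user key namespacing plus a
// write guard for a Redis-style key/value store. userKey, ownerOf,
// MemoryKv, guardedWrite and SHARED_KEYS are assumed names.

// Keys that are legitimately global and may be written without a user scope.
const SHARED_KEYS: ReadonlySet<string> = new Set(["waitlist", "stats:public"]);
const ID_PATTERN = /^[A-Za-z0-9_-]+$/;

// Build a user-scoped key of the form user:{userId}:{suffix}. IDs that could
// carry a ":" separator are rejected so a caller cannot escape the namespace.
function userKey(userId: string, suffix: string): string {
  if (!ID_PATTERN.test(userId)) {
    throw new Error(`invalid userId: ${JSON.stringify(userId)}`);
  }
  if (suffix.length === 0) throw new Error("empty key suffix");
  return `user:${userId}:${suffix}`;
}

// Return the owning user of a key, or null when the key is not user-scoped.
function ownerOf(key: string): string | null {
  const m = /^user:([A-Za-z0-9_-]+):.+$/.exec(key);
  return m ? m[1] : null;
}

// Minimal in-memory stand-in for the Redis write path.
class MemoryKv {
  readonly data = new Map<string, string>();
  set(key: string, value: string): void {
    this.data.set(key, value);
  }
}

// Refuse any write that is neither scoped to the acting user nor on the
// shared-state allowlist, so a mis-built key fails closed instead of
// landing in another tenant's namespace.
function guardedWrite(kv: MemoryKv, actingUserId: string, key: string, value: string): void {
  if (SHARED_KEYS.has(key)) {
    kv.set(key, value);
    return;
  }
  const owner = ownerOf(key);
  if (owner === null) {
    throw new Error(`write refused: "${key}" is not user-scoped`);
  }
  if (owner !== actingUserId) {
    throw new Error(`write refused: "${key}" belongs to another tenant`);
  }
  kv.set(key, value);
}
```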
Connected-service scopes are listed in our Privacy Policy. Several are write-capable (Gmail send, Calendar events) so that, when you approve a drafted action, Nerve can execute it. Nerve never executes a write without an explicit user approval of that specific action; every send, every label, and every calendar create requires you to click through.
If you find a security issue, please email security@getnerve.ai (forwards to the founder). Please do not file a public GitHub issue or post on social before we have had a chance to fix it.
We commit to acknowledging your report within 48 hours and providing a status update within 7 days. We do not currently have a paid bug bounty, but we will publicly credit researchers who report responsibly (with your permission).
In the event of a confirmed breach affecting your data, we will notify affected users within 72 hours per GDPR and applicable state breach notification laws, including the nature of the breach, the data affected, the steps we are taking, and recommended actions for you.
You can request full deletion of your account and data at any time from your account settings or by emailing patrick@getnerve.ai. Personal data is removed within 30 days of request. OAuth tokens are revoked at deletion time so we can no longer access your connected accounts.
Last updated 2026-05-04. Material changes will be reflected here and announced on the changelog when applicable.