NoData Security & Compliance Whitepaper
How NoData implements security and compliance controls directly at the data layer
NoData is a data exposure control platform designed to reduce security risks and accelerate compliance by controlling how data is accessed, rather than only securing how it is stored or transmitted.
The platform enforces security and compliance controls directly at the data layer through encryption, access policies, and automated audit mechanisms.
▸Reduce data exposure risks
▸Accelerate SOC 2 — scan, encrypt, proof chain ready for audit
▸Eliminate reliance on multiple security tools
▸Gain full visibility into data access
Core Principle: Data Exposure Control
Traditional security models focus on securing storage, securing transmission, and monitoring activity. NoData introduces a different model:
Control what data is exposed - before it is ever delivered
▸Policy-based access control
▸Field-level data filtering
▸Secure delivery mechanisms
3.1 ZERO-KNOWLEDGE
▸Server cannot read user data
▸Encryption keys controlled by client
▸No plaintext sensitive data stored
3.2 DATA FLOW
1. Data is classified
2. Access policies applied
3. Data is encrypted
4. Only permitted data delivered
Blind Relay Architecture
No SDK. No code leaves. Everything is API calls to a blind relay.
The server processes encryption and decryption without storing the data — not the content and not the keys. Keys are generated per-session and never permanently stored. Even if the server is breached — there is nothing to find.
Two deployment modes:
▸NoData Cloud — managed blind relay. Data flows through but is never stored.
▸NoDataSafe — isolated instance running in YOUR cloud. Same code, same architecture, zero dependency on us.
Only 4 endpoints:
▸POST /encrypt — Encrypt field (blind relay — nothing stored)
▸POST /decrypt — Authorized decrypt (nothing stored)
▸POST /deliver — Secure delivery (burn, TTL, max views)
▸GET /evidence — Audit trail export (metadata only, zero content)
▸Encryption - AES-256-GCM (data encryption)
▸Key exchange - RSA-4096 (OAEP) (secure key sharing)
▸Key derivation - PBKDF2-SHA256, 310K iterations (protects private keys)
▸Hashing - SHA-256 (integrity verification)
All cryptographic operations rely on standardized implementations (W3C Web Crypto API).
Data Protection Mechanisms
▸Encryption at rest, in transit, and at field level
▸Automatic data expiration (TTL)
▸Forward secrecy (keys destroyed after use)
▸Zero retention for ephemeral data
Access Control & Policy Engine
▸Role-Based Access Control (RBAC)
▸Field-level permissions (allow / deny)
▸Deny-overrides-allow logic
▸Purpose-based access tracking
No direct access to raw database data is permitted.
▸Immutable audit logs (proof-hash based)
▸Real-time anomaly detection
▸Automated compliance evidence generation
▸Daily compliance snapshots
KEY IMPLEMENTATIONS
▸CC6 - RBAC + field-level enforcement
▸CC7 - Anomaly detection + logs
▸CC5 - Encryption + policy enforcement
▸CC8 - Key rotation tracking
▸CC9 - Automated scoring and alerts
▸Logical access controls
▸Segregation of duties
▸Audit logs for all actions
▸Change tracking and approvals
▸Secure session management
Infrastructure & Security Layers
Database Security
▸Row Level Security (RLS) across all tables
▸No direct data manipulation
▸Controlled function access
API Security
▸Rate limiting (multi-tier)
▸Token-based authentication
▸CORS enforcement
Admin Security
▸Strong password hashing (bcrypt)
▸OTP-based authentication
▸Login audit logs
Key Management System (KMS)
▸RSA-4096 keys per organization
▸Encrypted private keys
▸Key rotation and versioning
▸Key escrow for recovery
▸Re-encryption workflows
📉Reduce compliance costs by up to 50%
🔄Replace multiple security tools
🛡Minimize insider risk
⚡Shorten audit preparation time