Notexs
Security

Security at Notexs

The safest design choice is not collecting data in the first place. Notexs is local-first: your notes live on your machine, not ours. This page describes how we protect the data that does pass through our systems.

Last updated: March 23, 2026

Local-first architecture

The most secure data is data we never have. Notexs stores your notes as plain .md files on your own machine. Cloud sync is an explicit opt-in feature — not the default.

No upload by default
Local documents never leave your device. Only documents you explicitly sync are transmitted.
Your files, your format
Notes are standard Markdown. You can read, edit, and move them with any tool, independent of Notexs.
Full offline operation
The entire editing experience — all local documents — works with zero network access.

Encryption

When cloud sync is enabled, your data is protected at every stage:

In transit

TLS 1.3 for all connections. Older protocol versions are not accepted.

At rest

AES-256 for all data stored on our infrastructure, managed by Supabase on AWS.

Auth tokens

Short-lived JWTs signed with RS256. Refresh tokens rotate on every use and are invalidated on sign-out.

Passwords

Never stored in plain text. Hashed with bcrypt plus a per-user salt, managed entirely by Supabase Auth.

Authentication & account security

Email + password
Standard authentication with strong password requirements enforced at sign-up.
Session management
Sessions are invalidated immediately on sign-out. All active sessions can be reviewed and revoked from account settings.
Rate limiting
Login attempts and password-reset requests are rate-limited to prevent brute-force and credential-stuffing attacks.
Secure token storage
Auth state in the desktop app is stored in the OS keychain, not in plain localStorage.

Infrastructure & data storage

Cloud infrastructure is provided by independently audited providers:

SupabaseDatabase, authentication, and file storage. Hosted on AWS (us-east-1). Supabase holds SOC 2 Type II certification. Row-Level Security policies ensure users can only access their own data — enforced at the database level, not just the application layer.
StripeAll payment processing. PCI DSS Level 1 certified. No card data passes through our servers or is stored in our database.
AWSUnderlying cloud provider for Supabase. ISO 27001 certified. SOC 2 compliant data centres with physical security controls.

Data isolation

We use PostgreSQL Row-Level Security (RLS) to enforce data isolation at the database layer. This means:

  • Even if an application bug bypassed authorisation checks, the database would still reject cross-user data access
  • Each user's synced documents, settings, and profile are scoped by user ID at the storage level
  • Administrative queries require separate privileged credentials, not available to the application at runtime

Payment security

Payment security is delegated entirely to Stripe — card data never reaches or is stored by Notexs:

  • Card details are entered in a Stripe-hosted UI (Stripe Elements) — your browser sends them directly to Stripe, not our servers
  • We store only a Stripe Customer ID and your subscription or purchase status
  • Stripe Webhooks use signed payloads — we verify every event signature before processing
  • Lifetime purchases use Stripe's one-time payment mode; no recurring billing data is retained after the transaction

Incident response

In the event of a confirmed security incident affecting user data:

Containment
Affected systems are isolated immediately on confirmation.
User notification
Affected users are notified by email within 72 hours of discovery, as required by GDPR Articles 33–34.
Regulatory notification
Relevant supervisory authorities are notified within 72 hours where required by applicable law.
Post-mortem
A public post-mortem is published for incidents affecting user data, detailing what happened, what was affected, and what steps prevent recurrence.

Responsible disclosure

If you discover a security vulnerability, please disclose it responsibly. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to investigate (typically 90 days). We acknowledge every report and keep you informed of progress.

We do not currently operate a formal bug-bounty programme, but we recognise researchers publicly for valid reports and evaluate case-by-case rewards for significant findings.

Report a vulnerability

Security reports are handled directly by the team. Please include a clear description, steps to reproduce, and potential impact.

Email: support@notexs.com

Response time: within 48 hours