Security at Notexs
The safest design choice is not collecting data in the first place. Notexs is local-first: your notes live on your machine, not ours. This page describes how we protect the data that does pass through our systems.
Last updated: March 23, 2026
Local-first architecture
The most secure data is data we never have. Notexs stores your notes as plain .md files on your own machine. Cloud sync is an explicit opt-in feature — not the default.
- No upload by default
- Local documents never leave your device. Only documents you explicitly sync are transmitted.
- Your files, your format
- Notes are standard Markdown. You can read, edit, and move them with any tool, independent of Notexs.
- Full offline operation
- The entire editing experience — all local documents — works with zero network access.
Encryption
When cloud sync is enabled, your data is protected at every stage:
In transit
TLS 1.3 for all connections. Older protocol versions are not accepted.
At rest
AES-256 for all data stored on our infrastructure, managed by Supabase on AWS.
Auth tokens
Short-lived JWTs signed with RS256. Refresh tokens rotate on every use and are invalidated on sign-out.
Passwords
Never stored in plain text. Hashed with bcrypt plus a per-user salt, managed entirely by Supabase Auth.
Authentication & account security
- Email + password
- Standard authentication with strong password requirements enforced at sign-up.
- Session management
- Sessions are invalidated immediately on sign-out. All active sessions can be reviewed and revoked from account settings.
- Rate limiting
- Login attempts and password-reset requests are rate-limited to prevent brute-force and credential-stuffing attacks.
- Secure token storage
- Auth state in the desktop app is stored in the OS keychain, not in plain localStorage.
Infrastructure & data storage
Cloud infrastructure is provided by independently audited providers:
Data isolation
We use PostgreSQL Row-Level Security (RLS) to enforce data isolation at the database layer. This means:
- —Even if an application bug bypassed authorisation checks, the database would still reject cross-user data access
- —Each user's synced documents, settings, and profile are scoped by user ID at the storage level
- —Administrative queries require separate privileged credentials, not available to the application at runtime
Payment security
Payment security is delegated entirely to Stripe — card data never reaches or is stored by Notexs:
- —Card details are entered in a Stripe-hosted UI (Stripe Elements) — your browser sends them directly to Stripe, not our servers
- —We store only a Stripe Customer ID and your subscription or purchase status
- —Stripe Webhooks use signed payloads — we verify every event signature before processing
- —Lifetime purchases use Stripe's one-time payment mode; no recurring billing data is retained after the transaction
Incident response
In the event of a confirmed security incident affecting user data:
- Containment
- Affected systems are isolated immediately on confirmation.
- User notification
- Affected users are notified by email within 72 hours of discovery, as required by GDPR Articles 33–34.
- Regulatory notification
- Relevant supervisory authorities are notified within 72 hours where required by applicable law.
- Post-mortem
- A public post-mortem is published for incidents affecting user data, detailing what happened, what was affected, and what steps prevent recurrence.
Responsible disclosure
If you discover a security vulnerability, please disclose it responsibly. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to investigate (typically 90 days). We acknowledge every report and keep you informed of progress.
We do not currently operate a formal bug-bounty programme, but we recognise researchers publicly for valid reports and evaluate case-by-case rewards for significant findings.
Report a vulnerability
Security reports are handled directly by the team. Please include a clear description, steps to reproduce, and potential impact.
Email: support@notexs.com
Response time: within 48 hours
