Security
Last Updated: March 30, 2026
NovoQuantNexus is built for researchers who need to trust that their molecular data stays private and their computational results stay secure. This page describes the technical measures we maintain to protect your data across the NovoMCP cloud platform, the NovoWorkbench desktop application, and all connected services.
Both Novo (ai.novomcp.com) and Novo Compute (compute.novomcp.com) operate within the same Azure security boundary with identical encryption, authentication, and audit controls.
1. Zero Research Data Retention
NovoMCP processes molecular queries in real time and does not retain your research data.
What we do NOT store: SMILES strings, molecular structures, search queries, tool parameters, tool results, docking poses, conformer ensembles, QM calculation outputs, AI conversations, or any intermediate computational data.
What we store: Account information, API key metadata (hashed), usage records (tool name, timestamp, credit cost), and pipeline audit records.
Query content is processed in memory and discarded after the response is returned to you. This applies to all 62 MCP tools across all compute services, including property prediction (pKa, solubility, BDE), quantum chemistry (xTB, CREST), neural network potentials (ANI-2x, MACE), molecular docking, molecular dynamics, and ADMET screening. We never log, store, or train on your molecular data.
2. NovoWorkbench Desktop Security
Local-First Architecture
NovoWorkbench runs core computational features entirely on your machine using bundled RDKit and a Python sidecar process. Workspace files, molecular data, session history, and computation results are stored locally and are never uploaded to NovoQuantNexus servers.
The application is signed and notarized for macOS (Apple Team ID: 8N9K9B7Y69).
Cloud-Connected Features
When you explicitly invoke cloud features, only the minimum data required for the request is transmitted — typically a SMILES string or search query. All communication uses TLS 1.2+ encryption. API keys are stored in the macOS Keychain, not in plaintext files or application storage.
AI Chat Providers
AI provider API keys are stored locally on your device and sent only to the provider you configure (Anthropic, OpenAI, Azure, or others). NovoQuantNexus does not intercept, proxy, or have access to your AI conversations. When using Ollama or other local models, no data leaves your machine.
3. Cloud Infrastructure Security
| Layer | Protection |
|---|---|
| Encryption in transit | TLS 1.2+ on all endpoints |
| Encryption at rest | AES-256 for all databases and storage |
| API key storage | SHA-256 hashed — plaintext keys are shown once at creation and never stored |
| Secrets management | Azure Key Vault for all service credentials and connector tokens |
| Authentication | Microsoft Entra ID (formerly Azure AD) for administrative access |
| Network architecture | Internal service isolation; compute services (novomcp-properties, novomcp-qm, novomcp-nnp, autodock-gpu, gromacs-md) are not publicly exposed |
| Hosting region | Microsoft Azure, East US |
| Payment processing | Stripe (PCI DSS Level 1 compliant) |
Compute Service Isolation
All computational chemistry services run as isolated Azure Container Apps with internal-only ingress. They are contacted exclusively by the MCP gateway service (quanta-mcp) over internal network routes. No compute service accepts external traffic directly.
Each computation runs in an isolated scratch directory that is cleaned up after completion, preventing data leakage between concurrent requests from different users.
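The per-request scratch directory pattern in code, as an added example (this is not NovoMCP's own code). It uses Python's `tempfile.mkdtemp`, which creates the directory with mode 0700 and an unpredictable name, removes the tree in a `finally` so a crashed job cannot leave its inputs behind for the next request, and returns a small report so the isolation can be checked rather than assumed. The two jobs are constructed stand-ins for a compute step.

```python
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Callable, Optional


def run_isolated(job: Callable[[Path], str], parent: Optional[str] = None) -> dict:
    """Run `job` in a fresh private scratch directory, then remove it.

    Returns a report rather than just the result so callers can confirm the
    isolation properties: the directory mode the job ran with, whether the
    job raised, and whether anything was left on disk afterwards.
    """
    # mkdtemp picks an unpredictable name and creates the directory 0700, so
    # even another OS user on the same host cannot list or read it.
    scratch = Path(tempfile.mkdtemp(prefix="nmcp-job-", dir=parent))
    report = {"path": scratch, "mode": stat.S_IMODE(scratch.stat().st_mode)}
    try:
        report["result"] = job(scratch)
        report["error"] = None
    except Exception as exc:
        # A failed solver must not be allowed to skip cleanup.
        report["result"] = None
        report["error"] = type(exc).__name__
    finally:
        # shutil.rmtree removes symlinks instead of following them, so a job
        # that plants a link inside its scratch dir cannot point cleanup at
        # files elsewhere on the host.
        shutil.rmtree(scratch)
    report["left_behind"] = scratch.exists()
    return report


def docking_like_job(scratch: Path) -> str:
    """Constructed stand-in for a compute step that works through files."""
    (scratch / "ligand.sdf").write_text("constructed sample input\n")
    (scratch / "out.log").write_text("score=-7.3\n")
    # Only the in-memory result leaves the scratch directory.
    return (scratch / "out.log").read_text().strip()


def failing_job(scratch: Path) -> str:
    """Constructed stand-in for a job that dies half-way through."""
    (scratch / "partial.dat").write_text("half-written\n")
    raise RuntimeError("simulated solver crash")


if __name__ == "__main__":
    ok = run_isolated(docking_like_job)
    bad = run_isolated(failing_job)
    print(ok["result"], oct(ok["mode"]), "left behind:", ok["left_behind"])
    print(bad["error"], "left behind:", bad["left_behind"])
```

The mode check matters when jobs run under different OS users; when a single service user runs every job, it is the unconditional cleanup that stops one request's files from being readable by the next.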
4. Authentication and Access Control
API Key Authentication
Every API request is authenticated with an API key (prefixed nmcp_). Keys are generated with cryptographically secure random bytes and stored as SHA-256 hashes only. Plaintext keys cannot be retrieved after creation.
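Issuance and verification for keys of this shape, as an added example rather than NovoMCP's own code; it covers both the key-storage row in the table above and this paragraph. The `nmcp_` prefix, the random generation and the SHA-256-only storage follow the page; the short `key_id` segment used to look the record up, and the in-memory store standing in for the account database, are assumptions. One caveat worth making explicit: a plain, unsalted SHA-256 is adequate here only because each key carries 256 bits of randomness, so there is nothing for a dictionary attack to guess. A slow salted password hash is for low-entropy user-chosen secrets, not for tokens like this.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

KEY_PREFIX = "nmcp_"
KEY_ID_HEX = 8          # assumption: short public id embedded in the key
SECRET_BYTES = 32       # 256 bits of entropy in the secret part


def digest_key(plaintext: str) -> str:
    """SHA-256 of the full key; the only form that is ever stored."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def parse_key_id(presented: str) -> Optional[str]:
    """Pull the key_id out of 'nmcp_<key_id>_<secret>', or None if malformed."""
    if not presented.startswith(KEY_PREFIX):
        return None
    key_id, sep, secret = presented[len(KEY_PREFIX):].partition("_")
    if sep != "_" or len(key_id) != KEY_ID_HEX or not secret:
        return None
    return key_id


# Digest compared against when no record matches, so an unknown key_id costs
# the same time as a wrong secret and timing does not reveal which it was.
DUMMY_DIGEST = digest_key("nmcp_00000000_invalid")


@dataclass
class KeyRecord:
    key_id: str           # safe to show in dashboards and audit logs
    digest: str           # hex SHA-256 of the full plaintext key
    owner: str
    revoked: bool = False


@dataclass
class KeyStore:
    """In-memory stand-in for the account database (assumption)."""
    by_id: Dict[str, KeyRecord] = field(default_factory=dict)

    def issue(self, owner: str) -> str:
        """Mint a key, persist only its digest, return the plaintext once."""
        key_id = secrets.token_hex(KEY_ID_HEX // 2)
        secret = secrets.token_urlsafe(SECRET_BYTES)
        plaintext = f"{KEY_PREFIX}{key_id}_{secret}"
        self.by_id[key_id] = KeyRecord(key_id, digest_key(plaintext), owner)
        return plaintext  # caller shows this once; it is never stored

    def verify(self, presented: str) -> Optional[str]:
        """Return the owner for a valid, unrevoked key; otherwise None."""
        candidate = digest_key(presented)
        key_id = parse_key_id(presented)
        rec = self.by_id.get(key_id) if key_id else None
        stored = rec.digest if rec else DUMMY_DIGEST
        matched = hmac.compare_digest(stored, candidate)  # constant-time
        if not matched or rec is None or rec.revoked:
            return None
        return rec.owner

    def revoke(self, key_id: str) -> None:
        if key_id in self.by_id:
            self.by_id[key_id].revoked = True


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue("org-42")
    print("show once:", key)
    print("valid    ->", store.verify(key))
    store.revoke(parse_key_id(key))
    print("revoked  ->", store.verify(key))
```

Because the digest is deterministic, the gateway can look a key up by its hash directly; the separate `key_id` is there so that dashboards, revocation requests and audit lines have something to name without ever handling the secret part.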
Rate Limiting
| Tier | Daily Request Limit |
|---|---|
| Free Trial | 100 |
| Core | 1,000 |
| Scale | 10,000 |
| Enterprise | Custom |
Rate limiting is enforced at the gateway level via Azure Cache for Redis.
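A daily fixed-window limiter of the kind described, as an added example rather than NovoMCP's gateway code. The counter lives in Redis under a key derived from the API key digest and the UTC date and expires at midnight UTC. The detail worth seeing is the `SET NX EX` issued before `INCR`: it guarantees the counter always carries a TTL even if the gateway dies between the two commands, so no customer can be locked out by a counter that never resets. `FakeRedis` is a constructed stand-in with just those commands and a movable clock so the block runs offline; against Azure Cache for Redis you would issue the same commands through a Redis client. The limits are the page's tiers; Enterprise is omitted because it is negotiated per customer.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

DAILY_LIMIT = {"free_trial": 100, "core": 1_000, "scale": 10_000}
DEMO_START = datetime(2026, 3, 30, 23, 59, 30, tzinfo=timezone.utc)  # constructed clock


class FakeRedis:
    """Constructed stand-in: string counters with TTLs and a movable clock."""

    def __init__(self, now: datetime):
        self.now = now
        self._data: Dict[str, Tuple[int, Optional[datetime]]] = {}

    def advance(self, seconds: int) -> None:
        self.now += timedelta(seconds=seconds)

    def _live(self, key: str) -> bool:
        item = self._data.get(key)
        if item is None:
            return False
        if item[1] is not None and item[1] <= self.now:
            del self._data[key]          # lazy expiry, like Redis
            return False
        return True

    def set_nx_ex(self, key: str, value: int, ttl_seconds: int) -> bool:
        """SET key value NX EX ttl: create only if absent, with an expiry."""
        if self._live(key):
            return False
        self._data[key] = (value, self.now + timedelta(seconds=ttl_seconds))
        return True

    def incr(self, key: str) -> int:
        """INCR: like Redis, creates a key with NO expiry if it is absent."""
        if not self._live(key):
            self._data[key] = (0, None)
        value, expires = self._data[key]
        self._data[key] = (value + 1, expires)
        return value + 1

    def ttl(self, key: str) -> Optional[int]:
        """Seconds left, or None if the key is absent or has no expiry."""
        if not self._live(key):
            return None
        expires = self._data[key][1]
        return None if expires is None else int((expires - self.now).total_seconds())


def seconds_until_utc_midnight(now: datetime) -> int:
    midnight = (now + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    return max(1, int((midnight - now).total_seconds()))


def counter_key(api_key_digest: str, now: datetime) -> str:
    # Keyed on the stored digest, never the plaintext key, and on the UTC date
    # so every caller's window rolls over at the same instant.
    return f"ratelimit:{api_key_digest}:{now.strftime('%Y%m%d')}"


def check_and_count(r: FakeRedis, api_key_digest: str, tier: str) -> Tuple[bool, int]:
    """Count one request and return (allowed, requests_used_today)."""
    limit = DAILY_LIMIT[tier]
    key = counter_key(api_key_digest, r.now)
    # Create the counter with its TTL first. A bare INCR on a missing key
    # creates it with no TTL, and a crash before a following EXPIRE would
    # leave a counter that never resets. SET NX EX is atomic and a no-op
    # when the counter already exists, so the TTL is always present.
    r.set_nx_ex(key, 0, seconds_until_utc_midnight(r.now))
    used = r.incr(key)
    return used <= limit, used


if __name__ == "__main__":
    r = FakeRedis(DEMO_START)
    digest = "a" * 64  # stands in for sha256(api_key).hexdigest()
    verdicts = [check_and_count(r, digest, "free_trial")[0] for _ in range(101)]
    print("allowed:", verdicts.count(True), "rejected:", verdicts.count(False))
    r.advance(60)  # past midnight UTC: new window, new key
    print("after rollover:", check_and_count(r, digest, "free_trial"))
```

Two round trips per request is acceptable for a daily quota; if the gateway needs a single round trip, the same two commands can be wrapped in one Lua script, which also closes the small window in which two concurrent first requests both see the key as absent.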
Administrative Access
Admin operations require Microsoft Entra ID authentication with multi-factor authentication (MFA) enforced. All administrative actions are audit-logged. Access follows the principle of least privilege — no single administrator has unrestricted access to all systems.
5. Audit Logging
All tool invocations are recorded with: organization ID, user ID, tool name, credit cost, timestamp, and execution status. Audit logs do not contain query content, molecular data, or computation results.
Enterprise tier users with data connector pipelines maintain additional audit records for regulatory compliance, including 21 CFR Part 11 traceability. Pipeline audit records capture operation type, source/destination system, row counts, and timestamps — but not the molecular data itself.
Audit logs are available for export in CSV format for GxP documentation requirements.
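Building and exporting tool-invocation audit records so that query content cannot end up in them, as an added example rather than NovoMCP's code. The record type holds only the fields listed above and is built without ever reading the call's parameters or result, so the exclusion is a property of the code rather than a convention. The CSV writer also neutralises values a spreadsheet would evaluate as formulas (a leading `=`, `+`, `-` or `@`), the usual precaution for exports that auditors open in Excel. The tool-call dictionary and timestamp are constructed stand-ins.

```python
import csv
import io
from dataclasses import dataclass, fields, astuple
from datetime import datetime, timezone
from typing import Any, Dict, Iterable

DEMO_TIME = datetime(2026, 3, 30, 12, 0, tzinfo=timezone.utc)  # constructed


@dataclass(frozen=True)
class ToolAudit:
    """Exactly the fields the audit log may hold; nothing else is accepted."""
    organization_id: str
    user_id: str
    tool_name: str
    credit_cost: int
    timestamp: str
    execution_status: str


def audit_from_call(call: Dict[str, Any], status: str, credit_cost: int,
                    when: datetime) -> ToolAudit:
    """Build the record from a tool call's metadata only.

    call["params"] (SMILES, search text, ...) and any result are never read,
    so a field added to the call later cannot leak into the log by accident.
    """
    return ToolAudit(
        organization_id=str(call["org_id"]),
        user_id=str(call["user_id"]),
        tool_name=str(call["tool"]),
        credit_cost=int(credit_cost),
        timestamp=when.astimezone(timezone.utc).isoformat(timespec="seconds"),
        execution_status=status,
    )


_FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")


def _neutralize(value: Any) -> str:
    """Stop spreadsheet clients from evaluating a cell as a formula."""
    text = str(value)
    return "'" + text if text.startswith(_FORMULA_LEADERS) else text


def export_csv(records: Iterable[ToolAudit]) -> str:
    """Serialize records to CSV with a fixed header; rejects foreign objects."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(f.name for f in fields(ToolAudit))
    for rec in records:
        if not isinstance(rec, ToolAudit):
            raise TypeError("only ToolAudit records may be exported")
        writer.writerow(_neutralize(v) for v in astuple(rec))
    return buf.getvalue()


if __name__ == "__main__":
    call = {  # constructed sample call, including data that must never be logged
        "org_id": "org_7f3a", "user_id": "usr_19", "tool": "predict_pka",
        "params": {"smiles": "CC(=O)Oc1ccccc1C(=O)O"},
    }
    out = export_csv([audit_from_call(call, "ok", 2, DEMO_TIME)])
    print(out)
    print("SMILES present in export:", call["params"]["smiles"] in out)
```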
6. Data Connector Security
Scale and Enterprise tier users may connect the Service to external data systems (Snowflake, Databricks, BigQuery, Supabase).
| Measure | Implementation |
|---|---|
| Authentication | OAuth 2.0 with PKCE |
| Credential storage | Azure Key Vault |
| Token management | Automatic rotation |
| Data handling | Results streamed, not cached or persisted |
| Row limits | Enforced per tier (max 10,000 rows per operation) |
| Audit | All connector operations logged |
NovoQuantNexus acts as a pass-through processor for connected data. We do not cache, index, or retain data pulled from your systems beyond the duration of the active computation.
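The PKCE exchange (RFC 7636) that the connector table lists, as an added example that is neither NovoMCP's nor any data platform's code. It shows both halves: the connector side that mints a `code_verifier` and sends only the S256 `code_challenge`, and a constructed stand-in for the platform's authorization server that binds the code to that challenge, makes it single-use, and checks the verifier at redemption. Endpoints and transport are out of scope; only the PKCE logic is shown. The test vector in the demo is the one published in the RFC.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(n_bytes: int = 32) -> str:
    """Client side: a fresh code_verifier for one authorization request.

    RFC 7636 section 4.1 wants 43..128 characters from [A-Za-z0-9-._~]; 32
    random bytes base64url-encode to exactly 43 characters with 256 bits of
    entropy, and 96 bytes to the 128-character maximum.
    """
    if not 32 <= n_bytes <= 96:
        raise ValueError("n_bytes must be 32..96 to yield 43..128 characters")
    return b64url_nopad(secrets.token_bytes(n_bytes))


def challenge_from_verifier(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Constructed stand-in for the data platform's authorization server.

    Holds only what PKCE needs: which challenge each outstanding code is bound
    to. Codes are single-use, so a code captured from a redirect cannot be
    replayed, and the party that captured it does not hold the verifier.
    """

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str]] = {}

    def authorize(self, code_challenge: str, method: str) -> str:
        """/authorize: bind a new code to the client's challenge."""
        if method != "S256":
            # 'plain' is permitted by the RFC only for clients that cannot
            # hash; a new integration should not accept it.
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (code_challenge, method)
        return code

    def redeem(self, code: str, code_verifier: str) -> bool:
        """/token: release tokens only if the verifier matches the challenge."""
        entry = self._codes.pop(code, None)   # one attempt per code
        if entry is None:
            return False
        challenge, _method = entry
        return hmac.compare_digest(challenge_from_verifier(code_verifier), challenge)


def connector_oauth_flow() -> bool:
    """The whole exchange from the connector's point of view, end to end."""
    server = AuthServer()
    # 1. Connector mints verifier and challenge; only the challenge is sent.
    verifier = make_verifier()
    code = server.authorize(challenge_from_verifier(verifier), "S256")
    # 2. Connector receives the code on its redirect URI and redeems it
    #    together with the verifier it kept in memory.
    return server.redeem(code, verifier)


if __name__ == "__main__":
    print("flow succeeded:", connector_oauth_flow())
    rfc_verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    print("RFC 7636 test vector matches:",
          challenge_from_verifier(rfc_verifier) == "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM")
```

The verifier never leaves the connector process until the token request, which is what makes an intercepted authorization code useless on its own; the single-use ledger is what stops the legitimate code from being redeemed twice.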
7. Data Retention
| Data Type | Retention |
|---|---|
| Account information | Until account deletion |
| API key metadata | Until revocation + 30 days |
| Usage and billing records | 90 days |
| Pipeline audit records | Until account deletion |
| Error logs | 30 days |
| Payment records | As required by applicable tax and financial regulations |
| Query content and results | Not retained — processed in memory only |
Upon account deletion, API keys are revoked immediately, account information is deleted within 30 days, and usage records are deleted within 90 days.
8. GDPR and International Data
NovoMCP is hosted in Microsoft Azure, East US region. For users in the EU/EEA, Switzerland, and the United Kingdom, we process data under legitimate interest and provide the following rights under GDPR: access, rectification, erasure, portability, restriction of processing, and objection.
To exercise any of these rights, contact privacy@novoquantnexus.com.
Enterprise customers may request a Data Processing Agreement (DPA) that includes European Commission-approved standard contractual clauses for international data transfers.
9. Third-Party Services
The following third-party services are used in the operation of NovoMCP:
| Service | Purpose | Receives Molecular Data? |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, compute, database | No — molecular data processed in memory only |
| Azure SQL Database | Account metadata, usage records | No |
| Azure Cache for Redis | Rate limiting, session management | No |
| Azure Key Vault | Secrets and credential management | No |
| Azure Blob Storage | Model checkpoints, training data (NovoQuantNexus-owned) | No user data stored |
| Stripe | Payment processing | No |
| Resend | Transactional email | No |
No third-party service receives molecular data, research content, or computation results. We do not use third-party analytics, advertising, or behavioral tracking services.
10. Incident Response
In the event of a security incident:
- Notification. We will notify affected users within 72 hours of becoming aware of the incident.
- Regulatory reporting. We will report to relevant authorities as required by applicable law.
- Containment. Immediate steps to contain and remediate the incident, including isolation of affected systems.
- Credential reissuance. If credential exposure is suspected, affected API keys will be revoked and users will be prompted to generate new keys.
- Post-incident report. A summary of the incident, its scope, root cause, and remediation steps will be published to affected users.
11. Compliance Status
| Control or Certification | Status |
|---|---|
| TLS 1.2+ encryption in transit | Active |
| AES-256 encryption at rest | Active |
| Audit logging (tool invocations, admin actions) | Active |
| GDPR compliance | Active |
| macOS code signing and notarization | Active (Team ID: 8N9K9B7Y69) |
| SOC 2 Type I | Planned |
| SOC 2 Type II | Planned |
| Penetration testing | Planned |
| HIPAA BAA | Available on request (Enterprise) |
We do not claim SOC 2 Type II certification. When referencing our security posture, we describe our current controls (signed and notarized application, local-first architecture, zero research data retention, encryption in transit and at rest) rather than certifications not yet completed.
12. Responsible Disclosure
If you discover a security vulnerability in NovoMCP or NovoWorkbench, please report it to security@novoquantnexus.com. We ask that you provide us with reasonable time to investigate and address the issue before public disclosure. We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.
13. Contact
Security: security@novoquantnexus.com
Privacy: privacy@novoquantnexus.com
General: ari@novoquantnexus.com
Website: novoquantnexus.com