Security
Last Updated: March 12, 2026
1. How Your Data Is Handled
NovoMCP processes molecular queries in real time and does not retain your research data.
What we do NOT store: SMILES strings, search queries, tool parameters/results, AI conversations.
What we store: Account information, API key metadata (hashed), usage records (tool name, timestamp, credit cost), pipeline audit records.
Zero research data retention. Query content is processed in memory and discarded after the response. We never log, store, or train on your molecular data.
2. NovoWorkbench Desktop Security
Local-first architecture. Core features run entirely on your machine using bundled RDKit. Workspace files are never uploaded.
Cloud-connected features. Only the SMILES string or search query is transmitted. All communication uses TLS 1.2+. API keys are stored in the macOS Keychain.
AI chat providers. Keys are stored locally and sent only to the respective provider. With Ollama, no data leaves your machine.
3. Cloud Infrastructure Security
| Layer | Protection |
|---|---|
| Encryption in transit | TLS 1.2+ on all endpoints |
| Encryption at rest | AES-256 for all databases and storage |
| API key storage | SHA-256 hashed — plaintext keys never stored |
| Secrets management | Azure Key Vault |
| Authentication | Azure AD + Entra ID for admin |
| Network | Service isolation; internal APIs not publicly exposed |
| Hosting region | Microsoft Azure, East US |
| Payment processing | Stripe (PCI DSS Level 1) |
4. Authentication & Access Control
Every request is authenticated with an API key. Keys are generated from cryptographically secure random bytes and stored as SHA-256 hashes only.
Rate limiting: Free Trial: 100/day, Core: 1,000/day, Team: 10,000/day, Enterprise: Custom.
Admin operations require Azure AD with MFA. All admin actions are audit-logged.
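The key handling and daily limits described in this section can be sketched as follows. This is an added example, not NovoMCP's own code: the `KeyStore` class, the `nk_` prefix, the tier identifiers and the in-memory dictionaries (standing in for the metadata database and the rate-limit store) are assumptions made for illustration.

```python
import hashlib
import secrets
from datetime import date

# Daily request limits per tier as listed above; Enterprise is custom,
# so a tier missing from this table is treated as "no fixed limit".
DAILY_LIMITS = {"free_trial": 100, "core": 1_000, "team": 10_000}


def _digest(key):
    # A fast hash is adequate here only because the key itself carries
    # 256 bits of CSPRNG entropy; this would not be safe for passwords.
    return hashlib.sha256(key.encode()).hexdigest()


class KeyStore:
    """In-memory stand-in for the key metadata and rate-limit stores (assumption)."""

    def __init__(self):
        self.records = {}  # SHA-256 hex digest -> metadata; plaintext is never kept
        self.usage = {}    # (digest, day) -> requests counted that day

    def issue(self, org_id, tier):
        # 32 bytes from the OS CSPRNG; "nk_" is a made-up prefix.
        key = "nk_" + secrets.token_urlsafe(32)
        self.records[_digest(key)] = {"org_id": org_id, "tier": tier, "revoked": False}
        return key  # returned to the caller once and not persisted

    def revoke(self, key):
        record = self.records.get(_digest(key))
        if record is not None:
            record["revoked"] = True

    def authenticate(self, presented, today=None):
        """Return (allowed, reason) for a single request."""
        digest = _digest(presented)
        record = self.records.get(digest)  # lookup by digest, not by plaintext
        if record is None:
            return False, "unknown_key"
        if record["revoked"]:
            return False, "revoked"
        day = today or date.today()
        limit = DAILY_LIMITS.get(record["tier"])
        used = self.usage.get((digest, day), 0)
        if limit is not None and used >= limit:
            return False, "rate_limited"
        self.usage[(digest, day)] = used + 1
        return True, "ok"
```

Because only the digest is stored, a lost key cannot be recovered from the store; it has to be revoked and reissued.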
5. Audit Logging
All tool invocations are recorded with org/user ID, tool name, credit cost, timestamp, and status. Data connector operations maintain additional records for 21 CFR Part 11 compliance. Audit logs do not contain query content or results.
6. Data Connector Security
OAuth 2.0 with PKCE for authentication. Credentials in Azure Key Vault. Automatic token rotation. Row limits per tier. No data caching — results streamed, not persisted.
7. Data Retention
| Data Type | Retention |
|---|---|
| Account information | Until account deletion |
| API key metadata | Until revocation + 30 days |
| Usage/billing records | 90 days |
| Pipeline audit records | Until account deletion |
| Error logs | 30 days |
| Query content & results | Not retained |
8. GDPR & International Data
Hosted in Azure East US. EU/EEA users have rights under GDPR: access, rectification, erasure, portability, restriction, objection. Contact privacy@novoquantnexus.com. Enterprise DPA available on request.
9. Third-Party Services
Microsoft Azure (infrastructure), Azure SQL (metadata), Azure Redis (rate limiting), Stripe (payments), Resend (email). None receive molecular data or research content. No third-party analytics or tracking.
10. Incident Response
We will notify affected users within 72 hours, report to authorities as required, publish a post-incident report, and reissue API keys if credential exposure is suspected.
11. Compliance Roadmap
| Certification | Status |
|---|---|
| TLS 1.2+, AES-256 encryption | Active |
| Audit logging | Active |
| GDPR compliance | Active |
| SOC 2 Type I | Planned |
| SOC 2 Type II | Planned |
| Penetration testing | Planned |
| HIPAA BAA | Available on request (Enterprise) |
12. Contact
Security: security@novoquantnexus.com
Privacy: privacy@novoquantnexus.com
General: ari@novoquantnexus.com