NuMoon literally cannot move money without you.
Every connection ships read-only. Write scope is requested per-move, granted by your approval, and revoked the moment the action ships. Every action is logged forever and reversible inside 30 minutes.
The permission model, end to end.
What NuMoon receives, what it does with it, and how long it keeps the keys.
What NuMoon receives
What it does when you approve
Three guarantees you can verify.
No engineering trust required. Every claim below is enforced in code and auditable in your tenant’s log.
Read-only by default
Every OAuth connection requests read scope only. NuMoon literally cannot move money, change ad budgets, or send emails until you approve a specific action. Token scopes are inspected on every load.
Write scope is just-in-time
When you tap approve, the brain requests write scope from the relevant tool for that one action only. The token is held in memory, never persisted. The moment the action ships, the token is revoked. This is the only architecture that can be both useful and safe.
30-minute reversal · 14-day rollback
Every shipped action starts a 30-minute timer. Tap "undo" inside that window and the brain ships the reverse action — no engineer needed. After 30 minutes, a 14-day rollback covers anything that becomes regrettable later.
Per-tenant isolation on AWS
Your brand sits inside its own isolated tenant on AWS — separate database schema, separate KMS encryption key, separate audit log. No NuMoon engineer can query your data without a time-limited approval logged in your trail.
Full audit log · exportable
Every read, every approve, every revoke, every reverse — written to your audit log with a cryptographic chain. Export at any time as CSV, JSON, or signed PDF. Operator plans retain for 90 days, Studio retains forever.
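How a reader could check a chained JSON export offline, as an added example that is not NuMoon's code or its documented export format. The field names (`prev_hash`, `entry_hash`, `seq`, `operator_uid`, `action_sha256`), the all-zero genesis value and the hashing construction are assumptions for illustration; the sample entries are constructed.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumption: prev_hash value of the first entry

def entry_hash(body: dict, prev_hash: str) -> str:
    """SHA-256 over the previous hash plus canonical JSON of the entry body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def build_chain(bodies: list) -> list:
    """Build constructed sample entries; stands in for an exported JSON log."""
    chain, prev = [], GENESIS
    for body in bodies:
        digest = entry_hash(body, prev)
        chain.append({**body, "prev_hash": prev, "entry_hash": digest})
        prev = digest
    return chain

def verify_chain(entries: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first failing entry, or None if the chain holds.

    expected_head is the last entry_hash the reader recorded out of band; without
    it, entries dropped from the end of the export cannot be detected.
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "entry_hash")}
        if entry.get("prev_hash") != prev:
            return i  # an entry was removed, inserted or reordered before here
        if entry.get("entry_hash") != entry_hash(body, prev):
            return i  # this entry's body was edited after it was written
        prev = entry["entry_hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)  # chain is consistent but ends short of the known head
    return None

# Constructed sample using the four event types the page names.
SAMPLE = build_chain([
    {"seq": 1, "event": "read", "source": "meta"},
    {"seq": 2, "event": "approve", "operator_uid": "op-001", "ip": "192.0.2.10",
     "action_sha256": hashlib.sha256(b"pause campaign 4").hexdigest()},
    {"seq": 3, "event": "revoke", "scope": "write"},
    {"seq": 4, "event": "reverse", "operator_uid": "op-001", "ip": "192.0.2.10"},
])

if __name__ == "__main__":
    print("intact export:", verify_chain(SAMPLE, SAMPLE[-1]["entry_hash"]))
```

A chain of this kind proves internal consistency only; catching an export that was truncated at the tail requires comparing against a head hash the reader stored earlier.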
AES-256 at rest, TLS 1.3 in flight
Every byte of customer data is encrypted at rest with a per-tenant KMS key. All connections to NuMoon use TLS 1.3 with HSTS enforced. We rotate tenant keys every 90 days; rotation is logged and verifiable.
What “reversible in 30 minutes” actually means.
A timeline of one shipped move, from approve to safe.
Operator approves "Pause Meta camp #4"
NuMoon requests write scope from Meta. Token returned in ~120ms. SHA-256 of the action is recorded with operator UID and IP in the audit log.
Meta Marketing API · campaign paused
Single API call, idempotent. Response logged. Write token immediately revoked. The brain enters "watch" mode for the next 30 minutes.
Brain confirms downstream effects
Pulls fresh data from Stripe, Klaviyo, GA4. If anything drifts outside the brand's risk envelope, an undo is queued automatically — operator notified.
Operator can undo with one tap
The "undo" button is live for exactly 30 minutes. Tap it and the brain ships the reverse action — for our paused campaign, an unpause — with a fresh write-scope request and a fresh revoke.
Action promoted to "shipped · stable"
The 14-day rollback window opens. Action persists in audit log forever. Operator gets a one-line confirmation in the daily briefing.
Move fully retired
Action remains in the audit log forever. The reasoning trail (why the brain proposed it, what it predicted, what actually happened) is exportable as a signed PDF — useful for board reviews and CPA hand-offs.
Infrastructure & data residency.
Where your data lives, who can see it, and how long it sticks around.
US-east primary · EU optional
Operator brands land in us-east-1 by default. Studio plans can elect eu-west-1 for GDPR data residency at no extra cost.
Bring-your-own-key (BYOK)
Enterprise plans can supply their own AWS KMS key. NuMoon’s tenant rotates against your key. Revoke the key in your AWS account at any time — NuMoon loses access immediately.
90-day retention by default
Raw cached connector data is purged on a 90-day rolling window. Aggregate metrics (the numbers powering the brain’s models) are anonymized and retained per tenant. Delete-tenant ships within 24 hours of request.
No training on customer data
The brain is fine-tuned on synthetic data + a small public-domain corpus. We never train any model — base or fine-tuned — on customer data. Period. This is enforced at the network layer.
Find a security flaw and we’ll pay you for it. Critical: $5k. High: $2k. Medium: $500. We commit to triage inside 24 hours, every time.
Connect with confidence.
Start with read-only. See the findings. Decide whether to grant write scope, move by move. NuMoon can’t touch your accounts until you say so.