SECURITY & PRIVACY
NestAI is built around one core principle: your data never leaves your infrastructure. Here's exactly how that works.
Architecture
When you deploy a NestAI server, we create a dedicated Hetzner cloud server exclusively for your team. Nothing is shared with other customers. Your AI model runs entirely on that server. Your conversations are stored on that server's local database.
| Component | Where it runs | Who can access |
|---|---|---|
| AI model (Ollama) | Your Hetzner server | Only your team |
| Chat interface (Open WebUI) | Your Hetzner server | Only your team |
| Conversation history | Your server's local SQLite DB | Only your team |
| Uploaded documents | Your server's local disk | Only your team |
| Billing & account data | NestAI / Supabase (EU) | NestAI support only |
Data residency
Choose your server region during setup. Your AI data (conversations, documents) never leaves that region:
| Region | Location | Compliance |
|---|---|---|
| EU (default) | Nuremberg, Germany | GDPR |
| Asia Pacific | Singapore | PDPA |
| North America | Ashburn, USA | SOC2 (planned) |
Encryption in transit
All traffic to your AI URL (yourname.nestai.chirai.dev) is encrypted via HTTPS. TLS certificates are issued by Let's Encrypt and auto-renewed every 90 days. Traffic between your server and Open WebUI is internal (localhost) and not exposed publicly.
No OpenAI / third-party API
NestAI uses Ollama to run open-source models locally. There is no connection to OpenAI, Anthropic, Google, or any other AI API. Your prompts and responses are never transmitted to a third party.
Server access controls
Your server runs Open WebUI, which has its own user authentication. Recommended hardening steps:
- After your team signs up, disable public registration in Open WebUI → Admin → Settings → General → Default User Role → set to "Pending"
- Use a strong Open WebUI admin password, different from your NestAI password
- Enable two-factor authentication in Open WebUI if available in your version
- Periodically review active users in Open WebUI Admin → Users
Audit logs
Every significant action in NestAI is logged: model installs/removals, document uploads, team changes, server events. Access audit logs from Dashboard → Audit Log. Logs can be exported as CSV for compliance purposes.
GDPR / DPDP compliance
Because your AI and all conversation data run on your own server, you are the data controller. NestAI only processes the billing and account data required to run the service. For formal compliance:
- Data export: go to Settings → Export My Data to download a JSON copy of your account data
- Data deletion: use Settings → Delete Account to permanently remove all data from NestAI's systems
- Your AI conversations: these live on your Hetzner server; delete them by removing the server or clearing Open WebUI history