Security & licensing

Data licensing

Every record in Nullary carries license metadata from its source database. See the coverage page for the full license matrix.

  • Most sources are Creative Commons (CC-BY 4.0, CC-BY-SA 3.0) — commercial use allowed with attribution
  • Some sources are Public Domain (ClinicalTrials.gov, PubChem, Drugs@FDA) — no restrictions
  • A few sources are Academic-use only (THPdb, PepLife, AOBase) — commercial use requires review of each source's specific terms

When you redistribute results from Nullary (in publications, derivative products, customer-facing tools), respect the source licenses. Nullary surfaces the license per record in API responses so you can filter or attribute appropriately.
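The filtering step that paragraph describes, as an added example (not Nullary client code or a documented schema): it assumes each API record carries a `license` string and a `source` name, sorts records by the three license classes listed above, collects the attribution lines a CC-BY/CC-BY-SA redistribution needs, and holds back academic-use-only or unrecognised licenses for manual review when the use is commercial. The sample records are constructed; only the source names already named on this page are real.

```python
from typing import Dict, List, Tuple

# Constructed sample records. Field names (`id`, `source`, `license`) are an
# assumption for this example, not Nullary's documented response schema.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"id": "r1", "source": "ClinicalTrials.gov", "license": "Public Domain"},
    {"id": "r2", "source": "ExampleSA-DB", "license": "CC-BY-SA 3.0"},
    {"id": "r3", "source": "THPdb", "license": "Academic-use only"},
    {"id": "r4", "source": "ExampleBY-DB", "license": "CC-BY 4.0"},
    {"id": "r5", "source": "MysteryDB", "license": "see website"},
]


def classify(license_text: str) -> str:
    """Map a license string to a redistribution class.

    unrestricted : public domain / CC0, nothing required
    attribution  : CC-BY family, commercial use OK if attributed
    review       : academic-only or anything we do not recognise
    """
    s = license_text.strip().lower()
    if "public domain" in s or s.startswith("cc0"):
        return "unrestricted"
    if s.startswith("cc-by"):
        return "attribution"
    # Academic-use-only and unknown strings are treated the same way:
    # a human reads the source terms before the record ships.
    return "review"


def share_alike(license_text: str) -> bool:
    """CC-BY-SA additionally requires derivatives to carry the same license."""
    return license_text.strip().lower().startswith("cc-by-sa")


def partition_for_redistribution(
    records: List[Dict[str, str]], commercial: bool
) -> Tuple[List[Dict[str, str]], List[str], List[Dict[str, str]]]:
    """Split records into (shippable, attribution lines, needs human review).

    For commercial redistribution every 'review' record is held back.
    For non-commercial academic use only unrecognised licenses are held back,
    because the academic-only sources permit that use.
    """
    shippable: List[Dict[str, str]] = []
    attributions: List[str] = []
    needs_review: List[Dict[str, str]] = []
    for rec in records:
        cls = classify(rec["license"])
        academic_only = "academic" in rec["license"].lower()
        if cls == "review" and (commercial or not academic_only):
            needs_review.append(rec)
            continue
        shippable.append(rec)
        if cls == "attribution":
            line = f'{rec["source"]} ({rec["license"]})'
            if share_alike(rec["license"]):
                line += " [share-alike: derivative must keep this license]"
            attributions.append(line)
    return shippable, sorted(set(attributions)), needs_review


if __name__ == "__main__":
    ok, credits, held = partition_for_redistribution(SAMPLE_RECORDS, commercial=True)
    print("shippable:", [r["id"] for r in ok])
    print("attribution lines:", credits)
    print("held for review:", [r["id"] for r in held])
```

Run it against a real response by replacing `SAMPLE_RECORDS` with the record list from the API; the conservative default (unknown license means review, not ship) is deliberate, since a missing attribution is easier to add later than a record that should never have left your system.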

If you're unsure about a use case, email team@nullary.ai and we'll work through the licensing with you.

Customer data

What Nullary stores about API users:

  • Email address (for account, billing, notifications)
  • Stripe customer ID (for paid tiers)
  • API key (hashed)
  • Query telemetry: tool names called, response sizes, timestamps
  • Usage counts per billing cycle (for rate limiting)

What Nullary does not store:

  • Query parameter contents (the specific targets, compounds, or terms you search for)
  • Result selections (which specific records you accessed)
  • IP addresses, except transiently for rate limiting
  • Any data about you that isn't operationally required
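The "API key (hashed)" item above is worth spelling out, because it is the control that makes a database leak not equal a key leak. The following is an added illustration of the usual pattern, not Nullary's implementation: the key is minted with 256 bits of entropy, only a SHA-256 digest is kept, lookups go by a short non-secret key ID embedded in the key, and verification uses a constant-time comparison. A fast hash is acceptable here (unlike for passwords) precisely because the secret is random and long enough that offline guessing is infeasible. The key format and the in-memory store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Stand-in for the keys table: key_id -> hex SHA-256 of the full API key.
# The plaintext key is never written here. (Assumed structure for this example.)
KEY_STORE: Dict[str, str] = {}

KEY_PREFIX = "nul"  # assumed prefix; must not contain "_"


def _digest(api_key: str) -> str:
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def issue_api_key() -> Tuple[str, str]:
    """Mint a key, store only its digest, return (key_id, plaintext_key).

    The plaintext is shown to the user once and then forgotten server-side.
    key_id is short and non-secret, so it is safe to log and index on.
    """
    key_id = secrets.token_hex(4)          # 8 hex chars
    secret = secrets.token_urlsafe(32)     # 256 bits of entropy
    api_key = f"{KEY_PREFIX}_{key_id}_{secret}"
    KEY_STORE[key_id] = _digest(api_key)
    return key_id, api_key


def verify_api_key(api_key: str) -> Optional[str]:
    """Return the key_id if the presented key is valid, else None.

    Looking up by key_id keeps verification O(1); the constant-time compare
    keeps a timing side channel from leaking how many digest bytes matched.
    """
    parts = api_key.split("_", 2)          # prefix, key_id, secret (may contain "_")
    if len(parts) != 3 or parts[0] != KEY_PREFIX:
        return None
    key_id = parts[1]
    stored = KEY_STORE.get(key_id)
    if stored is None:
        # Hash anyway so unknown and known key IDs take comparable time.
        hmac.compare_digest(_digest(api_key), _digest(api_key))
        return None
    if not hmac.compare_digest(stored, _digest(api_key)):
        return None
    return key_id


def revoke_api_key(key_id: str) -> bool:
    """Revocation is just deleting the digest; nothing else needs to change."""
    return KEY_STORE.pop(key_id, None) is not None


if __name__ == "__main__":
    kid, key = issue_api_key()
    print("issued key id:", kid)
    print("verify genuine:", verify_api_key(key) == kid)
    print("verify tampered:", verify_api_key(key[:-1] + "!") is None)
    print("stored plaintext anywhere:", key in KEY_STORE.values())
```

The property a reader of this page cares about is the last line: with this design a dump of the keys table gives an attacker digests of high-entropy strings, which cannot be reversed or guessed, so the stored data is not itself a credential.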

Infrastructure

  • Hosting: Hetzner (Germany, EU) for pipeline workers; Neon (eu-central-1) for primary database; Vercel for customer-facing layer
  • TLS on every endpoint (Let's Encrypt certificates; an A+ rating on the SSL Labs test at ssllabs.com is expected and can be verified by anyone)
  • Cloudflare WAF and DDoS protection in front of public endpoints
  • Postgres with point-in-time recovery enabled
  • Automated daily backups

Compliance

  • GDPR posture: EU-hosted primary infrastructure. Customer email and billing data are the only personal data stored, apart from the transient use of IP addresses for rate limiting noted above. Data deletion requests are honored within 30 days.
  • Data residency: EU primary (Germany / Frankfurt). US replication available on request for enterprise customers.
  • SOC 2: not currently certified. Planned for Q2 2027 as customer mix justifies.
  • HIPAA: Nullary doesn't process protected health information. The data is bibliographic and scientific — not patient data.

Security contact

Vulnerability reports: security@nullary.ai

We ask for coordinated disclosure: report privately and allow time for a fix before publishing details. We respond to security reports within 48 hours and publicly acknowledge researchers who report vulnerabilities. A bug bounty program is planned for Q3 2026.

Subprocessors

Nullary uses the following subprocessors that may process customer data:

  • Stripe (billing)
  • Resend (transactional email)
  • Vercel (web hosting)
  • Cloudflare (DNS, CDN, WAF)
  • Neon (database hosting)
  • Hetzner (compute hosting)
  • Anthropic (LLM extraction, Enterprise tier onward)

Updated list maintained at this URL. Subprocessor changes are announced 30 days in advance.