Is Nexmatic software or a service?

It's a platform we run for you on your own server. You get the software (dashboard, AI skills, memory, audit trail) and we handle the ops (hosting, updates, monitoring, support). You're never managing infrastructure — but the server is yours.

Where is my data stored?

By default, on a dedicated server in Canada (OVH Beauharnois, Quebec) — subject to Canadian law and PIPEDA-aligned. Every client has their own isolated VPS. No shared storage. No cross-client access.

What does 'signed audit trail' actually mean?

Every privileged action (approvals, sends, deletions, payments) is written to a hash-chained, cryptographically signed log. Tampering breaks the chain. Verification runs twice daily and weekly. For regulated work, this is your compliance proof.

What is an AI action and how does it differ from a shell skill?

An AI action is anything where the model reasons — sorting an email, drafting a reply, categorizing a document, scoring a lead. Shell skills are pure automation (syncs, polls, health checks) and run unlimited on every plan.

Do you offer hot-standby / failover?

Yes, as a premium add-on. A warm-replica server stays in sync; failover happens in minutes. Priced per workspace based on VPS size.

Month-to-month plans have no long-term commitment. Annual plans commit to 12 months in exchange for 2 months at half price — still invoiced monthly, no lump sum.

Not All AI Automation Is Built the Same: Why Security and Reliability Should Be Your First Question

Key Takeaways

Not every AI automation tool treats your data with the same care — free tools, hobby projects, and unvetted open-source frameworks often have serious security gaps
Your business data (client records, financials, employee info) is governed by PIPEDA in Canada — a breach isn't just embarrassing, it's a legal liability
Nexmatic deploys a dedicated per-client workspace — a virtual server that's yours alone, hosted in Canada by default, with private long-term memory, encrypted data handling, a tamper-evident audit trail, and human oversight at every step
The cheapest automation solution is often the most expensive one when something goes wrong

The Automation Gold Rush Has a Dark Side

AI automation is booming. Every week there's a new tool, a new framework, a new "automate everything" platform launched by two developers working out of a co-working space. Some of these are excellent. Many are not.

The problem? From the outside, they all look the same. Clean landing page, impressive demo, affordable pricing. But underneath, the differences are enormous — and they matter most when things go wrong.

When you connect an automation tool to your accounting software, your CRM, your email, and your client database, you're handing over the keys to your entire operation. If that tool has weak security, poor data handling, or disappears because the developer got a full-time job — your business is exposed.

What Can Go Wrong With Cheap or Unvetted Automation

Your Data Lives on Someone Else's Server

Most automation tools are cloud-based. That means your client records, financial data, employee information, and business communications are stored on servers you don't control. The question is: whose servers, where, with what protections?

Some tools store data on shared infrastructure with minimal encryption. Some route data through third-party APIs in jurisdictions with weaker privacy laws. Some don't even have a clear data retention policy — your information lives on their servers indefinitely, even after you cancel.

For Canadian businesses, this isn't just a best-practice concern. PIPEDA (Personal Information Protection and Electronic Documents Act) requires you to protect personal information in your care. If an automation tool leaks your client data because of poor security practices, you're the one facing the regulatory consequences — not the tool provider.

Open-Source Doesn't Mean Enterprise-Ready

Open-source automation tools can be powerful. But "open-source" doesn't automatically mean "secure" or "reliable." It means the code is publicly available. It doesn't guarantee:

Active maintenance: Many open-source projects are maintained by one or two people in their spare time. If they move on, the project stops getting security patches.
Security audits: Enterprise software undergoes regular penetration testing and security reviews. Most open-source side projects never have a formal security audit.
Uptime guarantees: When a free tool goes down on a Tuesday afternoon, there's no SLA, no support team, no one to call. Your automations simply stop running until someone notices.
Data isolation: Some open-source tools run on shared databases or don't properly isolate tenant data. Your business data could be one misconfiguration away from exposure.

This doesn't mean all open-source is bad — but it means you need to evaluate it with the same scrutiny you'd apply to any vendor who's handling your sensitive data. And most small businesses don't have the technical expertise to do that evaluation.

Free Tiers Are Funded by Your Data

When a product is free, you are the product. Many "free" AI tools monetize through data collection — training their models on your inputs, sharing anonymized (sometimes poorly anonymized) data with partners, or selling usage analytics to third parties.

Read the terms of service. If a free AI tool's privacy policy says they can use your inputs to "improve their services" or "train models," that means your client emails, financial data, and business documents are being fed into systems you have no control over.

The "It Works Until It Doesn't" Problem

Hobby-grade automation tools work great — until they don't. And the failure modes are ugly:

An API key expires and invoices stop going out for two weeks before anyone notices
A framework update breaks a workflow and client follow-ups silently stop
A webhook endpoint changes and payment notifications stop arriving
The developer shuts down the project and your automations disappear overnight

In a personal project, these failures are inconveniences. In a business handling real clients and real money, they're emergencies. And if your automation doesn't have monitoring, alerting, and human oversight, you won't even know it failed until a client calls to ask why they never got their invoice.

What Proper Business Automation Looks Like

When you evaluate an automation provider, here's what should be non-negotiable:

1. Data Encryption at Rest and in Transit

Every piece of data — whether it's sitting in a database or being transmitted between systems — should be encrypted. This is table stakes. If a provider can't confirm AES-256 encryption at rest and TLS 1.3 in transit, walk away.

2. Canadian Data Residency

For businesses operating under PIPEDA, knowing where your data physically lives matters. Data stored in Canada is subject to Canadian privacy law. Data stored in the US is subject to the CLOUD Act, which allows US authorities to access it regardless of where the data owner is located. Ask your provider: where are your servers?

3. Audit Trails

Every action taken by an automated system should be logged — what happened, when, why, and what data was accessed. If something goes wrong, you need to be able to trace exactly what occurred. This isn't optional for regulated industries, and it shouldn't be optional for anyone.

4. Human Oversight

Fully autonomous AI with no human review is a recipe for compounding errors. A system that miscategorizes one transaction is a minor issue. A system that miscategorizes transactions the same way for three months because nobody checked is a bookkeeping nightmare.

Good automation includes checkpoints where humans review outputs, approve critical actions, and catch edge cases that AI doesn't handle well.

5. Failure Detection and Alerting

When an automation fails — and eventually, something will fail — the system should detect it immediately and alert someone. Silent failures are the most dangerous kind. A tool that runs without monitoring is a liability pretending to be an asset.

6. Vendor Stability

Will this company exist in two years? Do they have paying customers? Is there a real team behind the product, or is it one developer's side project? These questions feel awkward to ask, but they're critical. Your business processes shouldn't depend on someone else's hobby.

How the Nexmatic Platform Is Built

At Nexmatic, we don't cobble together free tools and hope they keep working. Every client gets a dedicated virtual server ("workspace") provisioned in Canada by default, running the Nexmatic AI runtime with security and reliability as foundational requirements — not afterthoughts.

What's Actually Different About the Platform

1 VPS per client — hard isolation: Your workspace runs on a server that's yours alone. No shared tenants. No noisy neighbors. No cross-client data access at the infrastructure level, not just the application level.
Canadian data residency: Servers provisioned in OVH Beauharnois (Quebec) by default — Canadian soil, Canadian law, PIPEDA-aligned. Other regions available on request.
Long-term AI memory (the "palace"): Brand voice, customer history, commitments, decisions, past campaigns — stored in structured memory that only you can access. Never shared across clients. Never used to train models.
Signed audit trail (WAL): Every privileged action is hash-chained and cryptographically signed. Tampering breaks the chain. Verification runs twice daily and weekly — your compliance proof is built in, not bolted on.
WebAuthn-signed approvals: Privileged actions (sending money, publishing, deletions) require a hardware-verified signature from a human operator — not from the AI. The AI drafts; a person signs; the log remembers.
Event-driven monitoring: Every workflow is tracked, failures trigger alerts within seconds, and your dedicated ops contact (Pro 2+) gets paged — not discovered three weeks later.
Encrypted backups nightly, offsite: Daily encrypted backups per workspace. Per-VPS master keys. You can request a full WAL export at any time.
Hot-standby failover (optional): Warm-replica server, failover in minutes. For operations that cannot tolerate downtime.

PIPEDA Compliance Built In

Canadian privacy law isn't something we bolt on after the fact. The platform is designed with PIPEDA compliance from the start:

Personal information is collected only for stated purposes and stays on your VPS
Data retention policies are configurable per client and per data type
Clients can request data export or workspace deletion at any time
Every access to personal information is logged in the signed audit trail and auditable

How to Evaluate Any Automation Provider

Whether you choose Nexmatic or someone else, ask these questions before handing over your data:

Where is my data stored? (Country and cloud provider)
Is data encrypted at rest and in transit?
What happens to my data if I cancel?
Do you use my data to train AI models?
What monitoring do you have for failed automations?
Can I get an audit trail of what your system did with my data?
How long have you been in business, and how many clients do you serve?
What's your incident response process if there's a breach?

Any provider who can't answer these clearly and specifically isn't ready to handle your business data. It doesn't matter how good their demo looks.

The Bottom Line

AI automation can transform your business. But only if it's built right. The difference between a tool that saves you 20 hours a week and a tool that leaks your client database is not the price tag — it's the engineering, the security practices, and the accountability behind it.

Don't trust your client records, your financial data, and your business reputation to the cheapest option you can find. Trust it to a system that was built to protect it.

Talk to Nexmatic about what secure, reliable automation looks like for your business. Or review our security architecture and plans to see what's included.