Your data is your data.

We take data security seriously. Here's a straightforward account of what we do to keep your workspace safe — no marketing fluff, just the facts.

What we do

Encryption in transit

All data is encrypted using TLS 1.2+ in transit. We enforce HTTPS across all endpoints and reject insecure connections.

Encryption at rest

Your workspace data is encrypted at rest using AES-256. Backups are encrypted and stored in geographically separated locations.

Access controls

Role-based access controls limit data access to authorised personnel. Production access is restricted and logged. We follow the principle of least privilege.

Infrastructure security

Our infrastructure runs on SOC 2 Type II and ISO 27001 certified cloud providers. We inherit industry-leading security controls and layer our own access policies, network segmentation, and monitoring on top.

Authentication

Sessions use short-lived tokens with automatic rotation. Passwords are hashed with a strong, salted algorithm. We support SSO on enterprise plans.

Dependency scanning

We regularly scan our dependencies for known vulnerabilities and apply patches promptly. Our CI pipeline rejects builds with high-severity CVEs.

Responsible disclosure

We welcome security researchers who help us keep Nexus safe. If you've found a vulnerability, please tell us before disclosing it publicly so we can fix it first.

We commit to acknowledging your report within 2 business days, keeping you informed as we investigate and fix the issue, and not taking legal action against researchers acting in good faith.

Scope

  • Authentication and session management
  • Access control and privilege escalation
  • Data exposure or exfiltration
  • XSS, CSRF, and injection attacks
  • API security issues

Out of scope

  • Social engineering of Nexus employees
  • DoS or DDoS attacks
  • Vulnerabilities in third-party software we use
  • Physical attacks

Our commitments

Your data belongs to you

We never sell your data or use it to train models. You can export everything at any time. Deletion is permanent and complete.

Availability

Automated daily backups with 30-day retention. Point-in-time recovery available on paid plans. We target 99.9% uptime.

Transparency

We publish our uptime history, disclose security incidents promptly, and maintain a full sub-processor list available on request.

Questions about security? security@usenexus.app · See also our Privacy Policy and Status page.