Security
How we protect your data, decisions, and business intelligence.
Our commitment
Your decisions contain some of the most sensitive information in your business — strategy, financials, hiring, competitive intelligence. We treat every piece of data with the seriousness it deserves.
Infrastructure
- Cloud hosting: Deployed on enterprise-grade cloud infrastructure with SOC 2 Type II certified data centers.
- Encryption in transit: All connections use TLS 1.3. No plaintext communication, ever.
- Encryption at rest: All data encrypted with AES-256. Database encryption keys are managed via cloud KMS with automatic rotation.
- Network isolation: Application, database, and cache layers are isolated in private subnets with no public internet exposure.
Application security
- Authentication: Bcrypt password hashing, JWT with short-lived tokens, refresh token rotation, optional 2FA (TOTP).
- Authorization: Role-based access control (RBAC) with 4 roles (Owner, Admin, Editor, Viewer). Feature-level permissions per plan tier.
- Session management: Active session tracking, remote session revocation, automatic idle timeout.
- Rate limiting: Per-user and per-endpoint rate limiting to prevent abuse.
- Input validation: All inputs are validated and sanitized. Parameterized queries protect against SQL injection, and content security policies protect against XSS.
AI security
- No training on your data: Your decisions, conversations, and business context are never used to train any AI model.
- Prompt isolation: Each user's prompts are processed in isolation. No cross-tenant data leakage.
- Provider agreements: Our AI providers (Anthropic, OpenAI) operate under data processing agreements that prohibit model training on customer data.
- Output filtering: AI outputs pass through content safety filters before delivery.
Enterprise security
- SSO / SAML: Enterprise plans support SAML-based single sign-on with identity providers such as Okta, Azure AD, and Google Workspace.
- SCIM provisioning: Automated user provisioning and deprovisioning.
- Audit trail: Complete audit log of all user actions — logins, decisions created, data accessed, settings changed.
- Compliance mode: Enterprise compliance mode with data retention policies, Chinese wall barriers, and enhanced logging.
- Data residency: Enterprise customers can specify data residency requirements.
Incident response
We maintain a documented incident response plan. In the event of a security incident, affected users are notified within 72 hours. Regulatory authorities are notified as required by GDPR/DPDPA. Post-incident reports are provided to Enterprise customers.
Responsible disclosure
If you discover a security vulnerability, please report it to security@nexbree.com. We commit to acknowledging reports within 24 hours, providing a timeline for remediation, and not pursuing legal action against good-faith security researchers.
Compliance
- GDPR: Full compliance with the EU General Data Protection Regulation.
- DPDPA: Compliance with India's Digital Personal Data Protection Act, 2023.
- SOC 2: Working toward SOC 2 Type II certification.
Security questions? Contact security@nexbree.com.