1. Infrastructure
Services run on hardened cloud infrastructure (primary: Azure; backup: AWS). All hosts are private-VPC by default with no public ingress except through audited gateways.
2. Encryption
AES-256 at rest with managed keys, TLS 1.3 in transit. Customer-managed keys (CMK) are available on enterprise plans for Astris HR and TrailX.
3. Access control
Production access is just-in-time, time-bounded, and logged, and access is reviewed quarterly. MFA is required for every employee account, and hardware security keys are required for production access.
4. Secure SDLC
Every change passes code review and CI gates, including static analysis, dependency scanning, and IaC policy checks. An independent firm performs a penetration test annually.
5. Monitoring · Logging
Logs are centralized, retained for one year, and fed into a SIEM. On-call coverage is 24/7 with documented runbooks.
6. Incident response
Defined IR playbook with role-based escalation. Customer notification within 72 hours of any confirmed security incident affecting their data.
7. Responsible disclosure
Found a vulnerability? Email security@nexus.science. We pay for valid reports and credit researchers in our hall of fame.