Security

Fail-closed
by default.

Every layer hardens the one below it. Secrets never touch disk unencrypted. Network segments isolate every service. Audit logs capture every action.

Request security docs About Nexus Trust
Infrastructure Security

Four layers. No shortcuts.

Every component runs in isolation with least-privilege access, encrypted storage, and immutable audit trails.

HashiCorp Vault
All secrets stored in Vault with AppRole authentication, scoped policies, and AWS KMS auto-unseal. No .env files in production.
AES-256 Encryption
SAR narratives encrypted at rest with AES-256-GCM. Database connections use TLS. All inter-service traffic encrypted in transit.
Immutable Audit Log
Every API call, every model decision, every analyst action recorded in append-only TimescaleDB hypertables with cryptographic integrity.
Network Isolation
Three LXC containers on a private bridge network. Only the application node has public internet access. Database and indexer are fully isolated.
Practices

Defense in depth.

Security is not a feature. It is the architecture. Every service authenticates, every task is signed, every secret rotates.

Security Stack
Vault Agent Sidecars
AppRole authentication on each container. Secrets rendered into memory-mapped .env files.
Celery HMAC Signing
Every task message signed with HMAC-SHA256. Unsigned tasks rejected at the worker.
Redis ACL
Dedicated user with restricted command set. No FLUSHALL, no CONFIG, no DEBUG.
Refresh Token Rotation
Single-use refresh tokens. Reuse detection triggers immediate session revocation.
Least-Privilege DB Roles
Four database users with scoped permissions. Application code has zero DDL access.
Compliance Readiness

Built for auditors.

Every architectural decision maps to a regulatory control. Audit evidence is generated automatically.

IN PROGRESS
SOC 2 Type II
Trust service criteria mapped across all five categories. Evidence collection automated through infrastructure logging and Vault audit trails.
IMPLEMENTED
SR 11-7
Model risk management framework with champion/challenger lifecycle, drift detection, and automated governance documentation.
IN PROGRESS
GDPR Readiness
Data minimization by design. Retention policies enforced through TimescaleDB compression. Right to erasure workflows documented.

Request our security documentation.

We share our full architecture review, penetration test results, and compliance mapping under NDA.

Contact security team