Security Policy

Last updated: May 2025

Security is not just our product - it is how we operate. This Security Policy describes the technical and organizational measures NexusVoid AI employs to protect customer data and maintain the integrity of the platform.

1. Our Security Commitment

NexusVoid AI is a security company. We hold ourselves to a higher standard than most SaaS providers - because our customers trust us with their most sensitive data: their own security vulnerabilities. That trust is not taken lightly.

We apply a defense-in-depth approach across every layer of the platform: infrastructure, application, data, and operations. We test ourselves with the same tools we sell to our customers - every quarter, without exception.

2. Infrastructure Security

The NexusVoid AI platform is hosted on Amazon Web Services (AWS), one of the most secure and compliant cloud providers available:

  • Primary region: AWS ap-south-1 (Mumbai, India). EU customers have the option of data residency in AWS eu-central-1 (Frankfurt, Germany).
  • SOC 2-ready infrastructure: Our AWS environment follows SOC 2 Type II control requirements. We are actively working toward formal SOC 2 Type II certification. See Section 8 for our current compliance status.
  • Multi-AZ deployment: Production services run across multiple AWS Availability Zones for redundancy and resilience.
  • Tenant isolation: Customer data is logically isolated at the database and storage layer. No customer can access another customer's data.
  • Network controls: Production resources are deployed in private VPCs with no direct public internet exposure. All external traffic flows through application load balancers with WAF protection.

3. Data Encryption

  • At rest: All customer data in databases and object storage is encrypted using AES-256. Database encryption keys are managed through AWS KMS with automatic rotation enabled.
  • In transit: All communications between clients and our servers use TLS 1.3. TLS 1.0 and 1.1 are disabled. We enforce HSTS with a one-year max-age on all domains.
  • Secrets management: Application secrets, API keys, and credentials are stored in AWS Secrets Manager and are never hard-coded in source code or environment files.
  • Passwords: User passwords are hashed using bcrypt with a minimum cost factor of 12. We never store plaintext passwords.
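Two of the settings above are easy to verify against a running deployment: the bcrypt cost factor is encoded in the stored hash string itself, and the HSTS max-age is readable from the response header. The following audit helper is an added example for this page, not NexusVoid AI's own tooling; the user records and header values it checks are constructed sample data, and the hash strings are well-formed bcrypt-format strings built by hand rather than real bcrypt output.

```python
import re

# bcrypt modular-crypt-format string: "$2a$" / "$2b$" / "$2y$", then a two-digit
# cost factor, then a 22-character salt and a 31-character digest (bcrypt's own
# base64 alphabet: . / A-Z a-z 0-9).
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Constructed sample records (hypothetical users; hash strings are hand-built to
# match the bcrypt format and are NOT real bcrypt output).
SAMPLE_HASHES = [
    ("alice", "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("bob",   "$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("carol", "5f4dcc3b5aa765d61d8327deb882cf99"),  # legacy unsalted MD5-style hex
]

ONE_YEAR_SECONDS = 31536000


def bcrypt_cost(hash_str):
    """Return the cost factor encoded in a bcrypt hash, or None if the string is not bcrypt."""
    m = BCRYPT_RE.match(hash_str)
    return int(m.group(1)) if m else None


def audit_password_hashes(records, min_cost=12):
    """Return (user, reason) for every record that violates the stated policy:
    bcrypt only, with cost factor >= min_cost. An empty list means all records pass."""
    findings = []
    for user, hash_str in records:
        cost = bcrypt_cost(hash_str)
        if cost is None:
            findings.append((user, "not a bcrypt hash"))
        elif cost < min_cost:
            findings.append((user, f"bcrypt cost {cost} < {min_cost}"))
    return findings


def check_hsts(header_value, min_max_age=ONE_YEAR_SECONDS):
    """Parse a Strict-Transport-Security header value and return (ok, max_age).
    ok is True only when max-age is present, numeric, and at least min_max_age;
    a missing or malformed header yields (False, None)."""
    if header_value is None:
        return False, None
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip()
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return False, None
    return max_age >= min_max_age, max_age


if __name__ == "__main__":
    for user, reason in audit_password_hashes(SAMPLE_HASHES):
        print(f"password policy violation: {user}: {reason}")
    for hdr in ("max-age=31536000; includeSubDomains", "max-age=300", None):
        print(hdr, "->", check_hsts(hdr))
```

Run against a real user table, the first function flags accounts that were never rehashed after a cost-factor increase (bcrypt cannot be upgraded in place; the user must log in so the plaintext is available to rehash). The HSTS check is deliberately strict about malformed values: a header that is present but unparseable is reported as failing rather than silently passing.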

4. Access Controls

Access to customer data and production systems is tightly controlled:

  • Principle of least privilege: All employees and systems are granted only the minimum permissions necessary to perform their function. Access is reviewed quarterly.
  • Multi-factor authentication (MFA): MFA is mandatory for all internal staff accessing production systems, AWS console, and critical SaaS tools.
  • Single Sign-On (SSO): Internal access to all tooling is managed through SSO, providing centralized authentication and instant deprovisioning when employees leave.
  • RBAC for customers: The platform supports role-based access control for customer teams, including Owner, Admin, Member, and Read-only roles.
  • Audit logging: All administrative actions on production systems are logged to immutable audit trails and retained for 12 months.

5. Penetration Testing

We practice what we preach. NexusVoid AI conducts quarterly penetration testing of its own infrastructure and application using Striker, our AI-powered VAPT agent, as well as periodic manual red team engagements.

Testing scope includes the web application, API layer, authentication systems, cloud configuration, and network perimeter. Critical findings are remediated within 48 hours. High-severity findings are remediated within 7 days. All findings are tracked to closure before the next scheduled test.

Enterprise customers may request a copy of our most recent pentest executive summary under NDA by contacting security@nexusvoidai.com.

6. Vulnerability Disclosure

We operate a responsible disclosure program. If you discover a security vulnerability in NexusVoid AI's systems, applications, or infrastructure, we encourage you to report it to us.

How to report:

Email: security@nexusvoidai.com

Please include a detailed description of the vulnerability, steps to reproduce, and the potential impact. We support PGP-encrypted reports on request.

We commit to: acknowledging your report within 48 hours; providing a fix timeline within 7 days; resolving critical vulnerabilities within a 90-day SLA; and crediting you in our Security Hall of Fame (with your permission) upon disclosure.

We will not take legal action against researchers who report vulnerabilities in good faith and comply with these guidelines. Please do not access or modify customer data, disrupt service availability, or publicly disclose vulnerabilities before coordinating with us.

7. Incident Response

We maintain a formal Incident Response Plan that is reviewed and tested annually:

  • Detection: Automated monitoring via AWS GuardDuty, CloudTrail, and application-level anomaly detection. Target detection time: within 2 hours of a security event.
  • Containment: Immediate isolation of affected systems. On-call security engineer paged within 15 minutes of alert escalation.
  • Assessment: Determination of scope, affected data, and customer impact within 4 hours of confirmed incident.
  • Notification: Affected customers notified within 24 hours of a confirmed breach involving their data. Regulatory notifications (GDPR, DPDP) made within legally required timeframes (72 hours for GDPR).
  • Recovery: Remediation and service restoration, with a post-incident review and root cause analysis shared with affected customers.

8. Compliance

SOC 2 Type II: In Progress

We are actively working toward SOC 2 Type II certification. Our infrastructure and processes are built to SOC 2 control requirements. Enterprise customers may request our SOC 2 readiness attestation.

GDPR: Compliant

We comply with GDPR for EU/EEA customers. SCCs are in place with all sub-processors. A DPA is available for enterprise customers.

DPDP Act 2023: Compliant

We comply with India's Digital Personal Data Protection Act. As an Indian company, DPDP compliance is a core requirement for us.

9. Business Continuity

  • Uptime SLA: We target 99.9% monthly uptime for the core platform (excluding scheduled maintenance). Real-time status is available at status.nexusvoidai.com.
  • Daily backups: All customer data is backed up daily. Backups are encrypted, stored in a separate AWS region, and tested quarterly.
  • Multi-AZ redundancy: The production database and application tier run across multiple Availability Zones to eliminate single points of failure.
  • RTO / RPO: For major infrastructure failures, the Recovery Time Objective (RTO) is 4 hours and the Recovery Point Objective (RPO) is 24 hours, consistent with the daily backup schedule above.

10. Contact Security Team

For security questions, vulnerability disclosures, or to request security documentation:

Security disclosures: security@nexusvoidai.com

General security questions: security@nexusvoidai.com

Researchers who responsibly disclose valid vulnerabilities are acknowledged in our Security Hall of Fame with their permission.