We take your code and secrets seriously
Preview environments touch real production code, real seed data, and real secrets. Here is how Nexos is built to keep them safe — and what we're still working on.
Encryption in transit
Every external endpoint is served over TLS 1.2+. The control-plane-to-agent gRPC channel supports mutual TLS so only enrolled nodes can join the fleet.
Encryption at rest
Environment variables and database passwords are encrypted with AES-256-GCM. Each value gets a unique initialisation vector. The master key is stored in the host environment, never in the database.
Isolation between environments
Every preview runs inside its own containerd container with cgroup-enforced CPU and memory limits. Databases are namespaced per environment and network-scoped to their owning container.
Tenant separation
Projects are scoped by user or team. Every API route enforces ownership and team membership before returning data. We use parameterised queries via Drizzle ORM — no raw string SQL from user input.
Auditability
All deployments, credit transactions, team membership changes, and admin actions are recorded in append-only ledgers with the acting user, timestamp, and related resource IDs.
Operational controls
Production databases are backed up daily with point-in-time recovery. Access to production infrastructure requires hardware-key MFA. The full control plane is deployable from a single repo so we can rebuild from source in minutes.
Compliance roadmap
We are a young company and we are honest about where we are. Here is the current state:
- GDPR-ready data handling. All user data is deletable on request; we do not sell or share personal data with third parties. EU-hosted compute is available on request for data-residency needs.
- SOC 2 Type I — in progress. Targeted audit window: Q3 2026. Ask us for the current internal controls document if you need it ahead of that.
- ISO 27001 — on the roadmap. Planned for the year after SOC 2 Type II.
Report a vulnerability
Found a security issue? Please email security@nexos.dev with a description and reproduction steps. We triage within one business day and will keep you updated until the fix ships. Act in good faith and we will treat you in kind — no legal action for responsible disclosure.
Want deeper detail? See our architecture docs or reach out for a security questionnaire.