Trust and Security

Last updated: March 2026

1. Our Security Commitments

NexCyberEU is a compliance infrastructure platform. Security is foundational to our product. We apply the same rigour to securing our own systems that we ask of our customers.

2. Data Encryption

Encryption in Transit

All communications are encrypted using TLS 1.3; older protocol versions are rejected. HTTPS is enforced via HSTS with a max-age of at least one year (31536000 seconds).

Encryption at Rest

All data stored via Supabase (EU region) is encrypted at rest using AES-256. Keys are managed by Supabase key management and rotated on a scheduled basis.

Certificate Integrity (MRCC)

Machine-Readable Compliance Certificates are signed using HMAC-SHA256. Each certificate includes a unique identifier, an issuance timestamp, and a signature digest computed over the other fields, so any modification is detected on verification and the issuer is authenticated to any party holding the verification key. Because HMAC uses a symmetric key, verification requires access to that key; it does not by itself give third-party non-repudiation in the way an asymmetric signature would.
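How such a certificate can be issued and verified, as an added example written for this page rather than NexCyberEU's own code: the field names, the canonical JSON encoding of the signed payload, and the demo key are assumptions. The verifier recomputes the HMAC over every field except the signature and compares it in constant time, so an edit to the identifier, timestamp or payload fails verification, and it rejects a missing signature or an unexpected algorithm label so that a downgraded certificate is not accepted.

```python
"""Added example for this page: issue and verify an HMAC-SHA256 signed
Machine-Readable Compliance Certificate (MRCC). Illustrative code only, not
NexCyberEU's implementation. Assumptions: the field names, the canonical
JSON encoding of the signed payload, and the demo key are invented here.
"""
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone
from typing import Optional

ALG = "HMAC-SHA256"

# Constructed 32-byte demo key. A real deployment injects the key from its
# secret store at runtime and never commits it to source.
DEMO_KEY = bytes.fromhex(
    "7f3a9c1e5b2d4a6f8e0c1b3d5f7a9c2e4b6d8f0a1c3e5b7d9f2a4c6e8b0d1f3a"
)


def canonical_bytes(payload: dict) -> bytes:
    """Deterministic encoding of the signed fields: sorted keys, no
    whitespace. Issuer and verifier must MAC exactly these bytes, otherwise
    a harmless re-serialisation (key order, spacing) would look like tampering."""
    return json.dumps(
        payload, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def compute_digest(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over the canonical payload, hex encoded."""
    return hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()


def issue_certificate(key: bytes, subject: str, controls: dict,
                      cert_id: Optional[str] = None,
                      issued_at: Optional[str] = None) -> dict:
    """Build a certificate with a unique id, issuance timestamp and the
    HMAC digest over all other fields. id/timestamp can be fixed for tests."""
    payload = {
        "id": cert_id or str(uuid.uuid4()),
        "issued_at": issued_at
        or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "subject": subject,
        "controls": controls,
    }
    return {**payload,
            "signature": {"alg": ALG, "digest": compute_digest(key, payload)}}


def verify_certificate(key: bytes, cert: dict) -> bool:
    """Recompute the HMAC over every field except 'signature' and compare in
    constant time. Fails closed on a missing signature, a non-string digest
    or an unexpected algorithm label."""
    sig = cert.get("signature")
    if not isinstance(sig, dict) or sig.get("alg") != ALG:
        return False
    digest = sig.get("digest")
    if not isinstance(digest, str):
        return False
    payload = {k: v for k, v in cert.items() if k != "signature"}
    return hmac.compare_digest(compute_digest(key, payload), digest)


if __name__ == "__main__":
    cert = issue_certificate(DEMO_KEY, "example-workspace", {"mfa": "enforced"})
    print("valid:", verify_certificate(DEMO_KEY, cert))
    # Simulate an attacker editing a control after issuance.
    forged = json.loads(json.dumps(cert))
    forged["controls"]["mfa"] = "disabled"
    print("tampered:", verify_certificate(DEMO_KEY, forged))
```

The check that matters for a consumer of these certificates is the last one in the demo: a certificate whose controls were edited after issuance still carries a well-formed digest, and only recomputing the HMAC with the verification key exposes it.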

3. Authentication and Access Control

Authentication is handled by Supabase Auth using JWT-based session tokens:

  • Short-lived JWT access tokens (1-hour expiry) paired with 30-day refresh tokens.
  • Passwords hashed using bcrypt with a cost factor of 12.
  • Row-Level Security (RLS) policies ensure users access only their own data.
  • API keys scoped to specific workspaces, revocable at any time from account settings.
  • All authentication events logged with IP address and user-agent for audit purposes.

4. Infrastructure Security

  • Application servers hosted on Render in EU data centres with network isolation.
  • Database access restricted to application service accounts; no direct public exposure.
  • Dependencies scanned for CVEs on every CI/CD pipeline run.
  • Secrets managed via environment variable injection; never stored in source code.
  • Container images rebuilt from scratch on each deployment.

5. Compliance Roadmap

SOC 2 Type II — In Progress

Internal controls aligned with Trust Services Criteria. Target: H2 2026.

ISO 27001 — Planned

ISMS implementation planned for 2027, aligned with enterprise customer requirements.

GDPR Compliance — Active

Operating under GDPR with signed DPAs with all sub-processors. See our Privacy Policy.

6. Responsible Disclosure

If you discover a security issue in NexCyberEU, please report it responsibly:

Do: Send a detailed report including steps to reproduce and potential impact. We acknowledge reports within 48 hours.

Do not: Exploit vulnerabilities beyond proof-of-concept, access or exfiltrate user data, or perform denial-of-service attacks.

Security contact: Responsible disclosure form

A PGP key is available on request. We will not pursue legal action against researchers acting in good faith.