Security and Compliance Overview

This overview supports customer due diligence, vendor risk assessment, and procurement review processes.

NEXUS AI is designed to support enterprise customers operating in multi-cloud and production environments by implementing security controls aligned with generally accepted industry practices.

Purpose and Scope

This document provides an overview of the security and compliance posture of the NEXUS AI platform. It is intended to support customer due diligence, vendor risk assessment, and procurement review processes.

Security Governance

NEXUS AI maintains an internal security governance framework intended to manage risk, protect customer data, and support secure platform operations.

Key governance objectives include:

  • Protection of customer and platform data
  • Controlled access to systems and environments
  • Auditability of operational and deployment activities
  • Ongoing evaluation and improvement of security controls

Security responsibilities are defined internally and reviewed as part of platform operations.

Identity and Access Controls

Access to the NEXUS AI platform is governed through identity-based access control mechanisms.

Controls include:

  • Role-based access control (RBAC)
  • Segregation of access by environment and function
  • Scoped API credentials and access tokens
  • Support for federated authentication and single sign-on (where applicable)
  • Controlled deployment permissions and approval workflows

Access rights are granted based on the principle of least privilege.

Data Protection

NEXUS AI implements safeguards designed to protect customer data.

Encryption

  • Data in transit is protected using industry-standard TLS encryption.
  • Platform-managed data is encrypted at rest using industry-standard mechanisms.

Data Isolation

  • Customer environments are logically isolated.
  • Tenant-specific data is segregated through access and infrastructure controls.
  • Customers retain ownership and responsibility for application-level data and content deployed using the platform.

Infrastructure and Platform Security

The NEXUS AI platform is designed to operate in containerized and cloud-based environments.

Security controls include:

  • Hardened runtime environments
  • Network segmentation and isolation
  • Controlled ingress and egress points
  • Secure handling of container images and artifacts
  • Change control and version management for platform components

When deployed within customer-managed cloud environments, applicable security controls are shared in accordance with the agreed deployment model.

Logging and Audit Support

NEXUS AI maintains logging mechanisms to support operational monitoring and audit requirements.

Logged events may include:

  • Deployment actions
  • Configuration changes
  • Access and permission changes
  • System lifecycle events

Log retention, access, and review are governed by internal operational policies.

Secure Development Practices

NEXUS AI follows internal development practices intended to reduce security risk.

This includes:

  • Code review and change management procedures
  • Automated testing and validation processes
  • Dependency management and vulnerability awareness
  • Controlled release and deployment workflows

Security considerations are incorporated throughout the software development lifecycle.

Compliance Framework Alignment

NEXUS AI aligns its internal controls with commonly recognized security and compliance frameworks.

SOC 2

The platform is designed with reference to the SOC 2 Trust Services Criteria, including:

  • Security
  • Availability
  • Confidentiality

Formal SOC 2 reports, if applicable, are provided separately and subject to audit scope and availability as determined by NEXUS AI.

ISO/IEC 27001

NEXUS AI security practices are informed by ISO/IEC 27001 principles, including risk-based control implementation and information security management practices.

Certification status, if applicable, is documented independently and may be provided upon request.

Shared Responsibility Model

Security responsibilities are shared between NEXUS AI and the customer.

  • NEXUS AI is responsible for securing the platform control plane and managed services.
  • Customers are responsible for application logic, data content, user access management, and compliance obligations related to their specific use cases.

Specific responsibilities may vary based on deployment architecture and contractual agreements.

Incident Management

NEXUS AI maintains procedures for identifying, responding to, and managing security incidents.

These procedures include:

  • Incident identification and escalation
  • Internal investigation and remediation
  • Customer notification in accordance with contractual obligations and applicable laws

Continuous Improvement

Security controls and practices are periodically reviewed and updated to address evolving threats, regulatory requirements, and operational needs.

Important Notice

This document is provided for informational purposes only and does not constitute a contractual commitment, warranty, or certification. Formal compliance attestations, audit reports, and contractual security obligations are governed exclusively by executed agreements between NEXUS AI and the customer.

NEXUS AI security practices are designed to support enterprise risk management and compliance review.
