Security
How we protect customer data across the platform, the Jax agent, and our infrastructure. This is a living document — it describes what we actually do today, not what we aspire to.
Nexma is an AI-native spatial platform. Customers trust us with operational data — maps, infrastructure records, project content, and the conversations they have with Jax, our AI agent. Protecting that data is a foundational requirement, not a feature.
We are candid about where our program stands. Nexma is an early-stage company building toward formal certification. The controls described here are in place today; the certifications that independently attest to them are in progress, with honest target dates in the Compliance section below.
This page describes our technical and organizational security measures. It is reviewed regularly and updated as our practices evolve. For the compliance roadmap, sub-processor list, and downloadable policies, see our Trust Center.
Nexma is built on managed cloud infrastructure with a defense-in-depth approach. Controls are layered across the network, application, data, and identity boundaries rather than relying on any single safeguard.
All customer-facing traffic is served over encrypted connections, and our infrastructure providers are themselves independently audited (SOC 2 / ISO 27001).
All data moving between your browser, our application, and our backend services is encrypted with TLS 1.2 or higher. We do not serve application traffic over unencrypted connections.
Data stored in our databases, object storage, and backups is encrypted at rest with AES-256. Database backups are encrypted with rotating keys.
Secrets and credentials are held in managed key vaults provided by our infrastructure platforms — never committed to source control or baked into build artifacts. Access to production secrets is restricted and logged.
Identity and authentication are handled by Clerk, a dedicated identity provider. Access to data is governed by organization membership and project-scoped roles.
We review internal access periodically and revoke it promptly when roles change or staff depart.
Nexma runs on managed, US-based cloud infrastructure. We rely on established providers — including Vercel for application hosting and Supabase for our primary database and storage — whose platforms are independently audited.
Jax, our AI agent, can read and write project data and run analysis on a customer's behalf. Because the agent takes actions, we treat its security as a first-class concern distinct from the rest of the application.
The agent operates within the boundaries of the organization and project it is invoked from. It cannot reach data outside that scope, and its capabilities are limited to a defined set of operations rather than open-ended system access.
To generate responses, prompts and the relevant project content are sent to our model provider, Anthropic, under a data processing agreement. Under those terms the data is processed only to serve your request and is not used to train the provider's models.
Actions the agent takes on your data are recorded, so changes can be attributed and reviewed. We continue to invest in safeguards against prompt injection and other AI-specific risks as the field matures.
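The scoping and action logging described in the paragraphs above can be made concrete. What follows is an added illustrative example, not Nexma's or Jax's code: a small allow-listed tool dispatcher in which the org/project scope comes from the authenticated session rather than from the model's output, every record access is checked against that scope, and every attempt, allowed or denied, is written to an audit log. The record store, tool names, context fields and sample data are all assumptions made for the example.

```python
import copy
from dataclasses import dataclass, field

# Constructed sample store for the example: every record carries the org and
# project that own it. Illustrative data, not Nexma's schema.
RECORDS = {
    "rec-1": {"org": "org-a", "project": "proj-1", "name": "Pump station 4"},
    "rec-2": {"org": "org-a", "project": "proj-2", "name": "Substation 9"},
    "rec-3": {"org": "org-b", "project": "proj-7", "name": "North reservoir"},
}


class ScopeViolation(Exception):
    """Raised when a tool call targets data outside the invoking org/project."""


class UnknownTool(Exception):
    """Raised when the model asks for a tool that is not on the allow-list."""


@dataclass(frozen=True)
class AgentContext:
    """Scope the agent was invoked from. Populated from the authenticated
    session, never from model output, so a prompt cannot widen it."""
    org: str
    project: str
    actor: str  # the user on whose behalf the agent is acting


@dataclass
class AuditLog:
    """In-memory stand-in for an append-only action log."""
    entries: list = field(default_factory=list)

    def record(self, ctx, tool, args, outcome):
        self.entries.append({
            "actor": ctx.actor, "org": ctx.org, "project": ctx.project,
            "tool": tool, "args": args, "outcome": outcome,
        })


def _in_scope(ctx, record_id):
    rec = RECORDS.get(record_id)
    # A missing record and an out-of-scope record raise the same error, so a
    # hijacked agent cannot use error messages to enumerate other projects.
    if rec is None or (rec["org"], rec["project"]) != (ctx.org, ctx.project):
        raise ScopeViolation(record_id)
    return rec


def tool_read_record(ctx, record_id):
    return copy.deepcopy(_in_scope(ctx, record_id))


def tool_rename_record(ctx, record_id, name):
    rec = _in_scope(ctx, record_id)
    rec["name"] = name
    return copy.deepcopy(rec)


# The allow-list: the only operations the agent can ever invoke.
TOOLS = {"read_record": tool_read_record, "rename_record": tool_rename_record}


def dispatch(ctx, log, call):
    """Execute one tool request from the model, e.g.
    {"tool": "read_record", "args": {"record_id": "rec-1"}}.
    Every attempt, allowed or denied, is written to the audit log."""
    name = call.get("tool")
    args = call.get("args", {})
    fn = TOOLS.get(name)
    if fn is None:
        log.record(ctx, name, args, "denied: unknown tool")
        raise UnknownTool(name)
    if not isinstance(args, dict) or "org" in args or "project" in args:
        # Scope comes from ctx only; the model is not allowed to supply it.
        log.record(ctx, name, args, "denied: bad arguments")
        raise ValueError("scope fields are not caller-supplied")
    try:
        result = fn(ctx, **args)
    except ScopeViolation:
        log.record(ctx, name, args, "denied: out of scope")
        raise
    except TypeError:  # wrong or missing argument names
        log.record(ctx, name, args, "denied: bad arguments")
        raise
    log.record(ctx, name, args, "ok")
    return result


def demo():
    """Run the three cases a reviewer would check; return the logged outcomes."""
    ctx = AgentContext(org="org-a", project="proj-1", actor="user-42")
    log = AuditLog()
    for call in (
        {"tool": "read_record", "args": {"record_id": "rec-1"}},    # in scope
        {"tool": "read_record", "args": {"record_id": "rec-2"}},    # same org, other project
        {"tool": "delete_project", "args": {"project": "proj-7"}},  # not on the allow-list
    ):
        try:
            dispatch(ctx, log, call)
        except (ScopeViolation, UnknownTool, ValueError):
            pass
    return [e["outcome"] for e in log.entries]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Two design choices carry most of the value. The scope is bound to the context object built from the session, and any attempt by the model to pass `org` or `project` in the tool arguments is rejected before the tool runs, which is what keeps a prompt-injected instruction from widening the agent's reach. The denied attempts are logged alongside the successful ones, so a review of the log shows not only what the agent changed but what it was steered to try.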
Our compliance program is in active build-out. We describe each framework with an honest status — we do not claim certifications we do not yet hold.
We are building toward SOC 2 Type II, the independent attestation of our security, availability, and confidentiality controls. Readiness work is underway, targeting Q4 2026. We will publish the report through our Trust Center once complete.
ISO/IEC 27001 certification of our information security management system is planned to follow SOC 2, with a target of Q2 2027.
We offer a data processing agreement, disclose our sub-processors, and support data-subject rights requests. Standard contractual clauses are available on request. See our Privacy Policy and Trust Center for details.
All customer data is stored and processed in the United States. We do not replicate data to other regions today. EU and UK residency are on our roadmap; customers with regional requirements should reach out before contracting.
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Backups roll on a thirty-day window and are encrypted with rotating keys.
Active project data is retained for the duration of the customer relationship. A deleted project enters a thirty-day soft-delete window, after which it is purged from primary storage; it ages out of backups on the next rotation of the thirty-day backup window. Customers may request export or deletion at any time, and we honor verified requests within thirty days.
We maintain a process for detecting, responding to, and learning from security events.
To report a security concern, contact legal@nexma.ai.
We rely on a small set of vetted sub-processors to operate the platform. Each is selected and monitored with customer-data protection in mind.
Independent third-party penetration testing is planned as part of our SOC 2 program. We will share a summary of results, along with the SOC 2 report itself, with customers under NDA once available.
In the meantime, we conduct internal security review of changes and address findings through our standard engineering process.
We welcome reports from security researchers. If you believe you have found a vulnerability in a Nexma product or service, please contact us at legal@nexma.ai with enough detail to reproduce the issue.
We commit to acknowledging valid reports, investigating in good faith, and not pursuing legal action against researchers who act responsibly and avoid privacy violations, data destruction, and service disruption.
Questions about our security practices, or need our security documentation for a vendor review? We're happy to help.
Nexma, Inc.
Email: legal@nexma.ai
Web: nexma.ai