Security

Last updated: 2026-04-27

The short version

Nodus runs on managed infrastructure with encryption at rest and in transit, single-sign-on for the team, row-level isolation between tenants, and centralized monitoring. We’ll publish formal certifications as we earn them.

Hosting

The application runs on Vercel (US regions). Application data lives in Supabase Postgres, which is hosted on AWS. Backups are managed by Supabase and are encrypted.

Encryption

  • TLS 1.2+ in transit on every public endpoint.
  • AES-256 at rest for the application database, file storage, and backups.
  • Secrets stored in Vercel and Supabase secret managers, never in source control.

Tenant isolation

Customer data is partitioned by tenant in Postgres. Row-level security is enabled on every customer table; service-role access is limited to server-side code paths that scope queries by tenant. We review access patterns as we add new features.

Authentication and access

User auth is handled by Clerk. Customer admins can require SSO and multi-factor for their team. Internal Nodus access uses single sign-on with mandatory MFA, scoped permissions, and audit logging.

Payments

Card data is collected and stored by Stripe (PCI DSS Level 1). We don’t see, store, or transmit raw card numbers.

Monitoring and incident response

We use Sentry for error monitoring and Vercel/Supabase platform metrics for uptime and performance. If a security incident affects you, we’ll notify you within 72 hours of confirmation, with what we know and what we’re doing about it.

Backups and durability

We keep continuous database backups with point-in-time recovery, retained for up to 30 days. We test restore procedures regularly.

Vendor review

Subprocessors are listed on the privacy page. We review each one for security posture and contract terms before relying on them.

Reporting a vulnerability

If you find a security issue, please email security@nodusos.ai with steps to reproduce. Please don’t exploit it or share it publicly until we’ve had time to fix it. We’ll acknowledge your report within two business days.

Roadmap

SOC 2 Type I and a public status page are on the near-term roadmap. We’ll update this page as items ship.