Security
Last updated: May 19, 2026
We treat your meeting recordings, transcripts, and tasks like a journal you wouldn't want anyone to find. This page describes how we keep them safe.
1. Encryption
- In transit: all traffic between your browser, our servers, and the meeting bot uses modern TLS.
- At rest: every database row, every audio file, and every backup is encrypted before it hits disk.
- API credentials you provide for integrations (Slack, etc.) are encrypted with per-workspace keys.
2. Authentication and access
- Sign in with email magic link or OAuth (Google) today. SAML SSO is planned for enterprise customers as the product matures.
- Sessions are short-lived and revocable from Settings.
- Access to production systems is restricted to the developer's personal accounts, secured by strong passwords and platform-level multi-factor authentication; all access is logged by the underlying providers (Vercel, Supabase, Cloudflare).
3. Infrastructure
- Application served from a globally distributed edge network.
- Database with daily encrypted backups, multi-zone redundancy, and 30-day retention.
- Object storage with industry-leading durability for your recordings.
4. Network
- Public endpoints sit behind Vercel's and Cloudflare's edge networks, which provide DDoS mitigation and edge firewall rules aligned with the OWASP Top 10.
- Rate limiting on abuse-prone endpoints such as sign-in and recording upload.
- Incoming webhooks (e.g. from Stripe) carry a signature computed with a secret shared with the provider; we verify it against the raw request body before any processing and reject payloads whose signature is missing or does not match.
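As an added illustration of the webhook check in the last bullet (example code, not Nexis's own implementation), here is a Python verifier for a signed webhook. The header layout, `t=<unix time>,v1=<hex HMAC-SHA256>` computed over `<timestamp>.<raw body>`, follows the scheme Stripe documents for its `Stripe-Signature` header; the signing secret, event body and fixed clock are constructed fixtures. It goes one step beyond the bullet by also rejecting events whose timestamp is stale, which blocks replay of a captured genuine request; that tolerance window is an added hardening step, not something this page states Nexis does.

```python
from __future__ import annotations

import hashlib
import hmac
import time
from typing import Optional

# Constructed fixture, not a real credential: the endpoint signing secret the
# provider hands you when you register the webhook URL.
ENDPOINT_SECRET = b"whsec_constructed_example_secret"
TOLERANCE_SECONDS = 300  # reject events whose 't' is more than 5 minutes from now


def sign_payload(secret: bytes, body: bytes, timestamp: int) -> str:
    """Produce a 't=<ts>,v1=<hex>' header the way the provider side would:
    HMAC-SHA256 over '<timestamp>.<raw body>'. Used here only to build fixtures."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def parse_signature_header(header: Optional[str]) -> Optional[tuple[int, list[bytes]]]:
    """Return (timestamp, [v1 digests]) or None when the header is absent or malformed.
    Several v1 values are accepted so the provider can rotate the secret without a gap."""
    if not header:
        return None
    timestamp: Optional[int] = None
    digests: list[bytes] = []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            return None
        if key == "t":
            if not value.isdigit():
                return None
            timestamp = int(value)
        elif key == "v1":
            try:
                digests.append(bytes.fromhex(value))
            except ValueError:
                return None  # non-hex signature value: treat as malformed
    if timestamp is None or not digests:
        return None
    return timestamp, digests


def verify_webhook(body: bytes, header: Optional[str], secret: bytes,
                   now: Optional[int] = None) -> bool:
    """Accept the event only if some v1 digest equals HMAC-SHA256('<t>.<raw body>', secret)
    and 't' lies within TOLERANCE_SECONDS of the current time. Always MAC the raw request
    bytes: re-serialising parsed JSON changes whitespace and key order and breaks the check."""
    parsed = parse_signature_header(header)
    if parsed is None:
        return False  # unsigned or malformed: reject before touching the body
    timestamp, candidates = parsed
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > TOLERANCE_SECONDS:
        return False  # stale timestamp: likely a replayed capture of a genuine event
    expected = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).digest()
    # compare_digest runs in constant time, so a mismatch leaks no timing signal
    return any(hmac.compare_digest(expected, c) for c in candidates)


def demo() -> dict[str, bool]:
    """Run the verifier over constructed cases and return accept/reject per case."""
    body = b'{"id":"evt_constructed_1","type":"checkout.session.completed"}'
    now = 1_700_000_000  # fixed clock so the fixtures are reproducible
    good = sign_payload(ENDPOINT_SECRET, body, now)
    return {
        "valid": verify_webhook(body, good, ENDPOINT_SECRET, now=now),
        "tampered_body": verify_webhook(body.replace(b"completed", b"failed"), good, ENDPOINT_SECRET, now=now),
        "wrong_secret": verify_webhook(body, sign_payload(b"other-secret", body, now), ENDPOINT_SECRET, now=now),
        "unsigned": verify_webhook(body, None, ENDPOINT_SECRET, now=now),
        "replayed": verify_webhook(body, good, ENDPOINT_SECRET, now=now + TOLERANCE_SECONDS + 1),
        "malformed": verify_webhook(body, "t=abc,v1=zz", ENDPOINT_SECRET, now=now),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:14} -> {'accepted' if accepted else 'rejected'}")
```

In a handler, run `verify_webhook` on the request body bytes before JSON parsing and answer a failed check with a 4xx and no detail about which part failed; the rejected body should not be logged, since an attacker who can post to the endpoint would otherwise be writing into your logs.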
5. AI processors
We use vetted AI providers to power transcription, task extraction, and Minutes of Meeting generation. Every provider we use is configured with zero data retention: your audio and prompts are never stored after the request completes and never used to train models.
6. Backups and disaster recovery
- Daily automatic encrypted database snapshots provided by our managed database host, with 30-day retention.
- Recording storage on a provider with industry-leading durability guarantees.
- Recovery time objective: restore service within one business day of a major incident.
7. Vendor security
We choose vendors that publish their own security practices and maintain industry-standard certifications. The current list is in our Privacy Policy. We sign a Data Processing Agreement with enterprise customers on request.
8. Compliance
- GDPR & UK GDPR aligned. We act as data processor for customer content and offer a DPA on request.
- CCPA / CPRA aligned.
- Nexis is an early-stage product run by a solo developer. We have not yet pursued SOC 2 / ISO 27001 certification — those are on the roadmap for once we serve regulated industries.
9. Responsible disclosure
Found something? We'd genuinely like to hear from you.
- Email nexis.support@ekamspace.com with details and steps to reproduce.
- Give us a reasonable window to fix the issue (usually 30 days) before disclosing publicly.
- Don't access more data than necessary to demonstrate the issue.
- We don't pursue legal action against good-faith researchers who follow these rules.
Nexis does not currently run a paid bug bounty program. We acknowledge meaningful reports publicly (with your permission) and may offer a small token of appreciation for vulnerabilities with demonstrable impact; we'll add a formal bounty once the company can support it.
10. Incident response
If a security incident materially affects your data we will notify affected account owners by email within 72 hours of confirming the impact, including what happened, what we've done, and what we recommend you do.
11. Contact
Security questions: nexis.support@ekamspace.com
Privacy questions: nexis.support@ekamspace.com