Security

Security First

Built with operator-grade security, audit trails, and responsible disclosure.
We take security seriously—because you do.

How we protect your data

Strict CSP

Content Security Policy blocks inline scripts, requires HTTPS, and allows only whitelisted origins.

HMAC Verification

All Pulse ingests require HMAC signatures. No unsigned payloads are processed.

Audit Logs

Every event is logged with timestamp, tenant, and payload hash for full traceability.

Least Privilege

Role-based access control, scoped API keys, and tenant isolation by default.

Data Retention

Pulse events are retained for 30 days. No PII is stored unless explicitly provided in the payload.

HTTPS Only

All traffic encrypted in transit. No HTTP, no exceptions.

Report a Vulnerability

How to Report

Email: security@nexusbase.tech

Subject: SECURITY — [short summary]

Include minimal reproduction steps, affected components/endpoints, and any PoC.
Do not exfiltrate data or perform destructive actions.

Scope

  • Public website and product endpoints under *.nexusbase.tech
  • API endpoints: /api/pulse/ingest, /api/entitlements, etc.
  • Repositories and CI systems for NEXUS products

Safe Harbor

We support good-faith security research. If you act in good faith, avoid privacy violations, and do not disrupt services, we will treat your report as authorized under this policy.

We respond within 2 hours for critical issues

Acknowledgment: within 24 hours
Triage & fix timeline: depends on severity (communicated in initial response)