Trust through transparency
Security at Nexus
Self-host for full control, or run our defaults. Here's exactly how we protect data — and what's still on the roadmap.
Architecture
React SPA + Node/Express API + SQLite (Postgres on the roadmap). Deploy with Docker + Nginx, fully self-hostable inside your network.
Encryption
bcrypt password hashing; TLS in transit (terminate at Nginx/Cloudflare); BYOK provider keys encrypted at rest with AES-256-GCM.
Audit Logs
Security-relevant actions recorded with actor, IP, user-agent, and metadata — queryable by admins.
BYOK
Bring your own AI keys, encrypted and scoped per workspace; never returned to clients; owner/admin gated.
Access Control
RBAC with object-level authorization on mutating routes, scoped & IP-allowlisted API keys, and auth rate limiting.
Self Hosting
Keep all data and AI inference on infrastructure you control — ideal for regulated and sovereign environments.
Implemented today
- Env-only JWT secret (the server refuses to boot if the secret is missing or insecure)
- bcrypt password hashing
- Object-level authorization (anti-IDOR) on pages, blocks, rows, comments
- Security headers + configurable CORS allowlist
- Auth rate limiting
- API key authentication (hashed, scoped, IP allowlist)
- Encrypted BYOK + audit logging
- Automated backup & restore scripts
Roadmap — not yet available
- SSO / SAML and MFA
- SOC 2 / ISO 27001 certification
- Database-at-rest encryption + external KMS/HSM
- Content Security Policy at the edge by default
- High availability (PostgreSQL + Redis, multi-replica)
We will never claim a certification we don't hold. This list reflects honest current status.
Security questions or disclosure?
Reach our team via the contact page. We welcome responsible disclosure.