1. Infrastructure
The Service is hosted on cloud infrastructure located in the European Union and the United States. Production environments are isolated from development and staging via separate accounts, networks, and credentials. All inter-service traffic is encrypted with TLS 1.3 and all data at rest is encrypted with AES-256 using rotated keys managed in a dedicated KMS.
2. Access Controls
Access to production systems is granted on a least-privilege basis, requires hardware-backed multi-factor authentication, and is logged with immutable audit trails. Access is reviewed quarterly and revoked within twenty-four (24) hours of role change or departure.
3. Secure Development
All code changes pass peer review, automated unit and integration tests, static analysis (SAST), dependency scanning, and secret scanning before merge. Container images are scanned at build time and at runtime.
4. Vulnerability Management
We perform continuous vulnerability scanning and engage independent third parties for annual penetration testing. Identified vulnerabilities are triaged within one business day and remediated according to severity (critical: 72 hours, high: 14 days, medium: 30 days, low: 90 days).
5. Incident Response
We maintain a documented incident response plan with on-call rotation. In the event of a confirmed personal data breach, affected customers and regulators are notified within the timeframes required by applicable law (e.g. 72 hours under GDPR).
6. Responsible Disclosure
Report suspected vulnerabilities to security@nexelioflow.com with reproduction steps. We acknowledge reports within one business day, work in good faith on remediation, and do not pursue legal action against researchers who act under our responsible disclosure guidelines.