SECURITY
Security is foundational to the NEXUS platform, which is built from the ground up with a defense-in-depth architecture, end-to-end encryption, and continuous monitoring.
Infrastructure
DEDICATED HOSTING
Hetzner dedicated server in Germany (EU). Cloudflare edge network. No shared hosting — your data runs on isolated, single-tenant infrastructure.
Encryption
END-TO-END
TLS 1.3 in transit. AES-256 at rest. ECDH + AES-GCM end-to-end encryption for device synchronization. No plaintext data leaves your devices.
Authentication
MULTI-FACTOR
JWT token authentication with device fingerprinting. Optional two-factor authentication (2FA) via TOTP. Session tokens rotate automatically.
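The token design above (a signed session token bound to a device fingerprint, with automatic rotation) can be illustrated with a small HS256 implementation. This is an added example, not NEXUS code: the claim names beyond the standard ones (`dfp`, `jti`), the fingerprint inputs, the 15-minute rotation window and the demo key are all assumptions made for illustration, and only the Python standard library is used.

```python
"""HS256 session token bound to a device fingerprint, with rotation.

Added example, not NEXUS code. Claim names, fingerprint inputs, TTL and the
secret are constructed for illustration; production keys come from a KMS.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import os
import time

SECRET = b"constructed-demo-key-do-not-reuse"  # constructed for the example
TOKEN_TTL = 15 * 60                             # assumed rotation window (seconds)


class TokenError(Exception):
    """Raised for any verification failure; callers treat all causes alike."""


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def device_fingerprint(user_agent: str, device_id: str) -> str:
    """Hash of stable per-device attributes (the inputs are assumptions)."""
    return hashlib.sha256(f"{user_agent}\x00{device_id}".encode()).hexdigest()


def issue(sub: str, dfp: str, now: float | None = None) -> str:
    """Mint a token whose payload carries the device fingerprint hash."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "dfp": dfp, "iat": int(now),
               "exp": int(now) + TOKEN_TTL, "jti": os.urandom(8).hex()}
    compact = lambda obj: _b64u(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64u(sig)}"


def verify(token: str, presented_dfp: str, now: float | None = None) -> dict:
    """Check signature, expiry and device binding; return the claims."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64u_dec(h))
        sig = _b64u_dec(s)
    except ValueError as exc:          # covers malformed base64 and JSON
        raise TokenError("malformed token") from exc
    # Pin the algorithm: the server decides how to verify, never the token.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    payload = json.loads(_b64u_dec(p))  # trusted only after the signature check
    if payload.get("exp", 0) <= now:
        raise TokenError("expired")
    # A valid token replayed from another device fails the fingerprint check.
    if not hmac.compare_digest(str(payload.get("dfp", "")), presented_dfp):
        raise TokenError("device mismatch")
    return payload


def rotate(token: str, presented_dfp: str, now: float | None = None) -> str:
    """Verify the current token and issue a fresh one for the same device."""
    payload = verify(token, presented_dfp, now)
    return issue(payload["sub"], payload["dfp"], now)
```

The device check is done with `hmac.compare_digest` even though the claim is already authenticated, so that the comparison itself does not leak timing information; the algorithm is pinned server-side so a token cannot pick its own verification method.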
Access Control
6-TIER RBAC
Role-based access control with 6 tiers (T0 Owner through T4 End User, plus a Personas tier). A per-tier RPC allow-list ensures each tier can reach only the calls it needs (least privilege).
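A deny-by-default allow-list of the kind described above, with the self-escalation guard mentioned under Security Testing, looks like this. This is an added example, not NEXUS code: the tier names follow the page's scheme, but the RPC names, the contents of each allow-list and the exact escalation rule (a caller may not change its own tier, and may only assign tiers strictly below its own) are assumptions for illustration.

```python
"""Per-tier RPC allow-list with a self-escalation guard.

Added example, not NEXUS code. Tier names follow the page; RPC names,
allow-list contents and the escalation rule are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Most privileged first; the index is the rank (lower index = more power).
TIERS = ("T0", "T1", "T2", "T3", "T4", "PERSONA")
RANK = {tier: i for i, tier in enumerate(TIERS)}

# Deny by default: an RPC is reachable from a tier only if listed here.
# Nothing is inherited implicitly, so a new RPC is unreachable until a tier
# explicitly lists it. RPC names are constructed for the example.
RPC_ALLOW: dict[str, frozenset[str]] = {
    "T0": frozenset({"org.export", "org.erase", "user.role.set",
                     "user.list", "doc.read", "doc.write"}),
    "T1": frozenset({"user.role.set", "user.list", "doc.read", "doc.write"}),
    "T2": frozenset({"user.list", "doc.read", "doc.write"}),
    "T3": frozenset({"doc.read", "doc.write"}),
    "T4": frozenset({"doc.read", "doc.write"}),
    "PERSONA": frozenset({"doc.read"}),
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    tier: str


class RpcDenied(PermissionError):
    """Authorisation failure; the handler is never reached."""


def is_allowed(tier: str, rpc: str) -> bool:
    """True only if the tier's allow-list names the RPC (unknown tier: False)."""
    return rpc in RPC_ALLOW.get(tier, frozenset())


def check_role_change(caller: Principal, target_id: str, new_tier: str) -> None:
    """Assumed escalation rule: no self-change, and only strictly lower tiers
    may be granted, so no path leads to a tier at or above the caller's own."""
    if new_tier not in RANK:
        raise RpcDenied(f"unknown tier {new_tier!r}")
    if target_id == caller.user_id:
        raise RpcDenied("changing your own tier is not permitted")
    if RANK[new_tier] <= RANK[caller.tier]:
        raise RpcDenied(f"{caller.tier} cannot grant {new_tier}")


def dispatch(caller: Principal, rpc: str, params: dict) -> str:
    """Authorise first, then run. Returns a short result string for the demo."""
    if not is_allowed(caller.tier, rpc):
        raise RpcDenied(f"{caller.tier} may not call {rpc}")
    if rpc == "user.role.set":
        check_role_change(caller, params["target"], params["tier"])
        return f"{params['target']} -> {params['tier']}"
    return f"{rpc} ok"
```

The two checks are deliberately separate: the allow-list decides whether a tier may call `user.role.set` at all, and the escalation guard decides which role changes that call may make, so adding the RPC to a tier's list never silently grants it the ability to reach the Owner tier.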
Data
ISOLATED STORAGE
Dedicated PostgreSQL instance per organization. Automated daily backups with verified restore. VPN-only administrative access.
Monitoring
REAL-TIME ALERTS
Prometheus + Grafana observability stack. Real-time alerts via ntfy. Anomaly detection for suspicious access patterns.
INCIDENT RESPONSE
Our incident response times are based on severity classification:
P0  < 1 HOUR    Critical — Service down
P1  < 4 HOURS   High — Major degradation
P2  < 24 HOURS  Medium — Partial impact
COMPLIANCE
- GDPR-ready: Data export and erasure RPCs built into the platform (see Privacy Policy)
- Data residency: All data stored in Germany (EU) by default
- Log retention: 90 days rolling, then purged
- Audit trail: All administrative actions logged and immutable
SECURITY TESTING
- Continuous SAST in CI pipeline — every commit scanned
- Automated vulnerability scanning via security_analyzer.py (custom tool)
- Dependency auditing with automated alerts for CVEs
- JWT security hardened: anonymous WebSocket authentication bypass fixed, role self-escalation prevented
REPORT A VULNERABILITY
If you discover a security vulnerability, please report it responsibly.
Email: security@zeltrex.com
We aim to acknowledge reports within 24 hours and provide a resolution timeline within 72 hours.