Trust Center
Independent attestations, sub-processor disclosures, and live system status — everything enterprises need to evaluate Nexma in one place.
Nexma's compliance program is in active build-out. We list every framework we're working toward, with honest status and target dates — no claims of certifications we don't yet hold.
Independent audit of security, availability, and confidentiality controls. Engagement underway with a Big-Four-affiliated auditor.
Target: Q4 2026
International standard for information security management systems. Gap assessment scheduled; full certification follows SOC 2.
Target: Q2 2027
Data processing addendum, sub-processor disclosure, and EU-data-subject rights workflow are live. Standard contractual clauses available on request.
Target: Operational
Available to customers handling protected health information under a Business Associate Agreement. Required controls partially in place.
Target: Q1 2027
California consumer privacy rights, opt-out, and deletion workflows are integrated into the privacy program.
Target: Operational
Nexma does not store or process cardholder data. Payments are handled by upstream processors; PCI scope does not apply to our infrastructure.
Target: Out of scope
These are the third-party services that may process customer data on Nexma's behalf. Each is bound by a data processing agreement and reviewed annually.
| Vendor | Purpose | Data categories | Location |
|---|---|---|---|
| Vercel | Application hosting and edge delivery | All customer-facing data in transit | US |
| Supabase | Primary database and object storage | Application data, project content | US |
| Clerk | Authentication and identity | User identity, session metadata | US |
| Anthropic | Large language model inference | Prompts and Codex content sent to Jax | US |
| Mapbox | Map tiles and geocoding | Geographic queries, viewport coordinates | US |
| Resend | Transactional email delivery | User email address, message content | US |
| Upstash | Rate limiting and edge cache | Request metadata, IP hashes | US |
| PostHog | Product analytics | Anonymized usage events, feature interactions | US |
We notify customers of material changes to this list at least 30 days before adding a new sub-processor that touches their data. Full disclosure in the legal vault.
Real-time visibility into the platform's availability. Historical uptime and incident history live on the public status page.
Policies, agreements, and disclosures procurement reviewers commonly request. Each document is versioned with its last revision date.
How Nexma collects, uses, and protects personal information.
Updated Mar 19, 2026
Technical and administrative controls protecting customer data.
Updated May 20, 2026
Detection, notification, and post-mortem commitments for security events.
Updated May 20, 2026
Authentication, authorization, and least-privilege standards across systems.
Updated May 20, 2026
How long different categories of data are kept and how they are deleted.
Updated May 20, 2026
How Nexma evaluates and monitors sub-processors and service providers.
Updated May 20, 2026
Standard DPA covering processor obligations and standard contractual clauses.
Updated Mar 19, 2026
Disclosure of cookies and similar technologies used on Nexma surfaces.
Updated Mar 19, 2026
A short summary of how Nexma stores, encrypts, retains, and deletes customer data. The full policies are in Downloads.
All customer data is stored and processed in the United States. We do not replicate to other regions today. EU and UK residency are on the roadmap and will be announced when available; customers with regional requirements should reach out before contracting.
Data is encrypted in transit with TLS 1.2 or higher and at rest with AES-256. Database backups are encrypted with rotating keys. Secrets are stored in a managed key vault, never in source control or build artifacts.
Active project data is retained for the duration of the customer relationship. Audit logs are retained for twelve months. Backups roll on a thirty-day window. Deleted projects enter a thirty-day soft-delete window before being purged from primary storage and backups on the next rotation.
Customers may request export or deletion of their data at any time through their account owner; we honor verified requests within thirty days. See the full retention and deletion policy.
Our commitment to detecting, communicating about, and learning from security events.
Nexma operates a 24/7 on-call rotation. Security-relevant events are triaged within one hour of detection. Customers whose data is affected by a confirmed incident receive direct notification within seventy-two hours of confirmation, regardless of regulatory minimums.
Within fourteen days of resolution we publish a post-mortem to affected customers covering timeline, root cause, customer impact, and the concrete actions we are taking to prevent recurrence. Material incidents are also summarized on the public status page.
Report a security concern to security@nexma.ai. Live availability and incident history are published at status.nexma.ai.
Need our SOC 2 readiness letter, a signed DPA, or a security questionnaire response? Send a short note and a sales engineer will follow up.