Skip to content
exune

Trust center

Trust isn't a page. It's the substrate.

The organization-wide posture: what's certified, what's tested, what's planned, and who to contact. The platform security itself — hash-chained audit, HSM approvals, WORM receipts, database-enforced isolation — is documented in depth on the product page. We'd rather tell you what isn't done yet than imply it is.

Platform security documentation

How customer data is isolated at the database layer, encrypted, cryptographically approved, and audited — the foundation every Nexune product is built on — is documented in depth on the product security page.

Certifications & compliance

We publish status honestly — nothing is listed here as done until it is.

Evidence maintained

SOC 2

A live control matrix maps controls already built in code and infrastructure to the SOC 2 Trust Services Criteria, each with an evidence anchor. It is an honest starting point for a Type I/II engagement — planned for 2026 — not an attestation, and it lists the gaps an auditor will flag.

Planned

ISO 27001

Planned, not yet started. We will publish the certificate here when we hold it — and not before.

Tested resilience & honest availability

Backups aren't backups until you've restored one — and a status page shouldn't show a green light it can't back.

Tested backups: RTO 11m28s, RPO ≤10m

A real point-in-time restore drill against the live database measured a restore time of 11 min 28 s and a recovery point of ≤ 10 min, with the restored copy verified row-for-row. Continuous log backups give a 7-day restore window. Two honest caveats: that time was measured on a small dataset and is a floor, not a promise at scale; and region-loss (geo-restore) recovery is a separate exercise we have not yet run. We re-run the drill quarterly.

Availability is watched, not assumed

A deep-readiness endpoint probes the database, Key Vault, and Blob storage on every check. A synthetic web test hits it from three regions; alerts fire on readiness failure, on a 5xx spike, and on a discovery/wave failure spike, routed to on-call. We verified the pipeline with a deliberate synthetic failure — the alert fired in 5 min 15 s. A public, externally-hosted status page is on the roadmap; until it's live we won't show a green light we can't back.

Sub-processors: a short named list

Compute, database, key management, message bus, transactional email, and telemetry run inside Microsoft Azure. Stripe processes billing; Netlify serves these public pages. Nothing else touches customer or device data.

GDPR- and India-DPDP-aligned

We act as processor on the customer's documented instructions. Our Data Processing Addendum covers GDPR Article 28 and India DPDP with Standard Contractual Clauses appended; see also the privacy policy. One gap we're honest about: an engineered right-to-erasure workflow is still being designed (audit WORM data is intentionally immutable under a documented lawful basis).

Disclosure & security documents

Found a vulnerability? Email security@nexune.in with steps to reproduce — we acknowledge within 24 hours and triage within 72 (90-day coordinated disclosure). The same address gets you the DPA, the sub-processor list, the SOC 2 control matrix, the restore-drill results, and the PGP key. We don't run a bug bounty yet — we'll launch one alongside the SOC 2 audit.

Everything an auditor asks for, in one thread.

The DPA, sub-processor list, SOC 2 control matrix, and restore-drill results — ask and we route it same-day.