Security & compliance
Built so your auditors don't have to take our word for it.
Cryptographic, not procedural. The audit chain, the HSM signatures, the WORM receipts — they exist independently of Nexune. Hand them to your auditor; they can verify with off-the-shelf tools.
Identity
AAD multi-tenant. Delegated tokens. No long-lived secrets.
We never hold a consented client secret for a customer's tenant. Every Microsoft Graph call is made under a per-user delegated token, refreshed by the operator's session. Per-tenant tokens live in Azure Key Vault, isolated per (customer, pair, side).
Tenancy isolation
SQL Server Row-Level Security on every per-customer table.
ADR-0001. The fn_tenant_filter UDF and the dbo.tenant_isolation security policy enforce FILTER and BLOCK predicates on 13 per-customer tables. SESSION_CONTEXT('customer_id') is stamped on every connection by an EF Core interceptor. Background workers explicitly bypass the policy under audited scopes.
Audit chain
Hash-chained, HSM-signed, WORM-notarized — every 60 seconds.
ADR-0002. Every audit row has prev_hash + this_hash columns. NotarizationBackgroundService seals each per-customer batch with an Azure Key Vault HSM signature and uploads it to immutable Blob storage with a 7-year locked policy.
Approval cryptography
Production change is gated by HSM signatures over a canonical manifest.
Every wave approval is RS256-signed by an Azure Key Vault Premium HSM. The versioned kid is stamped on the receipt. Approvals ≤ 24h fresh. Replay-defended via consumed_at. Two-approver gate for waves above 100 devices, with SoD enforced.
Key management
Azure Key Vault Premium HSM for signing. Per-customer KV for tenant tokens.
Signing keys never leave the HSM boundary. Tenant tokens are stored as version-pinned secrets, so a retrieve returns exactly what we stored. Key rotation is operator-initiated; the new kid carries forward on the next notarization receipt.
Data residency
UK South today. Customer-elected regions for enterprise.
The single Nexune-hosted region today is Azure UK South. Enterprise customers can request a dedicated region (Bicep-templated, provisioned per-deployment). All in-flight data is TLS 1.3; data at rest is AES-256.
A receipt looks like this
Every action emits a portable, verifiable receipt.
Your auditor doesn't need access to our infrastructure. They need this receipt and a public key. The blob URI is immutable. The signature is RS256.
{
  "customerId": "c_3f9a2b…",
  "batchHead": "0x7c9a1d…",
  "prevHash": "0x5b88f2…",
  "thisHash": "0x91d44e…",
  "signedAt": "2026-05-19T04:21:00Z",
  "kid": "kv-premium/keys/audit-2026/2",
  "signature": "MEUCIQDk…RS256/PKCS#1v1.5",
  "wormBlobUri": "https://nx.blob…/c_3f9a2b/2026/05/19/0421Z.json",
  "immutability": "locked-7y"
}
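An added example, not Nexune's code: a check an auditor could run over exported audit rows to confirm the prev_hash/this_hash linkage described under "Audit chain" and to compare the final hash with a receipt's batchHead. The page does not publish the hashing rule, so the SHA-256-over-canonical-JSON rule, the all-zero genesis value, the bare-hex encoding, the row `body` field, and batchHead being the last row's this_hash are all assumptions.

```python
import hashlib
import json

GENESIS = "00" * 32  # assumed prev_hash of the first row in a customer's chain

def row_hash(prev_hash: str, body: dict) -> str:
    # Assumed rule: SHA-256 over prev_hash bytes followed by canonical JSON
    # (sorted keys, no insignificant whitespace, UTF-8) of the row body.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(bytes.fromhex(prev_hash) + canon).hexdigest()

def append_row(chain: list, body: dict) -> None:
    # Builds constructed sample data the way a writer would extend the chain.
    prev = chain[-1]["this_hash"] if chain else GENESIS
    chain.append({"prev_hash": prev, "this_hash": row_hash(prev, body), "body": body})

def verify_chain(rows: list, expected_head: str = None) -> list:
    """Return (index, reason) findings; an empty list means the chain verifies."""
    findings = []
    prev = GENESIS
    for i, row in enumerate(rows):
        if row["prev_hash"] != prev:
            findings.append((i, "prev_hash does not link to previous row"))
        if row_hash(row["prev_hash"], row["body"]) != row["this_hash"]:
            findings.append((i, "this_hash does not match row content"))
        prev = row["this_hash"]
    # Linkage alone cannot reveal rows dropped from the tail; comparing with
    # the head recorded in a signed receipt does (assumed: batchHead is the
    # this_hash of the last row in the batch).
    if expected_head is not None and prev != expected_head:
        findings.append((len(rows), "chain head differs from receipt batchHead"))
    return findings

def sample_chain() -> list:
    # Constructed audit rows, not real data.
    chain = []
    for n, action in enumerate(["wave.approve", "device.migrate", "token.refresh"]):
        append_row(chain, {"customer_id": "c_example", "seq": n, "action": action})
    return chain

if __name__ == "__main__":
    rows = sample_chain()
    head = rows[-1]["this_hash"]
    print("intact:", verify_chain(rows, head))
    rows[1]["body"]["action"] = "device.skip"  # edit a row in place
    print("edited:", verify_chain(rows, head))
    print("truncated:", verify_chain(sample_chain()[:2], head))
```

The head comparison is only as trustworthy as the receipt it comes from, so the receipt's RS256 signature should be verified against the public key for its kid before the batchHead is used.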
Sub-processors
Microsoft Azure. That's it.
All compute, storage, key management, message bus, and identity services run inside Microsoft Azure. We don't share customer data with any third-party SaaS for marketing, telemetry, or analytics. Email and (when enabled) Teams notifications go through Azure-native services on your behalf, not ours.
Full Data Processing Addendum available on request — security@nexune.in.
Disclosure
If you find something, tell us.
Email security@nexune.in with a description and steps to reproduce. We acknowledge within 24 hours and triage within 72. Coordinated disclosure window is 90 days. We don't run a bug bounty yet — we'll publish one with the SOC 2 audit in 2026.
PGP key on request.
Want the threat model?
The full mitigation matrix maps every threat (T-001 through T-030+) to a code-level mitigation. Available under NDA.