Skip to content
exune

Built so your auditors don't have to take our word for it.

Cryptographic, not procedural. The audit chain, the HSM signatures, the WORM receipts — they exist independently of Nexune. Hand them to your auditor; they can verify with off-the-shelf tools.

SOC 2
Evidence maintained · Type II planned 2026
ISO 27001
Planned
GDPR-ready
DPA available · deletion on request
India DPDP-aware
Data residency options · DPDP-aligned handling

Four guarantees the architecture makes

Each one is enforced in code and verifiable from outside — not a policy document.

Keys stay on the device

BitLocker recovery passwords are escrowed device-side to the destination tenant — they never transit or rest in our control plane.

WORM-notarized audit chain

Every action lands in a tamper-evident audit record your auditor can verify independently.

SQL row-level security

Your data is isolated at the database layer — enforced on every query, not just in app code.

Cryptographic approval gates

No production change happens without a signed approval.

The architecture, in detail

Six layers, from identity to data residency. Full architecture documentation available under NDA.

Identity

AAD multi-tenant. Delegated tokens. No long-lived secrets.

We never hold a consented client secret for a customer's tenant. Every Microsoft Graph call is made under a per-user delegated token, refreshed by the operator's session. Per-tenant tokens live in Azure Key Vault, isolated per (customer, pair, side).

Tenancy isolation

SQL Server Row-Level Security on every per-customer table.

SQL row-level security, enforced below the application. Filtering and blocking rules on every per-customer table scope each query to your workspace, and the customer boundary is stamped on every database connection — not just in application code.

Audit chain

Hash-chained, HSM-signed, WORM-notarized — every 60 seconds.

Every audit entry is cryptographically linked to the one before it, so tampering is detectable. A background service signs and seals each per-customer batch with an Azure Key Vault HSM signature every 60 seconds and uploads it to immutable Blob storage with a 7-year locked policy.

Approval cryptography

Production change is gated by HSM signatures over a canonical manifest.

Every wave approval is RS256-signed by an Azure Key Vault Premium HSM. The versioned kid is stamped on the receipt. Approvals expire after 24 hours, and each signature can only be redeemed once. Two-approver gate for waves above 100 devices, with SoD enforced.

Key management

Azure Key Vault Premium HSM for signing. Per-customer KV for tenant tokens.

Signing keys never leave the HSM boundary. Tenant tokens are stored as version-pinned secrets so retrieve sees exactly what we stored. Key rotation is operator-initiated; the new kid carries forward on the next notarization receipt.

Data residency

UK South today. Customer-elected regions for enterprise.

The single Nexune-hosted region today is Azure UK South. Enterprise customers can request a dedicated region (a dedicated deployment provisioned in your own region). All in-flight data is TLS 1.3; data at rest is AES-256.

Every action emits a portable, verifiable receipt

Your auditor doesn't need access to our infrastructure. They need this receipt and a public key. The blob URI is immutable. The signature is RS256.

audit-receipt.json — abridged
1{
2 "customerId": "c_3f9a2b…",
3 "batchHead": "0x7c9a1d…",
4 "prevHash": "0x5b88f2…",
5 "thisHash": "0x91d44e…",
6 "signedAt": "2026-05-19T04:21:00Z",
7 "kid": "kv-premium/keys/audit-2026/2",
8 "signature": "MEUCIQDk…RS256/PKCS#1v1.5",
9 "wormBlobUri": "https://nx.blob…/c_3f9a2b/2026/05/19/0421Z.json",
10 "immutability":"locked-7y"
11}

Sub-processors

Microsoft Azure, and a short named list.

Compute, storage, key management, message bus, transactional email, and telemetry run inside Microsoft Azure. Two named third parties sit outside it: Stripe processes billing, and Netlify serves these public pages — neither touches customer or device data. We don't share customer data with any SaaS for marketing, analytics, or advertising.

Full list with regions and data categories — Sub-processors. DPA on request — security@nexune.in.

Disclosure

If you find something, tell us.

Email security@nexune.in with a description and steps to reproduce. We acknowledge within 24 hours and triage within 72. Coordinated disclosure window is 90 days. We don't run a bug bounty yet — we'll publish one with the SOC 2 audit in 2026.

PGP key on request.

Want the threat model?

The full mitigation matrix maps every identified threat to a code-level mitigation. Available under NDA.