Four guarantees the architecture makes
Each one is enforced in code and verifiable from outside — not a policy document.
Cryptographic, not procedural. The audit chain, the HSM signatures, the WORM receipts — they exist independently of Nexune. Hand them to your auditor; they can verify with off-the-shelf tools.
Each one is enforced in code and verifiable from outside — not a policy document.
BitLocker recovery passwords are escrowed device-side to the destination tenant — they never transit or rest in our control plane.
Every action lands in a tamper-evident audit record your auditor can verify independently.
Your data is isolated at the database layer — enforced on every query, not just in app code.
No production change happens without a signed approval.
Six layers, from identity to data residency. Full architecture documentation available under NDA.
Identity
We never hold a consented client secret for a customer's tenant. Every Microsoft Graph call is made under a per-user delegated token, refreshed by the operator's session. Per-tenant tokens live in Azure Key Vault, isolated per (customer, pair, side).
Tenancy isolation
SQL row-level security, enforced below the application. Filtering and blocking rules on every per-customer table scope each query to your workspace, and the customer boundary is stamped on every database connection — not just in application code.
Audit chain
Every audit entry is cryptographically linked to the one before it, so tampering is detectable. A background service signs and seals each per-customer batch with an Azure Key Vault HSM signature every 60 seconds and uploads it to immutable Blob storage with a 7-year locked policy.
Approval cryptography
Every wave approval is RS256-signed by an Azure Key Vault Premium HSM. The versioned kid is stamped on the receipt. Approvals expire after 24 hours, and each signature can only be redeemed once. Two-approver gate for waves above 100 devices, with SoD enforced.
Key management
Signing keys never leave the HSM boundary. Tenant tokens are stored as version-pinned secrets so retrieve sees exactly what we stored. Key rotation is operator-initiated; the new kid carries forward on the next notarization receipt.
Data residency
The single Nexune-hosted region today is Azure UK South. Enterprise customers can request a dedicated region (a dedicated deployment provisioned in your own region). All in-flight data is TLS 1.3; data at rest is AES-256.
Your auditor doesn't need access to our infrastructure. They need this receipt and a public key. The blob URI is immutable. The signature is RS256.
1{2 "customerId": "c_3f9a2b…",3 "batchHead": "0x7c9a1d…",4 "prevHash": "0x5b88f2…",5 "thisHash": "0x91d44e…",6 "signedAt": "2026-05-19T04:21:00Z",7 "kid": "kv-premium/keys/audit-2026/2",8 "signature": "MEUCIQDk…RS256/PKCS#1v1.5",9 "wormBlobUri": "https://nx.blob…/c_3f9a2b/2026/05/19/0421Z.json",10 "immutability":"locked-7y"11}
Sub-processors
Compute, storage, key management, message bus, transactional email, and telemetry run inside Microsoft Azure. Two named third parties sit outside it: Stripe processes billing, and Netlify serves these public pages — neither touches customer or device data. We don't share customer data with any SaaS for marketing, analytics, or advertising.
Full list with regions and data categories — Sub-processors. DPA on request — security@nexune.in.
Disclosure
Email security@nexune.in with a description and steps to reproduce. We acknowledge within 24 hours and triage within 72. Coordinated disclosure window is 90 days. We don't run a bug bounty yet — we'll publish one with the SOC 2 audit in 2026.
PGP key on request.
The full mitigation matrix maps every identified threat to a code-level mitigation. Available under NDA.