Skip to main content
NNexvendo
โ† Back home
Security overview ยท for procurement review

Nexvendo security and privacy posture.

Consolidated reference document covering how we host, protect, and govern customer data. Written for procurement officers and security reviewers; mirrors what's published across /privacy, /dpa, /cookies, and /for-distributors.

Document version 1.0 ยท Last updated 2026-06-03 ยท Next scheduled review: annually or upon material change

1. Company

Legal entity
Nexvendo ApS, a Danish private limited company (Anpartsselskab)
Registered office
Copenhagen, Denmark
CVR number
Registration pending โ€” to be inserted when issued
Primary contact
info@nexvendo.com (responses within one Nordic business day)
Supervisory authority
Datatilsynet (Denmark) ยท datatilsynet.dk

2. Infrastructure and hosting

All production infrastructure is hosted in the European Union, primarily in Frankfurt, Germany. We do not initiate transfers of personal data outside the European Economic Area in the course of normal operations.

Sub-processors

  • Supabase
    Postgres database, file storage, authentication
    Frankfurt, Germany (eu-central-1)
  • Vercel
    Application hosting, serverless functions, cron jobs
    EU regions
  • Resend
    Transactional email delivery and inbound email webhook
    EU regions
  • Stripe
    Payment processing and subscription billing
    EU regions (Ireland for EU customers)
  • Nordicway
    DNS hosting and domain registration
    Denmark

Each sub-processor processes personal data under a written Data Processing Agreement with equivalent obligations to those Nexvendo commits to its customers. The sub-processor list is published at /privacy; customers receive 30 days' notice of any addition or replacement.

3. Data security

Encryption in transit

TLS 1.2+ enforced on all client-to-server and server-to-server traffic. HSTS enabled on production domains. Modern cipher suites only; legacy SSL and TLS 1.0/1.1 are not accepted.

Encryption at rest

Database and Storage encryption at rest is provided by Supabase's underlying infrastructure (AWS-managed encryption). Distributor credentials (SFTP and HTTPS feed authentication) are additionally encrypted by our application layer using AES-256-GCM with a master key held in environment variables outside the database. A read-only database dump would not reveal usable distributor credentials.

Tenant isolation

Every tenant-owned table enforces Postgres Row-Level Security policies tied to a tenant identifier on every row. Queries from one tenant cannot reach another tenant's rows at the database level, regardless of application-layer bugs. Storage paths are namespaced by tenant identifier with no shared paths.

Authentication

Customer authentication is magic-link email via Supabase Auth โ€” no passwords stored or transmitted. Session cookies are HttpOnly, Secure, SameSite=Lax. Admin access uses the same mechanism with additional admin-membership gating at the application layer.

4. Access control

Least privilege

Production database access uses three role layers: service-role for application backend operations (bypasses RLS but only callable from server-side code with the secret key), authenticated for user-scoped reads via RLS policies, anon for unauthenticated reads (denied on every tenant-owned table).

Founder-team access

The founder team has service-role access to production for operational and support purposes. Direct database access is logged through the application layer where possible. Access is limited to what is necessary for the support request or incident at hand.

API keys

Customer-issued API keys are stored as SHA-256 hashes only. The plaintext value is shown once at creation and never recoverable. Keys can be revoked instantly via the portal; revocation takes effect on the next request.

Audit logging

Sensitive actions on tenant data โ€” customer deletions, feed configuration changes, billing events, GDPR requests, API key lifecycle, manual uploads โ€” are logged to an append-only audit table. Tenants can read their own log at /portal/audit.

5. Backup and disaster recovery

Production backups
Daily backups with point-in-time recovery, 35-day retention
Storage replication
Multi-AZ replication within the EU region
RPO target
24 hours under normal conditions
RTO target
8 business hours for material incidents
Tested recovery
Founder-team performs a manual recovery test annually; documented incident response procedure governs major events

6. Vulnerability management

Code changes flow through pull-request review with automated dependency vulnerability scanning. Infrastructure security tooling provided by Supabase and Vercel is enabled at the platform level. Critical vulnerabilities affecting production are patched within 7 days of disclosure; high-severity within 30 days.

We do not currently maintain a public bug bounty programme. Security reports are accepted at info@nexvendo.com and acknowledged within one business day.

7. Incident response

A documented data breach response procedure governs incident detection, triage, containment, supervisory authority notification, customer notification, and post-incident review. GDPR Article 33 requires notification to the supervisory authority within 72 hours of awareness; we commit to faster than that for material incidents affecting customer data, and to notifying affected customers within 24 hours of detection.

Current operational state is published in real time at /status. Material incidents receive a public post-mortem on the status page with timeline, root cause, and remediation.

8. Privacy posture (GDPR)

Roles

Nexvendo acts as controller for personal data we collect directly (account data, communication, usage telemetry, billing). We act as processor for personal data that customers upload or generate in the platform (their B2B customer contacts, quote line items, etc.).

Lawful basis

Each processing activity has an enumerated lawful basis under GDPR Article 6 โ€” performance of contract (most activities), legal obligation (tax/bookkeeping records, supervisory authority requests), legitimate interest (limited to operational monitoring and security telemetry). Detailed per-activity records are maintained in our internal Records of Processing Activities document.

Data subject rights

Signed-in users can exercise the right to data portability (Art. 20) and the right to erasure (Art. 17) directly from /portal/privacy. Other rights and requests from users without an account are handled by email to info@nexvendo.com. We respond within 30 days as required by Art. 12(3).

Data Processing Agreement

Our standard DPA applies automatically when customers accept the Terms of Service and is available at /dpa. Enterprise customers requiring a negotiated DPA are accommodated on request.

Cookies and analytics

Nexvendo uses only strictly necessary cookies and localStorage โ€” authentication, locale preference, cookie-consent record. We do not run Google Analytics, Vercel Analytics, Plausible, Hotjar, advertising pixels, or any other third-party analytics or tracking. Detailed cookie inventory at /cookies.

9. Operational practices

Code review
All production code changes pass through pull-request review
Deployment
Continuous deployment to Vercel from the main branch with automatic rollback on health-check failure
Secret management
Production secrets stored in Vercel encrypted environment variables; never committed to source control
Onboarding/offboarding
Founder team only at current scale; access revocation procedure documented in incident response plan
Personal devices
Production credentials are not stored on personal devices in plaintext; password manager is required

10. Certifications and audits

Nexvendo is not currently certified to ISO 27001 or SOC 2. We have the technical and organisational controls in place that those frameworks measure against; formal certification is on our roadmap as we onboard public-sector customers requiring it.

For procurement processes that require a formal report today, we can complete reasonable security questionnaires (CAIQ, SIG Lite, custom) within one Nordic business week of receiving them. Email info@nexvendo.com to start.

11. Contact for security matters

Security reports, security questionnaires, procurement reviews, and incident disclosures all go to info@nexvendo.com. We acknowledge within one Nordic business day and respond substantively within five business days, faster for incidents.