Nexvendo security and privacy posture.
Consolidated reference document covering how we host, protect, and govern customer data. Written for procurement officers and security reviewers; mirrors what's published across /privacy, /dpa, /cookies, and /for-distributors.
Document version 1.0 ยท Last updated 2026-06-03 ยท Next scheduled review: annually or upon material change
1. Company
2. Infrastructure and hosting
All production infrastructure is hosted in the European Union, primarily in Frankfurt, Germany. We do not initiate transfers of personal data outside the European Economic Area in the course of normal operations.
Sub-processors
- SupabasePostgres database, file storage, authenticationFrankfurt, Germany (eu-central-1)
- VercelApplication hosting, serverless functions, cron jobsEU regions
- ResendTransactional email delivery and inbound email webhookEU regions
- StripePayment processing and subscription billingEU regions (Ireland for EU customers)
- NordicwayDNS hosting and domain registrationDenmark
Each sub-processor processes personal data under a written Data Processing Agreement with equivalent obligations to those Nexvendo commits to its customers. The sub-processor list is published at /privacy; customers receive 30 days' notice of any addition or replacement.
3. Data security
Encryption in transit
TLS 1.2+ enforced on all client-to-server and server-to-server traffic. HSTS enabled on production domains. Modern cipher suites only; legacy SSL and TLS 1.0/1.1 are not accepted.
Encryption at rest
Database and Storage encryption at rest is provided by Supabase's underlying infrastructure (AWS-managed encryption). Distributor credentials (SFTP and HTTPS feed authentication) are additionally encrypted by our application layer using AES-256-GCM with a master key held in environment variables outside the database. A read-only database dump would not reveal usable distributor credentials.
Tenant isolation
Every tenant-owned table enforces Postgres Row-Level Security policies tied to a tenant identifier on every row. Queries from one tenant cannot reach another tenant's rows at the database level, regardless of application-layer bugs. Storage paths are namespaced by tenant identifier with no shared paths.
Authentication
Customer authentication is magic-link email via Supabase Auth โ no passwords stored or transmitted. Session cookies are HttpOnly, Secure, SameSite=Lax. Admin access uses the same mechanism with additional admin-membership gating at the application layer.
4. Access control
Least privilege
Production database access uses three role layers: service-role for application backend operations (bypasses RLS but only callable from server-side code with the secret key), authenticated for user-scoped reads via RLS policies, anon for unauthenticated reads (denied on every tenant-owned table).
Founder-team access
The founder team has service-role access to production for operational and support purposes. Direct database access is logged through the application layer where possible. Access is limited to what is necessary for the support request or incident at hand.
API keys
Customer-issued API keys are stored as SHA-256 hashes only. The plaintext value is shown once at creation and never recoverable. Keys can be revoked instantly via the portal; revocation takes effect on the next request.
Audit logging
Sensitive actions on tenant data โ customer deletions, feed configuration changes, billing events, GDPR requests, API key lifecycle, manual uploads โ are logged to an append-only audit table. Tenants can read their own log at /portal/audit.
5. Backup and disaster recovery
6. Vulnerability management
Code changes flow through pull-request review with automated dependency vulnerability scanning. Infrastructure security tooling provided by Supabase and Vercel is enabled at the platform level. Critical vulnerabilities affecting production are patched within 7 days of disclosure; high-severity within 30 days.
We do not currently maintain a public bug bounty programme. Security reports are accepted at info@nexvendo.com and acknowledged within one business day.
7. Incident response
A documented data breach response procedure governs incident detection, triage, containment, supervisory authority notification, customer notification, and post-incident review. GDPR Article 33 requires notification to the supervisory authority within 72 hours of awareness; we commit to faster than that for material incidents affecting customer data, and to notifying affected customers within 24 hours of detection.
Current operational state is published in real time at /status. Material incidents receive a public post-mortem on the status page with timeline, root cause, and remediation.
8. Privacy posture (GDPR)
Roles
Nexvendo acts as controller for personal data we collect directly (account data, communication, usage telemetry, billing). We act as processor for personal data that customers upload or generate in the platform (their B2B customer contacts, quote line items, etc.).
Lawful basis
Each processing activity has an enumerated lawful basis under GDPR Article 6 โ performance of contract (most activities), legal obligation (tax/bookkeeping records, supervisory authority requests), legitimate interest (limited to operational monitoring and security telemetry). Detailed per-activity records are maintained in our internal Records of Processing Activities document.
Data subject rights
Signed-in users can exercise the right to data portability (Art. 20) and the right to erasure (Art. 17) directly from /portal/privacy. Other rights and requests from users without an account are handled by email to info@nexvendo.com. We respond within 30 days as required by Art. 12(3).
Data Processing Agreement
Our standard DPA applies automatically when customers accept the Terms of Service and is available at /dpa. Enterprise customers requiring a negotiated DPA are accommodated on request.
Cookies and analytics
Nexvendo uses only strictly necessary cookies and localStorage โ authentication, locale preference, cookie-consent record. We do not run Google Analytics, Vercel Analytics, Plausible, Hotjar, advertising pixels, or any other third-party analytics or tracking. Detailed cookie inventory at /cookies.
9. Operational practices
10. Certifications and audits
Nexvendo is not currently certified to ISO 27001 or SOC 2. We have the technical and organisational controls in place that those frameworks measure against; formal certification is on our roadmap as we onboard public-sector customers requiring it.
For procurement processes that require a formal report today, we can complete reasonable security questionnaires (CAIQ, SIG Lite, custom) within one Nordic business week of receiving them. Email info@nexvendo.com to start.
11. Contact for security matters
Security reports, security questionnaires, procurement reviews, and incident disclosures all go to info@nexvendo.com. We acknowledge within one Nordic business day and respond substantively within five business days, faster for incidents.