Protecting customer data
is part of the build.
Nodeblue handles operational data for industrial facilities and the enterprises around them. We treat security as engineering work, written down, reviewed, and tested, not as a compliance afterthought.
Where we stand
- On premise and air gap capable by default
- Encrypted at rest (AES 256) and in transit (TLS 1.2+)
- Foundational connectors are open source and auditable on GitHub
- Customer data is isolated by tenant and never used to train models
Four pillars
we hold the program to.
Reliable, secure infrastructure
Workloads run on hardened infrastructure with continuous monitoring, encrypted storage, and network controls scoped to least privilege. Production access is logged, scoped, and reviewed.
Procedures and controls
Written policies cover access, change management, vendor review, and incident response. Reviews and audits run on a defined cadence rather than ad hoc.
Secure people and access
Background checks for engineers with production access, mandatory security training, authentication backed by hardware keys, and immediate offboarding when roles change.
Data privacy
Customer data is treated as the customer's data. We minimize what we collect, isolate it by tenant, and align our handling with GDPR and CCPA principles.
Your data
stays yours.
The most defensible data is the data that never leaves your control. Nodeblue is built to keep it that way, which is why defense, utilities, and pharma can run it at all.
- On premise by default
- Nexus can run entirely inside your network, air gapped, with a persistent memory of the operation held on premise. No cloud dependency is required to use it.
- No training on your data
- Your operational data is never used to train shared models. The engine is deterministic, not a model fed by your site, so your process knowledge stays yours.
- Tenant isolation
- In hosted deployments every customer's data is logically isolated and never commingled with another customer's.
- Minimal collection
- We collect what the work requires and nothing we cannot justify. Less data held is less data exposed.
- Retention on your terms
- You decide what is kept and for how long. We support access, correction, and deletion requests and remove data when you ask.
What we do day to day
to keep data safe.
Encryption
TLS 1.2+ in transit. AES 256 at rest. Secrets managed in dedicated vaults, never in source.
Identity and access
SSO and SAML for enterprise tenants, enforced MFA, and access scoped by role to least privilege.
Secure SDLC
Peer review on every change, automated dependency scanning, and static analysis in CI before anything ships.
Network isolation
Tenant data is logically isolated. Production VPCs are segmented from corporate networks, with egress denied by default.
Logging and audit
Centralized, tamper evident logs for production access, deploys, and administrative actions. Retained for incident review.
Backups and recovery
Automated backups with periodic restore testing. Documented RPO and RTO targets per environment.
Standards and frameworks
we operate against.
We publish our posture honestly. Some frameworks we are formally aligned to today, others are on the roadmap as the business grows.
SOC 2 Type II
Our controls are modeled on the AICPA Trust Services Criteria. Formal Type II attestation is on the roadmap as customer engagements require it.
ISO/IEC 27001
Information security management aligned to ISO 27001: risk assessment, asset inventory, access control, and continuous improvement.
GDPR
We process personal data under lawful bases, support data subject requests, and use Standard Contractual Clauses for international transfers.
CCPA / CPRA
California residents can request access, deletion, or correction of their personal information through the contacts listed in our Privacy Policy.
HIPAA ready
For healthcare engagements we sign Business Associate Agreements and deploy isolated environments with the administrative, physical, and technical safeguards required.
IEC 62443
Our automation work follows IEC 62443 zones and conduits guidance for OT networks, with segmentation between corporate, control, and safety systems.
Need a specific report or questionnaire? Request our SOC 2 progress, a penetration test summary, or a completed CAIQ under NDA at [email protected].
Who touches the data
behind the scenes.
We use a small set of vetted infrastructure providers. Each is reviewed for security posture and data residency before we onboard them, then reviewed again every year. A current list is available on request under NDA.
Found something?
Tell us first.
If you believe you have found a security vulnerability in any Nodeblue system, report it to us privately so we can fix it before it is exploited. We acknowledge reports quickly and keep you informed as we triage. We do not pursue legal action against research done in good faith that follows the guidelines here.
How to report
- Email [email protected] with details and a proof of concept if you have one.
- Give us a reasonable window to investigate and remediate before public disclosure.
- Do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the issue.
- Do not run automated scanners against production without prior written agreement.
See the research running.
Nexus is the first place our research meets a live operation. Trying it is the clearest way to see what we are building toward.