Security Policy
Last updated: January 1, 2025
Nexiva AI takes the security of our clients' data, systems, and business operations seriously. This Security Policy outlines the measures we implement to protect your information and the expectations we have when working with client systems.
1. Our Security Commitment
We implement industry-standard security practices across all aspects of our work — from the tools we use to how we handle client credentials. Security is not an afterthought; it is built into every automation we design and every system we deploy.
2. Data Security Measures
- All data in transit is encrypted using TLS 1.2 or higher
- Sensitive credentials and API keys are stored in encrypted vaults, never in plain text
- We use role-based access control — team members only access data relevant to their work
- Regular security reviews of our internal tools and infrastructure
- Multi-factor authentication (MFA) enforced on all internal accounts
- Automated monitoring for suspicious access patterns
3. Client System Access
- We request only the minimum permissions necessary for project delivery
- All access credentials are stored in enterprise-grade password managers
- Client system access is revoked immediately upon project completion unless support is ongoing
- We document all systems accessed and the reason for access
- We never share client credentials outside the project team
- Screen recording and logging are used when accessing sensitive systems
4. Automation Security Standards
- All API connections use OAuth 2.0 or equivalent secure authentication where available
- Webhook endpoints are secured with secret tokens and signature verification
- Error logs are sanitized to exclude sensitive data before storage
- Rate limiting is implemented on all publicly accessible automation endpoints
- Input validation is enforced on all user-facing automation forms
- Sensitive data is masked or encrypted within workflow payloads
5. Vendor and Third-Party Security
We carefully evaluate the security practices of third-party tools before integrating them into client workflows. We prefer vendors with SOC 2 Type II certification, clear data processing agreements, and proven security track records.
6. Incident Response
- We maintain a documented incident response plan
- Security incidents are assessed within 1 hour of detection
- Affected clients are notified within 24 hours of a confirmed security incident
- Post-incident reports are provided within 5 business days
- All incidents are logged and reviewed to prevent recurrence
7. Employee Security Practices
- All team members complete security awareness training
- Devices used for client work are encrypted and have remote wipe capability
- We use VPNs when accessing client systems from non-office locations
- Team members sign confidentiality and security agreements
- Offboarding procedures ensure immediate revocation of all access
8. Responsible Disclosure
If you discover a security vulnerability in our website or services, please report it responsibly to contact@nexiva.dev. We commit to acknowledging your report within 48 hours, investigating promptly, and keeping you informed of our progress. We do not pursue legal action against good-faith security researchers.
9. Business Continuity
Critical client automation workflows are documented and backed up. We maintain redundancy for key infrastructure components and have recovery procedures to restore services in the event of a disruption.
For questions about this policy, contact us at contact@nexiva.dev.