Security Whitepaper

We operate an Information Security Management System (ISMS) aligned with ISO/IEC 27001:2022. The CEO holds executive accountability; a designated security lead manages day-to-day operations. The Board reviews security posture quarterly.

Primary hosting is on Amazon Web Services in the London region (eu-west-2). We inherit AWS's SOC 2 Type II and ISO 27001 certifications for the underlying infrastructure. Production is segregated by VPC; biometric data (Capture footage) is stored in a dedicated VPC with separate KMS keys.

• At rest: AES-256 with AWS KMS-managed keys. Per-tenant envelope encryption for personal data.
• In transit: TLS 1.3 only. HSTS preloaded.
• Biometric / Capture footage: separate KMS realm, hardware-backed keys.

• Mandatory MFA on every internal account.
• Role-based access control with least-privilege defaults.
• Just-in-time elevation for production access, with audit log.
• SSO via approved IdPs for enterprise customers on request.

We have learned from the wave of supply-chain and data-exfiltration incidents across the AI data industry. Our specific controls:

• All third-party packages pinned by hash (npm integrity attributes; lockfile committed).
• LLM gateway dependencies isolated in a sandboxed egress namespace.
• Dependency provenance scanning (SLSA-style attestations where available).
• No internal production secrets in source repositories; secrets managed by AWS Secrets Manager.

• Quarterly external penetration testing by a CREST-accredited provider.
• Continuous SCA, SAST, and DAST scanning in CI.
• CVSS triage SLA: critical 24h, high 7d, medium 30d, low 90d.
• Coordinated disclosure programme: security@nxted.ai; PGP key on request.

We maintain a documented incident response plan with role assignments, escalation paths, and customer communication templates. We commit to:

• Internal containment within 4 hours of detection of a confirmed incident.
• Customer notification within 48 hours of confirming an incident that affects your data.
• ICO notification within 72 hours where required by Article 33 UK GDPR.
• A written post-mortem within 30 days for any customer-affecting incident.

• Background checks for staff within applicable legal limits in the UK and India.
• Mandatory security training at onboarding; refresher annually.
• Contributors complete a security primer before access to any client data.

Every sub-processor undergoes a security review and DPIA. The list is in our DPA. We require sub-processors to meet at least equivalent technical and organisational measures.

• Daily encrypted backups to a separate AWS region.
• RPO 24 hours; RTO 8 hours for the application tier.
• Disaster recovery tested at least twice a year.

SOC 2 Type II report targeted for Q4 2026. ISO/IEC 27001 certification targeted for 2027. Cyber Essentials Plus targeted before first UK public-sector engagement.