We build a SIEM — security isn't a feature, it's our foundation. Here's how we protect your data and our platform.
Multiple layers of security controls protect every interaction with our platform.
Encryption in Transit
All connections use TLS 1.2+. API endpoints, dashboard access, and log ingestion are encrypted end-to-end.
Encryption at Rest
Sensitive data, including credentials and API keys, is encrypted at rest using AES-256 before storage.
Input Sanitization
All user input is validated with Zod schemas. Webhook payloads, API requests, and form data are strictly validated before processing.
CSRF Protection
Cross-site request forgery protection is enforced on all state-changing API endpoints with token-based validation.
Every tenant environment is isolated at the infrastructure level with dedicated compute and storage.
Isolated Tenant Environments
Each organization gets its own Kubernetes namespace with dedicated compute, storage, and network policies. No shared resources between tenants.
Automated Provisioning
Infrastructure is provisioned via automated pipelines with no manual access. Environments are reproducible and auditable.
Kubernetes-Native
All workloads run on Kubernetes with health checks, auto-restarts, and horizontal pod autoscaling for availability.
Structured Audit Logs
All administrative actions are captured in structured audit logs with timestamps, actor identity, and affected resources.
Strong authentication, rate limiting, and credential management protect every account.
Session Management
Short-lived sessions with automatic expiry. Sessions are invalidated on password change and suspicious activity.
Organization-Based Rate Limiting
API rate limits are enforced per organization to prevent abuse and ensure fair resource allocation across tenants.
Webhook Validation
All inbound webhooks (Stripe, GitHub) are cryptographically verified before processing to prevent spoofing.
Credential Isolation
Cloud provider credentials are encrypted per-organization and never exposed in API responses or logs.
We treat customer data with the same rigor we'd expect from our own security tools.
ClickHouse for Log Storage
Security logs are stored in dedicated ClickHouse instances with per-tenant isolation. No cross-tenant data access is possible.
Data Residency
Choose your deployment region. Data stays in the region you select and is never replicated to other geographies.
No Data Selling
Your security data is yours. We never sell, share, or use customer data for training models or any other purpose.
Secure Deletion
When you delete your account or data, it is permanently removed from all storage systems within the retention window.
We're transparent about our compliance journey. Here's what's active and what's in progress.
We are working toward SOC 2 Type II certification. Our infrastructure and processes are being designed with SOC 2 controls in mind from day one.
We follow GDPR principles: data minimization, purpose limitation, right to deletion, and transparent data processing. EU data stays in EU regions.
We maintain a responsible disclosure policy and welcome security researchers to report vulnerabilities. Contact security@nano.rs.
We evaluate the security posture of all third-party vendors and services. Payment processing is handled by Stripe with PCI DSS compliance.
We use a limited set of trusted third-party services. Here's exactly who processes your data and why.