01 · Transport
Encryption in transit.
All connections use TLS 1.2+. API endpoints, dashboard access, and log ingestion are encrypted end-to-end. No exceptions, no plaintext fallback.
We build a SIEM. Security isn't a feature we bolt on, it's the foundation we ship on. Here's exactly how we protect your data and our platform, down to the vendor list.
Multiple layers of controls protect every interaction with our platform. Each one is independently enforced.
All connections use TLS 1.2+. API endpoints, dashboard access, and log ingestion are encrypted end-to-end. No exceptions, no plaintext fallback.
Sensitive data including credentials and API keys is encrypted at rest using AES-256-GCM before it ever touches storage.
All API input is validated in Rust. Serde enforces JSON shape, strong types (UUIDs, enums) handle primitives, and per-handler rules reject bad values before they hit the database. SQL injection is closed at compile-time via sqlx parameterized queries.
Cross-site request forgery protection is enforced on all state-changing API endpoints with token-based validation.
Every tenant environment is isolated at the infrastructure level, with dedicated compute and storage. No shared clusters, no cross-tenant query paths.
Each organization gets its own dedicated infrastructure, whether a Kubernetes namespace with isolated compute and network policies, or a single-tenant VPS. No shared resources between tenants.
Infrastructure is provisioned via automated pipelines with no manual access. Kubernetes clusters and VPS instances are spun up on demand, fully reproducible and auditable.
Higher tiers run on Kubernetes with health checks, auto-restarts, and horizontal pod autoscaling. Hobby and Startup tiers run on dedicated VPS instances with Docker Compose for simplicity and cost efficiency.
All administrative actions are captured in structured audit logs with timestamps, actor identity, and affected resources. Exportable on demand for compliance reviews.
Strong authentication, rate limiting, and credential management protect every account. Nothing trusts anything else by default.
Short-lived sessions with automatic expiry. Sessions are invalidated on password change and on suspicious activity, with re-auth required for sensitive operations.
API rate limits are enforced per organization to prevent abuse and ensure fair resource allocation across tenants. Limits scale with your plan.
All inbound webhooks (Stripe, GitHub, partners) are cryptographically verified before processing to prevent spoofing and replay attacks.
Cloud provider credentials are encrypted per-organization and never exposed in API responses or logs. Secrets live in a separate KMS, not in the application database.
On self-hosted plans, your data never leaves your cloud. On managed plans we run dedicated infrastructure per tenant, isolated and encrypted, never shared. Either way, we treat it with the same rigor we'd expect from our own security tools.
Security logs are stored in dedicated ClickHouse instances with per-tenant isolation. No cross-tenant data access is possible at the query layer.
Choose your deployment region, whether self-hosted or managed. Data stays in the region you select and is never replicated to other geographies.
Your security data is yours. We never sell, share, or use customer data for training models or any other purpose. Ever. It's in the contract.
When you delete your account or data, it is permanently removed from all storage systems within the retention window. Verifiable on request.
We're transparent about our compliance journey. Here's what's active, what's in progress, and what we're planning. No marketing claims, no asterisks.
We are working toward SOC 2 Type II certification. Our infrastructure and processes are being designed with SOC 2 controls in mind from day one. Statement of applicability available under NDA.
We follow GDPR principles: data minimization, purpose limitation, right to deletion, and transparent data processing. EU data stays in EU regions. Read our DPA.
We maintain a responsible disclosure policy and welcome security researchers to report vulnerabilities. Contact security@nano.rs. We respond within 48 hours.
We evaluate the security posture of all third-party vendors and services. Payment processing is handled by Stripe with PCI DSS compliance. Vendor list below.
Which vendors touch your data depends on how you deploy. Toggle between Managed and Self-hosted to see exactly who's involved.
Your tier determines which infrastructure provider is used. Only one row in the infrastructure section applies to your deployment.
| Vendor | Purpose | Data processed |
|---|---|---|
| All deployments | ||
| Stripe | Payment processing | Billing info, payment methods, invoices |
| Google Cloud | Container registry | Container images (nano application images) |
| Cloudflare | DNS, CDN, security, transactional email | DNS records, dashboard traffic, DDoS protection, notification email addresses |
| Infrastructure (varies by tier) | ||
| Hetzner | Managed infrastructure (Hobby, Startup, Growth) | Compute workloads, log ingestion & storage |
| Civo | Managed infrastructure (Team+) | Compute workloads, log ingestion & storage |
| AWS | Managed infrastructure (Business+) | Compute workloads, log ingestion & storage |
| Google Cloud | Managed infrastructure (Business+) | Compute workloads, log ingestion & storage |
| ClickHouse Cloud | Managed log storage (Enterprise) | Security log data |
Your log data never leaves your cloud account. nano only processes platform metadata (auth, billing, config).
| Vendor | Purpose | Data processed |
|---|---|---|
| All deployments | ||
| Stripe | Payment processing | Billing info, payment methods, invoices |
| Google Cloud | Container registry | Container images (nano application images) |
| Cloudflare | DNS, CDN, security, transactional email | DNS records, dashboard traffic, DDoS protection, notification email addresses |
| Your infrastructure | ||
| Your cloud provider | Self-hosted infrastructure | All log data stays in your cloud account. nano never touches it. |
Sub-processor list is reviewed quarterly. Material changes are communicated 30 days in advance via email to organization admins.
Trust pages are easy to write. Open source code is harder. Both are here, both are real.
Security questionnaires welcomed. DPA available on request.