Security Policy

Last updated: 2026-05-26

1. Scope

This policy describes the technical and organisational security controls protecting Nexus Legal — the legal AI platform operated by Quantum Nexus Ventures FZCO. It covers the application, the underlying infrastructure, and the data lifecycle of customer documents and analyses.

2. Infrastructure

  • Compute: Railway, region europe-west4 (Netherlands).
  • Database and authentication: Supabase, region eu-west-2.
  • Vector stores: Weaviate (EU) for case-law corpora; pgvector inside Supabase for statute embeddings.
  • Data residency: all client data infrastructure remains in the European Union. No replication or backup is sent to non-EU regions.
  • Monitoring: Sentry (EU region) for application error tracking.

3. Encryption

  • At rest: AES-256 on every persistent volume.
  • In transit: TLS 1.3 with modern cipher suites.
  • Analysis outputs: AES-256-GCM at row level, with per-user key derivation via HKDF-SHA256. Encryption keys never leave the application layer.
  • API keys: stored as SHA-256 hashes; never persisted in plain text.
  • Secrets management: Railway-native secret store, scoped per environment.

4. Zero Retention

Client documents uploaded for analysis are processed in RAM and automatically discarded at the end of the session. They are never persisted to disk or to the database unless the user explicitly opts in to store the anonymised output. There is no "delete client data" feature because there is no client data to delete by default — this is an architectural property of the pipeline, not a policy that depends on us.

5. PII Gatekeeper

Before any text is sent to an upstream large-language-model provider, the platform replaces personal identifiers — national IDs (DNI/NIE), bank account numbers (IBAN), email addresses, phone numbers — with opaque tokens. The model audits structure on tokenised text; the original identity never crosses the boundary. Every redaction is recorded in the audit log with timestamp and field type.

6. Access control

  • RBAC: roles author / reviewer / approver / admin with progressive privileges.
  • Row-Level Security: total isolation between firms enforced at the database layer.
  • IP allowlist: per API key, per organisation.
  • SAML 2.0 SSO: infrastructure complete, activates per Enterprise contract. Compatible with Okta, Azure AD, Google Workspace, OneLogin, Ping Identity and any standard SAML 2.0 IdP.
  • Session management: short-lived JWTs, refresh-token rotation, server-side revocation.

7. Auditing and logging

All sensitive operations are recorded in an append-only audit log: analysis access, export, configuration changes, billing operations, GDPR rights requests. No user can modify or delete entries. Minimum retention: 3 years.

Every completed analysis is cryptographically sealed with a SHA-256 hash of the final output, an ISO 8601 timestamp and an HMAC signature using a per-organisation key. Any post-issuance tampering breaks verification.
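How a seal of this kind can be produced and checked, shown here as an added Python example rather than Nexus Legal's own code: the `hash|timestamp` layout signed by the HMAC, the field names and the demo organisation key are assumptions for the illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional

# Constructed per-organisation key for the demo only; a real deployment would
# load it from the secret store, never embed it in source.
ORG_KEY = b"constructed-demo-org-key-not-a-real-secret"


def seal_analysis(output: str, org_key: bytes, issued_at: Optional[str] = None) -> dict:
    """Seal a finished analysis: SHA-256 of the output text, an ISO 8601 UTC
    timestamp, and an HMAC-SHA256 over "hash|timestamp" under the org key.
    The concatenation format and field names are assumptions of this example."""
    digest = hashlib.sha256(output.encode("utf-8")).hexdigest()
    ts = issued_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    message = f"{digest}|{ts}".encode("utf-8")
    signature = hmac.new(org_key, message, hashlib.sha256).hexdigest()
    return {"sha256": digest, "issued_at": ts, "hmac": signature}


def verify_seal(output: str, seal: dict, org_key: bytes) -> bool:
    """Recompute the content hash and the HMAC. Editing the output, the
    timestamp or any seal field after issuance makes this return False."""
    digest = hashlib.sha256(output.encode("utf-8")).hexdigest()
    # Bind the presented output to the hash that was signed.
    if not hmac.compare_digest(digest, seal["sha256"]):
        return False
    message = f'{seal["sha256"]}|{seal["issued_at"]}'.encode("utf-8")
    expected = hmac.new(org_key, message, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, seal["hmac"])


if __name__ == "__main__":
    text = "Clause 4.2 is enforceable under the governing law."  # constructed sample
    seal = seal_analysis(text, ORG_KEY)
    print("verifies:", verify_seal(text, seal, ORG_KEY))
    print("tampered output verifies:", verify_seal(text + " (edited)", seal, ORG_KEY))
```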

8. Incident response

The full incident response playbook is published at /legal/incident-response with severity levels P1 to P4 and committed response times. Headline commitments: response on an active data breach in less than 1 hour; customer notification within 24 hours; authority notification within 72 hours (GDPR Art. 33). Reports go to security@nexusquantum.legal.

9. Penetration testing

External penetration testing is contracted annually. First scheduled test: Q3 2026. Executive summaries are available to Enterprise customers under NDA.

10. SOC 2 Type II program

Nexus Legal operates with the technical and organisational controls required for SOC 2 Type II (Trust Service Criteria: Security, Availability, Confidentiality). Active control registers since May 2026:

  • Vendor register — risk assessment of each infrastructure provider.
  • Risk register — inventory of threats, likelihood, impact and mitigation plan.
  • Incident log — autonomous, append-only record of every security incident.
  • Change log — traceability of every production change.

The formal certification process is under way. Observation period planned for Q3-Q4 2026; report expected Q1 2027. Enterprise customers can request the full control evidence pack (vendor register, risk register, policies, audit logs) under NDA at security@nexusquantum.legal.

11. Responsible disclosure

Security researchers who find a vulnerability can write to security@nexusquantum.legal with subject "Responsible Disclosure". We acknowledge within 72 hours and provide a remediation timeline within 7 days. We do not pursue legal action against good-faith researchers.

12. Authoritative version

This document is authoritative in English. Translations may be provided for convenience but the English text governs.

Quantum Nexus Ventures FZCO · Dubai Silicon Oasis, UAE · security@nexusquantum.legal