Security isn’t a feature.
It’s the foundation.

NxtOne is built on the principle that understanding your system should never compromise its safety. We capture execution semantics — never your source code, business data, or PII.

🔒
TLS 1.3 Encryption
🛡
SOC 2 Type II
🇪🇺
GDPR Compliant
🏛
ISO 27001
AWS Hosted — EU Region
Core Principles

How we think about security.

Three principles guide every architecture decision, data flow, and access control in the platform.

🧬

Semantics, not source code

The NxtOne agent captures execution relationships — method calls, service interactions, data flows. It never reads, transmits, or stores your source code, variable values, or business data. We capture the shape of behavior, not the content.

🔐

Encrypted everywhere

All data is encrypted in transit with TLS 1.3 and at rest with AES-256. API keys are hashed with bcrypt. Secrets are managed via AWS Secrets Manager with automatic rotation. There is no unencrypted path through the system.

🏠

Your data, your control

Choose cloud-hosted or self-hosted deployment. Set data retention policies per tenant. Request full data export or deletion at any time. We never use customer data for model training or any purpose beyond providing the service.

Data Architecture

What flows where.

A transparent view of how execution data moves through the NxtOne platform — what’s captured, what’s filtered, and what’s stored.

Data Flow — Your Application → NxtOne Platform
YOUR APP
Application
Runtime
Semantic events
🔍
AGENT
NxtOne
Agent
TLS 1.3
🛡
FILTER
PII Filter &
Sanitizer
Sanitized
📨
KAFKA
Encrypted
Event Stream
AES-256
GRAPH DATABASE
Knowledge
Graph
Encrypted channel
PII stripped at this stage
Data Handling

What we capture. What we don’t.

Full transparency on exactly what the NxtOne agent collects from your runtime environment.

What we capture

  • Method call relationships (Service A calls Service B)
  • Execution timing and sequence ordering
  • Service names, class names, method signatures
  • Database query patterns (shape, not values)
  • Message queue event types and routing
  • HTTP endpoint paths and status codes
  • Exception types and stack trace structure

What we never capture

  • Source code or file contents
  • Variable values or business data
  • Personally identifiable information (PII)
  • Authentication tokens or credentials
  • Request/response body payloads
  • Database row contents or query results
  • Environment variables or secrets
Encryption

Encryption at every layer.

No shortcuts. Every data path in the NxtOne platform is encrypted with industry-standard algorithms.

TLS 1.3
In-transit encryption
Agent → Collector
AES-256
At-rest encryption
All stored data
bcrypt
API key hashing
Cost factor 12
mTLS
Service-to-service
Internal mesh
KMS
AWS Key Management
Automatic rotation
SHA-256
Webhook signatures
Payload verification
Infrastructure

Hardened from the ground up.

Cloud Infrastructure

  • Hosted on AWS EKS in eu-west-2 (London)
  • Private VPC with no public-facing databases
  • Network policies enforce pod-level isolation
  • Automated security patching via managed node groups
  • DDoS protection via AWS Shield Standard

🔑Access Control

  • Role-based access control (RBAC) for all users
  • SSO via SAML 2.0 and OIDC for enterprise
  • MFA enforced for all internal access
  • API keys scoped per service with expiration
  • Principle of least privilege across all services

📋Audit & Logging

  • Immutable audit logs for all admin actions
  • API access logs with full request metadata
  • Real-time anomaly detection on access patterns
  • 90-day log retention with export capability
  • Integration with SIEM platforms

🧪Vulnerability Management

  • Automated dependency scanning in CI/CD
  • Container image scanning on every build
  • Regular penetration testing by third parties
  • Critical CVE patches within 24 hours
  • Responsible disclosure program
Compliance

Standards and certifications.

Where we are today and what’s on the roadmap. We’re transparent about our compliance journey.

StandardScopeStatus
GDPRData protection for EU users. Data stored in eu-west-2. DPA available on request.Compliant
SOC 2 Type IISecurity, availability, and confidentiality controls. Annual audit.In Progress
ISO 27001Information security management system certification.In Progress
UK Data Protection ActCompliance with UK GDPR equivalent. ICO registration.Compliant
HIPAAHealthcare data handling controls for US enterprise customers.Planned
CCPACalifornia Consumer Privacy Act compliance.Compliant
Responsible Disclosure

Found a vulnerability?

We take security reports seriously and respond within 24 hours. If you’ve discovered a security issue in any NxtOne service, please report it responsibly. We offer a safe harbor policy — good-faith security researchers will never face legal action.

Report a Vulnerability →
Security FAQ

Common security questions.

The agent does access source code as part of its analysis, but it is fully encrypted — no user, including NxtOne personnel, can view your raw source files. This encrypted access allows the agent to build richer semantic execution graphs by correlating runtime behavior with code structure, while ensuring your intellectual property remains protected. Think of it like a flight recorder that understands both the instrument readings and the aircraft's engineering blueprints, but keeps the blueprints locked in a tamper-proof vault.
Yes. We offer a self-hosted deployment option that runs entirely within your Kubernetes cluster. All data stays within your VPC. The self-hosted version includes the same features as the cloud version, with dedicated support for deployment and ongoing maintenance.
Cloud-hosted data is stored in AWS eu-west-2 (London) by default. Enterprise customers can request data residency in specific regions. Self-hosted customers control data locality entirely. We do not replicate data outside your chosen region.
Upon cancellation, you can request a full data export in standard formats. After the export window (30 days), all your data is permanently and irreversibly deleted from our systems, including backups. We provide written confirmation of deletion upon request.
No. We never use customer execution data to train, fine-tune, or improve any AI models. Your data is used exclusively to provide the NxtOne service to your organization. This is a contractual commitment, not just a policy.
The NxtOne agent is designed for production use. Typical overhead is less than 3% CPU and under 50MB of additional memory. The agent uses asynchronous, non-blocking event capture and batched transmission to minimize impact. You can also configure sampling rates to further reduce overhead.

Questions about security?

Our team is happy to walk through our security architecture, compliance posture, or arrange a dedicated security review for your organization.

Talk to Our Team →Read Security Docs