Nerve Core
The Company AI Brain
 Home
Trust

Security at Nerve Core

Last updated May 27, 2026

Nerve Core is built to handle business knowledge and brand-shaping content. That makes security a daily discipline, not a checkbox. This page describes how we protect customer data, secure the platform, and respond when something goes wrong.

1. Principles

We operate the platform under four security principles:

  • Least privilege. Access is granted only to those who need it for a defined business reason and is removed when that reason ends.
  • Defense in depth. No single control is enough. We layer technical, procedural, and contractual controls.
  • Default secure. New features ship with logging, encryption, and access controls enabled.
  • Customer ownership. Customer content remains the customer's property. We do not use customer content to train public foundation models.

2. Infrastructure

The platform runs on managed cloud infrastructure operated by Vercel, Railway, and Cloudflare. These providers maintain SOC 2 Type II and other independent certifications for their underlying physical and network security. Production environments are isolated from staging and development by network and account boundaries.

3. Encryption

  • In transit. All connections to the site and the platform are encrypted using TLS 1.2 or higher. HTTP requests are redirected to HTTPS. HSTS is enabled.
  • At rest. Production databases, object storage, and backups are encrypted at rest using AES-256 or stronger algorithms managed by the underlying cloud provider.
  • Secrets. Credentials, API keys, and tokens are stored in a managed secret store and are never committed to source control.

4. Access controls

  • Production access requires single sign-on with multi-factor authentication.
  • Role-based access controls restrict who can read or modify customer data, billing records, and infrastructure.
  • Privileged actions are logged and reviewed.
  • Access is reviewed at least quarterly and revoked promptly when an employee or contractor changes role or leaves.

5. Application security

  • Code is reviewed before merging to the main branch.
  • Dependencies are continuously scanned for known vulnerabilities and patched on a defined cadence.
  • Common web risks (OWASP Top 10) are addressed through framework-level protections, input validation, parameterized queries, output encoding, and content security policies.
  • The platform uses session-bound CSRF tokens and short-lived authentication tokens.
  • Webhook and API endpoints validate signatures where applicable.

6. Monitoring and logging

We collect application, infrastructure, and security logs to detect anomalies, investigate incidents, and demonstrate compliance. Logs are retained for a reasonable period and access is restricted to authorized personnel.

7. Vendor management

We review subprocessors before onboarding and re-evaluate them periodically. The current list is published at /subprocessors. Each subprocessor is bound by contractual data-protection terms at least as protective as those in our DPA.

8. AI provider posture

Nerve Core runs prompts through third-party AI providers as a core part of the service. When we send data to those providers:

  • We use API tiers configured for no model training on submitted data, where the provider supports it.
  • We minimize personal data in prompts. We do not knowingly submit sensitive personal data, health data, or government identifiers in prompts.
  • We rely on each provider's published security and compliance posture, which is linked from /subprocessors.

9. Incident response

We maintain a written incident response plan that covers detection, triage, containment, eradication, recovery, customer notification, and post-mortem review. If we confirm a personal-data breach affecting customer data, we notify the affected customer without undue delay and in any case within 72 hours, with the information available at the time.

10. Backups and continuity

Production databases are backed up on a regular schedule. Backups are encrypted and tested periodically. The platform is built on cloud infrastructure with multi-zone redundancy. We design for graceful degradation when an upstream provider has an outage and prioritize keeping read access to dashboards and reports available.

11. People

  • Employees and contractors sign confidentiality agreements before being granted access.
  • Background checks are performed for roles with privileged access, where lawful.
  • Security training is provided at onboarding and refreshed at least annually.
  • Phishing and social-engineering controls include MFA, hardware security keys for sensitive accounts, and reporting workflows.

12. Reporting a vulnerability

We welcome reports from security researchers. If you believe you have found a vulnerability:

  • Email security@nervecore.io with a clear description and steps to reproduce.
  • Give us reasonable time to investigate and remediate before public disclosure.
  • Do not access data that is not your own, degrade the service, or extract data beyond what is necessary to confirm the issue.

We do not currently operate a paid bug bounty. We are happy to acknowledge reporters publicly with permission.

Looking for a security questionnaire response?Email security@nervecore.io with your standard questionnaire (SIG, CAIQ, or your own) and we will return a completed copy under NDA.