Enterprise-Grade Security
NEXUS DSP is built with enterprise-grade security. Here's how we keep your delivery intelligence safe.
Only You Can See Your Data
Your organisation's data is completely isolated from every other DSP on the platform. Your managers can only see their assigned stations. No one — not even other NEXUS DSP customers — can access your information.
- Row-Level Security (RLS) enforced at the database level on every table
- Multi-tenant isolation verified by automated scripts
- Organisation-scoped queries — every API request filtered by your org ID
- Station-level access control — managers restricted to assigned stations only
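The organisation-scoped queries and station-level restriction described above can be illustrated with an application-layer scoping function. This is an added example, not NEXUS DSP's own code: the session fields, the query representation, and the assumption that owners and viewers see the whole organisation while managers see only their assigned stations are all assumptions made for the illustration.

```typescript
// Added example, not NEXUS DSP's own code. Shows application-layer tenant
// scoping: the organisation comes from the verified session, never from the
// request, and managers are confined to their assigned stations. Field names,
// the "viewer" semantics (org-wide, read-only) and the query shape are assumed.

type Role = "owner" | "manager" | "viewer";

interface Session {
  userId: string;
  orgId: string;        // from the validated auth token, not the request body
  role: Role;
  stationIds: string[]; // stations assigned to this user (relevant for managers)
}

interface Filter { column: string; value: string | string[] }
interface ScopedQuery { table: string; filters: Filter[] }

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// Returns a query that is always confined to the caller's organisation and,
// for managers, to their assigned stations. Caller-supplied org_id filters are
// discarded; caller-supplied station_id filters can narrow but never widen.
function scopeQuery(session: Session, table: string, requested: Filter[] = []): ScopedQuery {
  const filters: Filter[] = [{ column: "org_id", value: session.orgId }];
  const stationFilter = requested.find(f => f.column === "station_id");
  const requestedStations = stationFilter ? asList(stationFilter.value) : null;

  if (session.role === "manager") {
    const allowed = requestedStations === null
      ? session.stationIds
      : session.stationIds.filter(s => requestedStations.indexOf(s) !== -1);
    if (allowed.length === 0) throw new Error("no accessible stations for this request");
    filters.push({ column: "station_id", value: allowed });
  } else if (requestedStations !== null) {
    filters.push({ column: "station_id", value: requestedStations });
  }

  for (const f of requested) {
    if (f.column !== "org_id" && f.column !== "station_id") filters.push(f);
  }
  return { table, filters };
}

// The database-level backstop the page describes (RLS) catches anything the
// application layer misses. Illustrative Postgres policy, table and setting
// names assumed:
//   CREATE POLICY org_isolation ON deliveries
//     USING (org_id = (current_setting('app.org_id', true))::uuid);

// Constructed sample: a manager whose request names another org and a station
// they are not assigned to. Both are dropped; only DXX2 survives.
const manager: Session = { userId: "u2", orgId: "org-A", role: "manager", stationIds: ["DXX1", "DXX2"] };
console.log(JSON.stringify(scopeQuery(manager, "deliveries", [
  { column: "org_id", value: "org-B" },
  { column: "station_id", value: ["DXX2", "DXX9"] },
])));
```

The point of the design is that the tenant identifier is never read from the request: even a client that sends a different `org_id` gets its own organisation's rows, and the RLS policy at the database level enforces the same boundary if a future code path forgets to call the scoping function.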
Your Data is Encrypted
Everything you upload and store on NEXUS DSP is encrypted — both when it's moving between your browser and our servers, and when it's stored. Even if someone intercepted the data, they couldn't read it.
- TLS 1.3 encryption for all data in transit
- AES-256 encryption at rest (via Supabase on AWS infrastructure)
- Strict Transport Security (HSTS) enforced — browsers forced to use HTTPS
- DMARC email authentication — prevents domain spoofing of @nexusdsp.ai
- No sensitive data stored in browser localStorage or cookies
Files Are Processed Safely
When you upload Amazon reports, they're processed in isolated secure containers — not in your browser. This means even if a file contained something malicious, it couldn't affect your computer or anyone else's.
- All file parsing runs server-side in isolated Trigger.dev containers
- Magic byte validation — files are checked for authenticity, not just file extension
- HTML reports sanitised before processing — scripts, iframes, and event handlers stripped
- File size limits enforced (10 MB per file across all report types)
- Formula injection protection on all data exports
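Two of the checks listed above, magic byte validation and formula injection protection, are shown below as an added example. It is not NEXUS DSP's own code: the set of report kinds it recognises, the exact signatures it compares against (public file-format magic numbers), and the default size limit are assumptions chosen to match the bullets.

```typescript
// Added example, not NEXUS DSP's own code. Shows two of the checks listed
// above: content-based ("magic byte") type detection that ignores the file
// extension, and neutralising formula injection when writing CSV exports.
// The set of accepted report kinds and the size limit default are assumptions.

type ReportKind = "xlsx" | "pdf" | "html" | "csv" | "unknown";

// Public file-format signatures. XLSX is a ZIP container, so "PK\x03\x04"
// only proves "zip-like"; the real parser must still validate the workbook.
const MAGIC: Array<{ kind: ReportKind; bytes: number[] }> = [
  { kind: "xlsx", bytes: [0x50, 0x4b, 0x03, 0x04] },
  { kind: "pdf", bytes: [0x25, 0x50, 0x44, 0x46, 0x2d] }, // "%PDF-"
];

function asciiHead(buf: Uint8Array, n = 512): string {
  let s = "";
  for (let i = 0; i < Math.min(n, buf.length); i++) s += String.fromCharCode(buf[i]);
  return s;
}

function looksBinary(buf: Uint8Array): boolean {
  for (let i = 0; i < Math.min(512, buf.length); i++) {
    const b = buf[i];
    if (b === 0 || (b < 0x20 && b !== 0x09 && b !== 0x0a && b !== 0x0d)) return true;
  }
  return false;
}

// Identify the file by what it contains. Text formats have no magic number,
// so HTML and CSV are recognised structurally and must not contain control bytes.
function sniffKind(buf: Uint8Array): ReportKind {
  for (const m of MAGIC) {
    if (m.bytes.every((b, i) => buf[i] === b)) return m.kind;
  }
  if (looksBinary(buf)) return "unknown";
  const head = asciiHead(buf).replace(/^\xEF\xBB\xBF/, "").replace(/^\s+/, "");
  if (/^<!doctype html|^<html/i.test(head)) return "html";
  const firstLine = head.split(/\r?\n/)[0] || "";
  if (firstLine.indexOf(",") !== -1) return "csv";
  return "unknown";
}

function validateUpload(buf: Uint8Array, claimedExt: string, maxBytes = 10 * 1024 * 1024)
  : { ok: boolean; kind: ReportKind; reason?: string } {
  if (buf.length > maxBytes) return { ok: false, kind: "unknown", reason: "exceeds size limit" };
  const kind = sniffKind(buf);
  if (kind === "unknown") return { ok: false, kind, reason: "unrecognised content" };
  const ext = claimedExt.toLowerCase().replace(/^\./, "");
  const claimed = ext === "htm" ? "html" : ext;
  if (claimed !== kind) return { ok: false, kind, reason: `content is ${kind} but extension says ${ext}` };
  return { ok: true, kind };
}

// Spreadsheets evaluate a cell that starts with = + - @ (or a tab/CR) as a
// formula. Prefixing a single quote makes the cell literal text. Apply this to
// free-text columns only; numeric columns should be emitted as numbers.
function escapeSpreadsheetCell(value: string): string {
  return /^[=+\-@\t\r]/.test(value) ? "'" + value : value;
}

function toCsvField(value: string): string {
  const safe = escapeSpreadsheetCell(value);
  return /[",\r\n]/.test(safe) ? '"' + safe.replace(/"/g, '""') + '"' : safe;
}

// Constructed inputs: a plausible CSV report and a ZIP header renamed to .csv.
function ascii(s: string): Uint8Array {
  const out = new Uint8Array(s.length);
  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i) & 0xff;
  return out;
}
const csvReport = ascii("Date,Station,Packages\n2024-01-01,DXX1,120\n");
const zipRenamed = ascii("PK\x03\x04\x14\x00\x00\x00");
console.log(validateUpload(csvReport, "csv"), validateUpload(zipRenamed, "csv"));
console.log(toCsvField("=1+1"), toCsvField("Smith, J"));
```

The size check runs before any parsing so an oversized file costs nothing beyond a length comparison, and the extension is compared against the sniffed kind rather than trusted on its own. The formula escape is applied at export time, where the risk actually lives: the platform's own database is not harmed by a cell starting with `=`, but a user's spreadsheet application may evaluate it.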
Strong Account Protection
Your account is protected by two-factor authentication, Cloudflare Turnstile bot detection, automatic session timeouts, and rate limiting. If someone tries to guess your password, they'll be locked out — and bots can't even reach the login form.
- Rate limiting on all API endpoints — tiered by operation type (standard, strict, upload)
- Cloudflare Turnstile bot protection on all auth pages (login, signup, password reset)
- Leaked credentials detection — blocks login attempts using known stolen passwords (via Cloudflare)
- Automatic session timeout after a period of inactivity
- Passwords hashed with bcrypt (never stored in plain text)
- Role-based access control: Owner, Manager, Viewer
- Two-Factor Authentication (TOTP) available — works with Google Authenticator, Microsoft Authenticator, and Authy
- Invitation-only team access — additional users must be invited by the account owner
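The tiered rate limiting in the first bullet is illustrated below with a sliding-window limiter. This is an added example and not NEXUS DSP's own code: the tier names come from the page, but the limits, window sizes, and in-memory store are assumptions (a multi-instance deployment would keep the counters in a shared store so that all servers agree).

```typescript
// Added example, not NEXUS DSP's own code. A per-tier sliding-window rate
// limiter. Tier names follow the page; the limits, windows and the in-memory
// Map store are assumptions made for this illustration.

type Tier = "standard" | "strict" | "upload";

const TIERS: Record<Tier, { limit: number; windowMs: number }> = {
  standard: { limit: 100, windowMs: 60_000 },  // general API calls
  strict:   { limit: 5,   windowMs: 60_000 },  // login, signup, password reset
  upload:   { limit: 10,  windowMs: 600_000 }, // report uploads
};

interface Decision { allowed: boolean; remaining: number; retryAfterMs: number }

class SlidingWindowLimiter {
  private hits = new Map<string, number[]>();

  // The clock is injectable so behaviour can be tested deterministically.
  constructor(private now: () => number = () => Date.now()) {}

  check(tier: Tier, key: string): Decision {
    const { limit, windowMs } = TIERS[tier];
    const t = this.now();
    const bucket = `${tier}:${key}`;
    // Drop timestamps that have aged out of the window before counting.
    const recent = (this.hits.get(bucket) || []).filter(ts => t - ts < windowMs);
    if (recent.length >= limit) {
      this.hits.set(bucket, recent);
      // Oldest surviving hit decides when the next slot opens.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + windowMs - t };
    }
    recent.push(t);
    this.hits.set(bucket, recent);
    return { allowed: true, remaining: limit - recent.length, retryAfterMs: 0 };
  }
}

// Keying the strict tier by client address keeps one source from hammering the
// login form; a real deployment typically also keys by the targeted account so
// a single attacker cannot lock out every user behind a shared address.
function strictKey(clientIp: string, accountHint: string): string {
  return `${clientIp}|${accountHint.trim().toLowerCase()}`;
}

// Constructed usage: six login attempts from one address within a minute.
const limiter = new SlidingWindowLimiter();
for (let i = 1; i <= 6; i++) {
  const d = limiter.check("strict", strictKey("203.0.113.7", "owner@example.test"));
  console.log(`attempt ${i}: allowed=${d.allowed} remaining=${d.remaining} retryAfterMs=${d.retryAfterMs}`);
}
```

A sliding window is used rather than a fixed window because a fixed window lets a client send a full quota at the end of one minute and another full quota at the start of the next; the sliding version counts every request inside the trailing window. The `retryAfterMs` value is what a server would surface in a `Retry-After` header.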
Everything is Logged
Every action on the platform is recorded — who logged in, who uploaded data, who viewed reports, and when. If something goes wrong, we can trace exactly what happened. You can review these logs yourself from the Audit Log page.
- Comprehensive audit trail: logins, uploads, exports, settings changes
- IP address and user agent recorded for every action
- Severity-coded events (info, warning, critical)
- Admin-accessible audit log viewer with filters
- 90-day retention with automated cleanup
- Responsible disclosure program — security.txt published at /.well-known/security.txt
Built on Trusted Infrastructure
NEXUS DSP runs on the same cloud infrastructure trusted by millions of businesses worldwide. Our hosting providers hold the highest security certifications.
- Cloudflare WAF (Web Application Firewall) — managed rulesets blocking OWASP Top 10, SQLi, XSS
- Cloudflare DDoS protection — network and application layer mitigation
- Cloudflare Bot Fight Mode — automated bot detection and blocking
- Vercel (frontend hosting) — SOC 2 Type II certified
- Supabase (database) — SOC 2 Type II certified, built on AWS
- Trigger.dev (background processing) — isolated container execution
- Stripe (payments) — PCI DSS Level 1 certified
- Sentry (error monitoring) — SOC 2 Type II certified
- Automated dependency scanning via GitHub Dependabot — vulnerabilities flagged within 24 hours
- All infrastructure hosted in EU/UK regions
We Follow the Rules
NEXUS DSP complies with UK data protection law (UK GDPR) and the Data Protection Act 2018. We only process the data you upload, we don't sell it, and you can request deletion at any time.
- UK GDPR and Data Protection Act 2018 compliant
- Registered with the Information Commissioner's Office (ICO)
- Operated by VELLOX LTD (Company No. 17136312), registered in England and Wales
- NEXUS DSP™ is a registered trademark of VELLOX LTD
- Data Processing Agreement (DPA) — download at nexusdsp.ai/NEXUS_DSP_Data_Processing_Agreement.pdf
- Data retained only while your account is active
- Right to deletion — request full data removal at any time
- No data sold to third parties — ever
- Cyber Essentials certified (IASME Consortium, April 2026)
- Cookie Policy published at nexusdsp.ai/cookies
Have security questions?
We're happy to walk through our security measures or provide additional documentation for your compliance team.
security@nexusdsp.ai