Designed with security in mind
Nimbus was designed to be run on your infrastructure. It's lightweight, doesn't phone home, and can be completely air-gapped.
Compliance
Nimbus has achieved its SOC 2 Type 2 certification for three trust service criteria (Security, Availability, and Confidentiality) and is audited annually.
Please contact hello@usenimbus.com for Nimbus' compliance documentation and reports.
Infrastructure security
Nimbus Cloud is built on top of AWS (Amazon Web Services). This means we host our all data and infrastructure on AWS. AWS is the most secure global infrastructure with 24/7 on-site physical and digital security. For more details regarding AWS security, visit https://aws.amazon.com/security/.
Self-hosted users have the flexibility to choose their infrastructure.
Nimbus continually monitors our infrastructure for security vulnerabilities and regularly apply updates.
Policies and procedures
Nimbus has established policies and procedures for the following:
Access Control Policy, Asset Management Policy, Business Continuity and Disaster Recovery Plan, Code of Conduct, Cryptography Policy, Data Management Policy, Human Resource Security Policy, Incident Response Plan, Information Security Policy (AUP), Information Security Roles and Responsibilities, Operations Security Policy, Physical Security Policy, Risk Management Policy, Secure Development Policy, Third-Party Management Policy.
All of these policies are reviewed and accepted by all Nimbus employees. These policies are also reviewed and renewed regularly (at least once per year).
Confidentiality and security training
All Nimbus employees and contractors go through a confidentiality and security training. This is a mandatory requirement and helps ensure our commitment to security.
Nimbus engineering sets a high bar for security. Every code change is reviewed from a security perspective, there are restrictions to prevent use of uncertified software packages, an established set of principles regarding secure systems engineering, and broad testing that includes but is not limited to System Security Testing, Acceptance Testing, Penetration Testing, etc.
Data protection
All data accessed by Nimbus employees is accessed through a secure cloud environment. Data access is monitored and limited to teams with a business requirement.
Nimbus considers the following information to be confidential: any and all customer data, company financial data, strategic plans, incident reports, risk assessment reports, technical vulnerability reports, authentication credentials, secrets and private keys, and source code.
Confidential data is subject to the following protection and handling requirements: Access for non-preapproved-roles requires documented approval from the data owner, access is restricted to specific employees, roles and/or departments, confidential systems shall not allow unauthenticated access, confidential Customer Data shall not be used or stored in non-production systems/environments, confidential data shall be encrypted in transit over public networks, hard drives and mobile devices used to store confidential information must be securely
wiped prior to disposal or physically destroyed, transfer of confidential data to people or entities outside the company shall only be done in accordance with a legal contract or arrangement, and the explicit written permission of management or the data owner.