Trust Center

Compliance, in plain language and on the record

Frameworks we hold, frameworks we are landing, and the documents your auditor needs. No vendor-questionnaire roulette — every answer is here.

  • Frameworks: 4 (SOC 2-aligned, GDPR, HIPAA, PCI (delegated))
  • Controls: Continuous (enforced by tests + RLS, not periodic audits)
  • DPA + SCCs: Available (sent within 24 hours of request)
  • Subprocessors: Published (14-day notification on changes)

Frameworks our controls align to

  • SOC 2-aligned: Active
  • GDPR: Compliant
  • HIPAA: Eligible
  • PCI DSS: Delegated
  • ISO 27001-aligned: Active
  • CCPA: Compliant

Frameworks

What every framework covers

Status, scope, and what we ship to support the audit.

SOC 2-aligned controls

Security, availability, and confidentiality controls aligned to the SOC 2 trust criteria — encryption, access control, audit logging, change management — enforced continuously by tests and RLS rather than by periodic audit cycles. The underlying infrastructure (Cloud Run, Supabase) is SOC 2 Type II certified. We are not pursuing a formal NemoRouter-level SOC 2 Type II audit at this stage.

  • Encryption at rest (AES-256) + in transit (TLS 1.2+)
  • Postgres RLS on every Nemo table — tenant isolation enforced at the database layer
  • Immutable audit trail with actor + IP + diff on every administrative action
  • Controls walkthrough + vendor questionnaire response on request (security@)

GDPR

Full compliance with the General Data Protection Regulation for EU/EEA data subjects. DPA, SCCs, data subject rights, EU residency on Enterprise.

  • Data Processing Agreement (DPA) — sent within 24 hours of request
  • Standard Contractual Clauses (SCCs) for international transfers
  • Data subject rights: access, erasure, portability, restriction
  • Configurable data retention (zero / metadata / full / PII-redacted)

HIPAA Eligible

Business Associate Agreement (BAA) available for healthcare organizations on the Enterprise plan. PHI-aware guardrails, audit logging, and end-to-end encryption.

  • BAA available — review + sign within 5 business days
  • PHI-aware redaction via Microsoft Presidio guardrail
  • Audit logging for all data access events
  • EU + US-only data routing options

PCI DSS · Delegated

Payment card data is handled entirely by Stripe (PCI DSS Level 1). No card numbers ever touch NemoRouter servers — tokenization is the only contact point.

  • Stripe handles all PCI-scoped data
  • Zero card data stored or processed by NemoRouter
  • Stripe Elements + tokenization for every payment flow
  • Webhook signature verification on every Stripe event

Controls

Data protection — measure by measure

The control catalog auditors ask to see, in one table. No marketing fluff between the rows.

Measure                 Implementation
Encryption in transit   TLS 1.2+ (HSTS preloaded)
Encryption at rest      AES-256 across Postgres, Redis, object storage
Database isolation      Row-Level Security on every Nemo table
API key storage         SHA-256 hashed; plaintext shown once
Auth                    JWT via Supabase Auth + service-role isolation
Credit safety           Reserve+settle with Postgres advisory locks
Data retention          Configurable per-org (zero / metadata / full / redacted)
Log retention           90 days, auto-purged daily; longer on Enterprise
Financial records       7 years (legal obligation)

Request

Need something specific?

SOC 2 reports, signed DPAs, BAAs, vendor questionnaires, and security exhibits go to qualified organizations on request. We respond within one business day.

Trust, in writing

Send your security questionnaire — we will return it

One inbox, one team, one business-day SLA. Bring your auditor along on the kickoff call.