Security posture, compliance status, data protection, and every legal document — in one place. We are honest about what is available today and what is still in progress. No vendor-questionnaire roulette.
Current trust posture
Tenant isolation enforced at the database
Backed by managed Cloud Run + Supabase
DPA, SCCs, questionnaires — one business day
Virtual keys only — never the master key
The controls security teams audit for — and where each one stands
The six guarantees every Nemo Router customer gets from day one — not features behind an Enterprise tier, but invariants enforced by tests that block merges.
TLS 1.2+ on every public endpoint with HSTS preloaded. AES-256 for data at rest across Postgres, Redis, and object storage. Virtual keys are SHA-256 hashed — the plaintext is shown exactly once.
Row-Level Security on all 22 Nemo tables. Cross-tenant reads are impossible at the database layer — not discouraged, denied. No "USING (true)" policies anywhere in the schema.
Customer LLM traffic only ever authenticates with virtual keys (sk-nemo-…) — rate-limited, budget-capped, revocable. Master keys are reserved for internal management CRUD.
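As an added illustration of the virtual-key model above (and of the "API key storage" row in the controls table further down), the Python below is not NemoRouter's code: it issues an sk-nemo- key, stores only the key's SHA-256 digest, authenticates by recomputing that digest, and refuses anything that is not a virtual key on the data-plane path. The record layout, the method names and the in-memory store are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass

KEY_PREFIX = "sk-nemo-"  # virtual-key prefix from the page; everything else here is assumed


@dataclass
class VirtualKey:
    key_hash: str        # hex SHA-256 of the full plaintext key; the plaintext is never stored
    org_id: str
    budget_cents: int    # spend the key may still authorise
    rpm_limit: int       # per-key rate limit
    revoked: bool = False


class VirtualKeyStore:
    """In-memory stand-in for a keys table. Only hashes and metadata live here."""

    def __init__(self) -> None:
        self._rows: dict[str, VirtualKey] = {}   # indexed by key_hash, as a DB unique index would be

    @staticmethod
    def digest(plaintext: str) -> str:
        return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()

    def issue(self, org_id: str, budget_cents: int, rpm_limit: int) -> str:
        # 32 random bytes (256 bits of entropy) make offline guessing infeasible, which is why an
        # unsalted SHA-256 is adequate for API keys even though it would be wrong for passwords.
        plaintext = KEY_PREFIX + secrets.token_urlsafe(32)
        key_hash = self.digest(plaintext)
        self._rows[key_hash] = VirtualKey(key_hash, org_id, budget_cents, rpm_limit)
        return plaintext   # handed to the caller exactly once; it cannot be recovered later

    def authenticate(self, presented: str) -> VirtualKey | None:
        # Data-plane requests must carry a virtual key. A master key (assumed here to be any
        # other format) is refused before lookup, so it can never reach a provider.
        if not presented.startswith(KEY_PREFIX):
            return None
        row = self._rows.get(self.digest(presented))
        if row is None or row.revoked:
            return None
        return row

    def revoke(self, key_hash: str) -> bool:
        # The dashboard only knows the hash, which is all revocation needs.
        row = self._rows.get(key_hash)
        if row is None:
            return False
        row.revoked = True
        return True

    def stored_values(self) -> list[str]:
        # What someone holding a copy of the table would see: digests, never keys.
        return list(self._rows)
```

Revocation and lookup both work from the digest, so the plaintext is needed only by the client that presents it; a leaked table row yields a hash that cannot be replayed against the API.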
Every request flows Frontend → Nemo Backend → in-process router. Auth, RLS scope, credit reserve+settle, and guardrails all run on the same hop. There is no shortcut path to a provider.
Every administrative action, key change, and budget event is logged with the actor, source IP, payload diff, and timestamp. Exportable as CSV or JSON for SIEM ingestion.
PII redaction, prompt-injection detection, secret scanning, abuse blocking, and response scanning run on every prompt and completion — included on every plan, never gated.
For the full architecture — request flow, RLS deep-dive, and the reserve+settle credit model — read the security page.
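The reserve+settle credit model named above (and in the "Credit safety" row of the controls table below), as an added example written for this page rather than taken from NemoRouter: credits are held before the provider call and charged at the true cost afterwards, with one lock per org standing in for the Postgres advisory lock so that concurrent requests cannot overspend a budget. The ledger layout, the assumption that the hold is an upper bound estimated from the request's maximum output tokens, and the function names are mine, not the page's.

```python
from __future__ import annotations

import threading
import uuid
from dataclasses import dataclass


@dataclass
class Reservation:
    rid: str
    org_id: str
    max_cost: int        # credits held while the provider call is in flight
    settled: bool = False


class CreditLedger:
    """Reserve before the provider call, settle with the true cost after it.

    One lock per org serialises reserve/settle for that org. In Postgres the same
    effect comes from taking pg_advisory_xact_lock(hashtext(org_id)) at the start
    of the reserve and settle transactions (assumed mapping, not the page's SQL)."""

    def __init__(self, balances: dict[str, int]) -> None:
        self._balance = dict(balances)                       # credits on the account
        self._held = {org: 0 for org in balances}            # reserved, not yet settled
        self._locks = {org: threading.Lock() for org in balances}
        self._open: dict[str, Reservation] = {}

    def available(self, org_id: str) -> int:
        with self._locks[org_id]:
            return self._balance[org_id] - self._held[org_id]

    def reserve(self, org_id: str, max_cost: int) -> Reservation | None:
        """Hold max_cost credits, or return None (request rejected, no provider call)."""
        if max_cost <= 0:
            raise ValueError("max_cost must be positive")
        with self._locks[org_id]:
            if self._balance[org_id] - self._held[org_id] < max_cost:
                return None
            self._held[org_id] += max_cost
            r = Reservation(uuid.uuid4().hex, org_id, max_cost)
            self._open[r.rid] = r
            return r

    def settle(self, r: Reservation, actual_cost: int) -> int:
        """Charge the real cost, release the rest of the hold, return the new balance.

        The hold is assumed to be an upper bound, so an actual_cost above it is a
        pricing bug to surface, not a reason to overdraw the org."""
        if not 0 <= actual_cost <= r.max_cost:
            raise ValueError("actual cost outside the reserved range")
        with self._locks[r.org_id]:
            if r.settled:
                raise ValueError("reservation already settled")   # idempotency guard
            self._held[r.org_id] -= r.max_cost
            self._balance[r.org_id] -= actual_cost
            r.settled = True
            del self._open[r.rid]
            return self._balance[r.org_id]

    def release(self, r: Reservation) -> int:
        """Provider call failed: give the whole hold back without charging."""
        return self.settle(r, 0)


def concurrent_reserve(ledger: CreditLedger, org_id: str,
                       workers: int, max_cost: int) -> list[Reservation]:
    """Race `workers` threads on reserve(); returns the reservations that were granted."""
    granted: list[Reservation] = []

    def worker() -> None:
        r = ledger.reserve(org_id, max_cost)
        if r is not None:
            granted.append(r)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return granted


if __name__ == "__main__":
    ledger = CreditLedger({"org_a": 1000})
    held = concurrent_reserve(ledger, "org_a", workers=50, max_cost=100)
    print(len(held), "of 50 reservations granted; available:", ledger.available("org_a"))
```

With a balance of 1000 and fifty simultaneous requests each holding 100, exactly ten are granted and the rest are rejected before any provider is called; settling at a lower actual cost returns the difference, and a failed call releases the entire hold.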
We will never put a certification badge on a framework we have not earned. Here is exactly where each one stands.
NemoRouter operates SOC 2-aligned security, availability, and confidentiality controls today — encryption, access control, change management, audit logging, tenant isolation. A formal SOC 2 Type II observation period is underway; the audited report is targeted for Q3 2026. Our infrastructure substrate (Google Cloud Run, Supabase) already holds SOC 2 Type II attestation reports of its own.
Information security management practices aligned to ISO/IEC 27001 Annex A controls — asset management, access control, cryptography, operations security, supplier relationships. A formal ISO 27001 certification is on the roadmap; the infrastructure substrate (Cloud Run, Supabase) is independently ISO 27001 certified.
Compliant with the EU General Data Protection Regulation. Data Processing Addendum available for signature, EU Standard Contractual Clauses with subprocessors, data-subject access and erasure tooling built into the dashboard, and EU data residency available on Enterprise.
NemoRouter supports HIPAA-eligible workloads. A Business Associate Agreement (BAA) is available for healthcare customers processing protected health information — request one through the Enterprise team. PII redaction guardrails run on every request at no extra cost.
NemoRouter never touches raw cardholder data. All payments are processed by Stripe, a PCI DSS Level 1 certified service provider; card numbers are tokenized client-side and never reach our servers or database. Your PCI scope for using NemoRouter is therefore minimal.
Pin where customer data is processed and stored. US is the default footprint; EU residency is generally available on Enterprise, with UK, Canada, Australia, Singapore, and India available on request for residency-sensitive workloads.
On the record
A formal NemoRouter-level SOC 2 Type II audit is in progress — it is not complete, and we do not market a badge we have not earned. The infrastructure we run on (Google Cloud Run, Supabase) holds independent SOC 2 Type II attestation reports and ISO 27001 certifications today. Until our own audit closes, request a controls walkthrough or a completed questionnaire and we will deliver it within one business day.
The table auditors ask to see. No marketing fluff between the rows.
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+, HSTS preloaded on the apex domain |
| Encryption at rest | AES-256 across Postgres, Redis, and object storage |
| Database isolation | Row-Level Security on every Nemo table (22 / 22) |
| API key storage | SHA-256 hashed; plaintext shown once at creation |
| Authentication | JWT via Supabase Auth with service-role isolation |
| Credit safety | Reserve + settle under Postgres advisory locks |
| Data retention policy | Per-org: zero / metadata / full / PII-redacted |
| Request log retention | 90 days, auto-purged daily; longer on Enterprise |
| Financial records | 7 years, retained for legal obligation |
| PII handling | Microsoft Presidio redaction guardrail, on by default |
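The "Encryption in transit" row above states that HSTS is preloaded. As an added check that is neither part of this page nor NemoRouter's tooling, the Python below parses a Strict-Transport-Security header value and reports what would disqualify it from the hstspreload.org list; the sample header values are constructed, not captured from any host.

```python
from __future__ import annotations

PRELOAD_MIN_MAX_AGE = 31_536_000   # one year, the hstspreload.org minimum


def parse_hsts(header: str) -> dict[str, str | None]:
    """Parse a Strict-Transport-Security field value into {directive: value}.

    Per RFC 6797 section 6.1 directive names are case-insensitive, values may be
    quoted, and a directive may appear only once; a duplicate makes the whole
    header invalid and a user agent must ignore it."""
    directives: dict[str, str | None] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"') if sep else None
    return directives


def preload_findings(header: str) -> list[str]:
    """Reasons this header would fail HSTS preload submission; [] means it qualifies.

    Header-only checks: the preload list also requires an HTTPS redirect from
    port 80 and a valid certificate chain, which need a live probe."""
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]
    findings: list[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not a non-negative integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        findings.append(f"max-age={max_age} is below the one-year preload minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing (preload covers the whole registrable domain)")
    if "preload" not in d:
        findings.append("preload directive missing (the opt-in signal for the list)")
    return findings


# Constructed header values for the example, not captured from any real host.
SAMPLE_HEADERS = {
    "preload-ready": "max-age=63072000; includeSubDomains; preload",
    "too-short": "max-age=300; includeSubDomains; preload",
    "self-only": "max-age=31536000",
    "duplicate": "max-age=31536000; max-age=0; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label}: {preload_findings(value) or 'qualifies'}")
```

Run it against the header your apex domain actually serves (for example from `curl -sI https://example.com`); a header that passes here but is missing on the HTTP-to-HTTPS redirect or on a subdomain will still be rejected at submission time.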
Customer data is replicated within a single region. We default to US; EU residency is available on Enterprise for residency-sensitive workloads.
All regions provide at-rest encryption and in-region backups.

- United States (us-central1)
- US East (Virginia)
- European Union (europe-west4)
- EU North (Stockholm)
- United Kingdom (London)
- Canada (Montréal)
- Australia (Sydney)
- Singapore
- India (Mumbai)
Need a region pinned for your tenant? Email sales@nemorouter.ai.
Linked directly — open them, send them to your auditor, attach them to a ticket. Nothing here requires a sales call.
- Standard DPA covering EU/EEA processing, SCCs for cross-border transfers, and a security exhibit.
- 99.9% uptime target with service credits for missed minutes. Custom SLA on Enterprise.
- What you can build on Nemo Router, what is never permitted, and how the policy is enforced.
- The exact third parties involved in delivering the service, with 14-day change notification.
- How encryption, RLS, virtual keys, guardrails, and the audit trail fit together — the engineering detail.
- Framework-by-framework scope, status, and the control catalog auditors ask to walk through.
- What data we collect, why, how long we keep it, and the data-subject rights you can exercise.
- The master agreement that governs use of Nemo Router for self-serve and team accounts.
- Live availability for the gateway, auth, billing, and providers — plus incident history.
Some documents need to know who is asking. Email the security or legal team and you will have what you need fast — reviewed by a human, not a portal.
- Send your CAIQ, SIG, or custom questionnaire. We complete it manually and return it within one business day.
- A 30-minute call where your security team and auditor get the same answers we give our engineers.
- For organizations processing PHI on an Enterprise plan. Reviewed and signed within 5 business days.
- When procurement needs paper on their template, our legal team works from yours.
We complete security questionnaires manually — no Whistic or Conveyor portal in the loop. That means every answer is reviewed by the engineer who owns the control, and you get a response within one business day. Start the request from our contact page.
We publish the exact list of subprocessors involved in delivering the service and notify customers 14 days before adding a new one.
Infrastructure
Google Cloud (Cloud Run, Vertex AI) and Supabase host compute and data — both hold SOC 2 Type II attestation reports.
Billing & email
Stripe handles all payment data (PCI DSS Level 1); transactional email runs through a dedicated authenticated sender.
Model providers
LLM requests are routed to upstream providers. We manage all provider keys — customers never configure them.
Report a vulnerability, request documentation, or book a controls walkthrough. We acknowledge security reports within 48 hours.
Security team
security@nemorouter.ai
Questionnaires · vuln reports · controls walkthroughs
Legal team
legal@nemorouter.ai
DPA · BAA · custom MSA · subprocessor questions
CloudAct Inc.
100 S Murphy Ave
STE 200 PMB4013
Sunnyvale, CA 94086
United States
+1 (850) 988-7471
Something not covered? Ask us directly from the contact page.
Security review · 30 minutes
No NDA to start, no sales gate. Send your questionnaire, book a controls walkthrough, or request a signed DPA.