§ I · Stance
The self-test.
We help companies pass audits, govern AI, and answer the hardest security questions their buyers can throw at them. It would be embarrassing, and disqualifying, to do that work without holding ourselves to the same bar.
If we wouldn't accept this answer from a client’s vendor, we don’t accept it from ourselves.
What follows is honest. We are a small, senior firm. We do not yet hold third-party SOC 2 or ISO 27001 attestations: we will, on a published timeline. In the meantime, this page describes what we actually do, not what we plan to do. If you need a control mapped that isn’t listed, ask us.
§ II · Alignment
Certifications & alignment.
- SOC 2 Type I: targeted Q4 2026; readiness against the 2017 TSC, security & confidentiality scope.
- SOC 2 Type II: following Type I, observation period beginning Q1 2027.
- ISO/IEC 27001:2022: ISMS scoped to professional services delivery; certification audit targeted 2027.
- NIST CSF 2.0: we self-assess annually against the six functions (Govern, Identify, Protect, Detect, Respond, Recover).
- NIST SP 800-171 r3: alignment for any engagement involving CUI; we hold no current contracts that require SPRS scoring.
Until our first attestation lands, we provide an internal SOC 2 readiness package on request to qualified prospects under NDA: SSP-equivalent, control matrix with evidence, asset inventory, sub-processor list, and most recent internal review. Email [email protected].
§ III · Controls
The control set.
Summary: not exhaustive. Mapped to TSC and ISO/IEC 27001:2022 Annex A.
Identity & access (CC6.1 · A.5.15)
Phishing-resistant MFA (FIDO2 / WebAuthn) on every account that touches customer data. SSO to identity provider. Quarterly access reviews. No shared accounts. Hardware-key-only access for admin tier.
Encryption (CC6.7 · A.8.24)
TLS 1.2+ (1.3 preferred) for all data in transit. AES-256 at rest on every endpoint. Full-disk encryption mandatory. Email encryption when transmitting client evidence; portal-based handoff for anything sensitive.
Endpoint security (CC6.6 · A.8.23)
Managed laptops only. EDR with active monitoring. OS patching within 14 days for critical, 30 days for high. Application allow-listing on admin endpoints. Disk encryption verified on every onboarding.
Logging & monitoring (CC7.2 · A.8.16)
Centralized log aggregation. Identity provider, endpoint, mail, and document-platform events forwarded to a single pane. 90-day hot retention; 1-year cold. Alerts for impossible-travel, MFA changes, admin role grants, anomalous data export.
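The four alert types named in that control are described, not shown. Here is an added example, not Nexurion's own tooling, of how they can be expressed as detection logic over a normalized identity-provider event stream. The event shape, the thresholds (900 km/h, 50 km, 500 MB), the admin role names and the sample events are all assumptions constructed for the example.

```python
# Added example (not Nexurion's own tooling): the four alert types named in the
# "Logging & monitoring" control, run over a normalized identity-provider event
# stream. Event shape, thresholds and sample events are assumptions.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str            # "login", "mfa_change", "role_grant", "export"
    detail: str = ""     # factor name, role name, or exported size in MB
    lat: float = 0.0     # GeoIP-resolved coordinates, used for logins only
    lon: float = 0.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates (haversine formula)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


MAX_SPEED_KMH = 900.0      # faster than an airliner counts as impossible travel (assumed)
MIN_DISTANCE_KM = 50.0     # ignore GeoIP jitter inside one metro area (assumed)
EXPORT_THRESHOLD_MB = 500.0  # assumed per-event export size that warrants review
ADMIN_ROLES = {"admin", "owner"}  # assumed privileged role names


def detect(events):
    """Return (alert_type, user, detail) tuples, in event-time order."""
    alerts = []
    last_login = {}  # user -> most recent login event seen so far
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "login":
            prev = last_login.get(e.user)
            if prev is not None:
                km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
                hours = (e.ts - prev.ts).total_seconds() / 3600.0
                # Two logins far apart in space but too close in time.
                if km >= MIN_DISTANCE_KM and (hours == 0 or km / hours > MAX_SPEED_KMH):
                    alerts.append(("impossible_travel", e.user, f"{km:.0f} km in {hours:.1f} h"))
            last_login[e.user] = e
        elif e.kind == "mfa_change":
            # Every factor enrolment or removal is surfaced for review.
            alerts.append(("mfa_change", e.user, e.detail))
        elif e.kind == "role_grant" and e.detail in ADMIN_ROLES:
            alerts.append(("admin_role_grant", e.user, e.detail))
        elif e.kind == "export" and float(e.detail) > EXPORT_THRESHOLD_MB:
            alerts.append(("anomalous_export", e.user, f"{float(e.detail):.0f} MB"))
    return alerts


# Constructed sample stream: one plausible commute, one impossible hop, one factor
# change, one admin grant, one large export. Coordinates are approximate city centres.
SAMPLE_EVENTS = [
    Event(datetime(2026, 3, 2, 8, 0), "alice", "login", lat=42.36, lon=-71.06),   # Boston
    Event(datetime(2026, 3, 2, 9, 0), "bob", "login", lat=42.36, lon=-71.06),     # Boston
    Event(datetime(2026, 3, 2, 10, 0), "bob", "login", lat=1.35, lon=103.82),     # Singapore, 1 h later
    Event(datetime(2026, 3, 2, 11, 0), "alice", "mfa_change", detail="factor_enrolled"),
    Event(datetime(2026, 3, 2, 12, 0), "carol", "role_grant", detail="admin"),
    Event(datetime(2026, 3, 2, 12, 30), "dave", "role_grant", detail="viewer"),
    Event(datetime(2026, 3, 2, 13, 0), "alice", "login", lat=40.71, lon=-74.01),  # New York, 5 h later
    Event(datetime(2026, 3, 2, 14, 0), "dave", "export", detail="1200"),
    Event(datetime(2026, 3, 2, 14, 30), "carol", "export", detail="40"),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

Running it yields four alerts: bob's Boston-to-Singapore hop in one hour, alice's factor enrolment, carol's admin grant, and dave's 1200 MB export; alice's Boston-to-New York login five hours apart and dave's viewer grant produce nothing. The minimum-distance guard matters in practice because GeoIP places consecutive logins from one city at slightly different coordinates, which would otherwise fire at zero elapsed time.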
People & awareness (CC2.2 · A.6.3)
Background check before access to client data. Annual security & privacy training. Quarterly phishing exercises. Documented offboarding within 24 hours of separation, with credential and device revocation.
Vendor / sub-processor management (CC9.2 · A.5.19)
Written DPA with every sub-processor that touches personal data. Annual review of security posture (SOC 2 / ISO / equivalent). New sub-processors gated through a documented review. Public list at § V.
Incident response (CC7.4 · A.5.24)
Documented IR plan with defined severities, notification timelines (incl. 72-hour for data-affecting events), runbook, and exercises. Senior practitioner on call. Counsel pre-engaged for breach scenarios.
Resilience & backups (A1.2 · A.5.30)
Daily backups for working data, 30-day retention, periodic restore tests. Documented RPO/RTO. Cloud-native primary; nothing critical depends on a single workstation.
Change management (CC8.1 · A.8.32)
All website changes via version control; code review before merge. Environment separation between draft and production. Signed deploys. No direct production edits.
Data minimization (CC6.8 · A.8.12)
We do not collect what we do not need. No analytics pixels. No session-replay. Form data retained 24 months from last contact. Engagement evidence kept per the engagement contract; deleted on schedule.
§ IV · Data
How we handle client data.
During an engagement, you may share with us policies, system descriptions, screenshots of consoles, evidence of control operation, and (rarely) extracts of personal data needed to validate a control. We treat all of it as confidential under the engagement NDA / DPA.
- Storage. Engagement data lives in a per-client workspace inside our document platform. Access is limited to the practitioner team on the engagement. Inherited from the platform's SOC 2 / ISO posture.
- Transmission. Client portal preferred. Email accepted only for non-sensitive material; nothing PHI / CHD / classified ever moves through email.
- Local copies. Practitioners do not store client material on personal devices. Local working copies on managed laptops are encrypted at rest and synced back to the workspace.
- Deletion. At engagement close, evidence retention follows the contract. Default: 7 years for professional-liability and tax purposes, then secure deletion. We provide a deletion certificate on request.
- AI tools. We use AI for drafting and synthesis on a managed plan with the “no-training-on-customer-data” commitment in the agreement. We do not paste raw client evidence into consumer AI tools. Ever.
§ V · Sub-processors
Who we rely on.
We disclose every sub-processor that may handle personal data on our behalf. Updates to this list are posted at least 30 days before a new sub-processor begins handling personal data. To request the current named list with vendor identities and DPAs, email [email protected] from a verified business address.
| Function | Region | Basis & safeguards |
|---|---|---|
| Cloud infrastructure (website hosting): hosting nexurion.io and form back-end | United States | DPA in place · ISO 27001 / SOC 2 · TLS in transit, AES-256 at rest |
| Email (transactional & newsletter delivery): inquiry replies and Field Notes send | United States | DPA · SOC 2 · DKIM/SPF/DMARC enforced · suppression-list integrity |
| Identity provider: SSO & MFA for the firm | United States | DPA · SOC 2 · ISO 27001 · WebAuthn / FIDO2 enforced for admins |
| Document & collaboration platform: engagement workspaces, evidence storage | United States | DPA · SOC 2 · ISO 27001 / 27017 / 27018 · per-client workspace isolation |
| Endpoint security (EDR): managed laptops | United States | DPA · SOC 2 · telemetry retention scoped, no client artifact ingest |
| Calendar / booking: scoping-call scheduling | United States | DPA · SOC 2 · only name, email, and time slot |
| AI drafting platform (managed plan): editorial drafting only; no raw client evidence | United States | DPA · no-training commitment · zero-data-retention option enabled where available |
§ VI · IR
Incident response.
We maintain a documented IR plan with severity definitions, notification timelines, runbooks for common scenarios (account compromise, data exfiltration, supply-chain compromise, ransomware), and a counsel-engaged playbook for breach. The plan is reviewed annually and exercised at least once per year.
- Detection. Centralized logging plus alerts on identity-provider, endpoint, and document-platform anomalies.
- Triage. A senior practitioner is paged on every Sev-1 / Sev-2. We do not triage through a junior queue.
- Notification. Affected clients notified without undue delay; for events involving personal data, within 72 hours where required by law or contract.
- Containment & recovery. Documented runbooks, with a written post-incident review and corrective-action plan for any Sev-1 / Sev-2.
- Counsel. Breach counsel is pre-engaged to preserve privilege from the first hour of any data-affecting event.
§ VII · Disclosure
Coordinated disclosure.
If you have found a vulnerability in a Nexurion-operated service or asset, thank you. We welcome good-faith reports and will not pursue legal action against researchers who follow this policy.
In scope
- nexurion.io and its sub-domains
- Email infrastructure (SPF / DKIM / DMARC misconfiguration, open relays)
- Documented supply-chain vulnerabilities affecting Nexurion-distributed content
Out of scope
- Third-party platforms we use as sub-processors (report directly to them)
- Social-engineering attempts against our personnel
- Volumetric / DoS testing
- Findings requiring physical access to the office
- Self-XSS, missing security headers without a demonstrable exploit, automated-scanner output without analysis
How to report
- Email [email protected]: encrypt with our PGP key (below) for sensitive findings.
- Provide enough detail to reproduce: URL, request, expected vs. actual behavior, screenshots if helpful.
- Do not access, modify, or exfiltrate data beyond what is needed to demonstrate the issue.
- Give us a reasonable window before public disclosure: we target acknowledgement within 3 business days and remediation within 90 days for high-severity findings.
We do not currently run a paid bounty. We do publish acknowledgements (with permission) and will provide a written attestation of your finding for your portfolio.
§ VIII · Diligence
Security questionnaires & due diligence.
We complete reasonable security questionnaires for procurement and audit purposes free of charge. Common formats supported: SIG-Lite, CAIQ, custom enterprise questionnaires up to roughly 200 questions. Beyond that, we ask buyers to share a free-form list of their critical concerns; we’ve found this faster and more accurate than line-by-line completion of a 1,200-row spreadsheet.
We do not sign blank Business Associate Agreements, blanket data-processing addenda, or open-ended subject-matter-jurisdiction clauses. If your standard form includes such a provision, our counsel will negotiate it; that’s normal, not friction.
Email: [email protected]
Mail: Nexurion, LLC · Attn: Security · 111 Speen Street, 2nd Floor · Framingham, MA 01701 · USA
For sensitive reports, please encrypt to our PGP key. Fingerprint and key on request to [email protected]; published key block coming with the SOC 2 Type I package.