Security & Trust Center

Every action logged. Every decision auditable.

NXπ is EU AI Act-ready, SOC 2-aligned, and built on zero-trust principles. We designed for the regulated enterprise from day one - not as a compliance checkbox, but as an architectural invariant.

Compliance & Certifications

Regulatory readiness built into the product, not bolted on afterward.

EU AI Act

Ready

High-risk system requirements met. Transparency, human oversight, and audit logging built-in. Deadline: Aug 2, 2026.

SOC 2 Type II

In progress

Controls framework implemented. Audit period in progress. Report available Q3 2025.

GDPR

Ready

Data residency controls, right-to-erasure workflow, and Data Processing Agreement available.

HIPAA

Available

PHI controls and audit logging. Self-hosted deployment option ensures data never leaves your perimeter.

SOX

Ready

Append-only audit trail, financial process controls, segregation of duty enforcement through RBAC.

ISO 27001

Aligned

Information security management framework alignment. Formal certification roadmap in 2025.

Security Architecture

Zero-trust from the first request to the last audit log entry.

Zero-trust access

Every request is authenticated and authorized. Per-user RBAC with label-based policies. MCP server scoping ensures agents can only access tools they are explicitly permitted to use.

PII detection & masking

Presidio-powered PII detection runs on every prompt before it reaches any LLM. Names, emails, financial identifiers, and health data are detected and masked. The original data stays in your store.

Append-only audit logs

Every agent action, tool call, and decision is written to an append-only, cryptographically chained log in your PostgreSQL. Logs are queryable but immutable. Your regulators can verify every decision.

Context window compaction

Sensitive conversation history is compacted and summarized at configurable intervals. Raw prompt content does not accumulate indefinitely in the context window.

Data Sovereignty

Choose where your data lives. The platform is identical across all deployment modes.

Self-hosted

Data never leaves your network
Local Ollama - no external LLM calls
Customer-owned PostgreSQL
Air-gap compatible
On-premises HSM for key management

Private cloud

Your VPC, your keys, your control
AWS / Azure / GCP private endpoints
Customer-managed encryption keys
VPC-only egress - no public internet
Managed databases within your account

Hybrid

Self-hosted data layer + cloud inference
You choose what crosses the boundary
Prompt/response only - no raw data to LLM
Flexible model routing per use case
Gradual migration path to full self-hosting

Subprocessors

All external processing is optional. Every subprocessor can be eliminated with self-hosted or private-cloud deployment.

Subprocessor	Purpose	Region	Data processed
Vercel	Hosting (optional - can self-host)	US / EU	Web traffic, no business data
Anthropic	LLM inference (optional - can use Ollama)	US	Masked prompts only
OpenAI	LLM inference (optional)	US	Masked prompts only
Google	Gemini inference (optional)	US / EU	Masked prompts only

This list is illustrative. A complete, up-to-date subprocessor list is available upon request or within your DPA.

Vulnerability Disclosure

We operate a responsible disclosure program. If you discover a security vulnerability in NXπ, please report it to us privately before any public disclosure. We commit to acknowledging reports within 24 hours and providing a remediation timeline within 72 hours.

security@nxpi.ai Request DPA

Subprocessor

Purpose

Region

Data processed

Vercel

Hosting (optional - can self-host)

US / EU

Web traffic, no business data

Anthropic

LLM inference (optional - can use Ollama)

Masked prompts only

OpenAI

LLM inference (optional)

Masked prompts only

Google

Gemini inference (optional)

US / EU

Masked prompts only