Nimbus Cloud

Enterprise cloud infrastructure platform trusted by Fortune 500 companies worldwide.

SOC 2 Type II
ISO 27001
GDPR
HIPAA
PCI DSS
CCPA

Security at the Core

At Nimbus Cloud, security isn't an afterthought — it's foundational to every decision we make. We've built our platform on zero-trust principles, with defense-in-depth across every layer of our infrastructure.

We believe transparency builds trust. That's why we make our security controls, compliance posture, and subprocessor relationships fully visible to our customers. When you work with us, you gain access to continuous monitoring, real-time security updates, and a team that treats your data with the same care as our own.

Our commitment: earn your trust every day through action, not claims.

Sarah Chen

Chief Information Security Officer

Quick Summary

Data encrypted at rest (AES-256)
Data encrypted in transit (TLS 1.3)
Multi-factor authentication required
Role-based access control (RBAC)
Single Sign-On (SSO/SAML)
Annual third-party penetration testing
Incident response plan documented
Business continuity & disaster recovery
Security awareness training
Vulnerability management program
Data residency options (US/EU)
Customer data deletion on request

What We Offer

Nimbus Cloud provides enterprise-grade cloud infrastructure with built-in security, compliance automation, and 24/7 monitoring. Our platform serves over 2,500 organizations globally, processing trillions of requests monthly under a 99.99% uptime SLA for Enterprise customers.

Core capabilities include managed Kubernetes clusters, serverless compute, multi-region data replication, DDoS protection, WAF, and integrated compliance tooling for SOC 2, ISO 27001, HIPAA, and PCI DSS environments.

Security Controls (31)

31 of 31 controls implemented (100%)

Access Control (5 of 5 implemented)

Multi-factor authentication enforced for all production access
Principle of least privilege applied across systems
Access reviews performed quarterly
SSO integration with identity providers
Automatic access revocation on termination

Data Protection (5 of 5 implemented)

All data encrypted at rest using AES-256
TLS 1.3 enforced for all data in transit
Encryption keys managed by dedicated KMS
Data classification policy enforced
Backup encryption and offsite replication

Infrastructure Security (6 of 6 implemented)

Network segmentation with private VPCs
Web application firewall (WAF) deployed
DDoS protection on all public endpoints
Intrusion detection and prevention (IDS/IPS)
Centralized logging with 1-year retention
Automated security patching

Application Security (5 of 5 implemented)

Static application security testing (SAST) in CI/CD
Software composition analysis (SCA)
Annual penetration testing by third party
Secure code review required for all PRs
Dependency vulnerability scanning

Operational Security (5 of 5 implemented)

24/7 Security Operations Center (SOC)
Documented incident response procedures
Business continuity plan tested annually
Disaster recovery with RTO < 4 hours
Security incident post-mortems published

Compliance & Governance (5 of 5 implemented)

SOC 2 Type II audited annually
ISO 27001 certified and maintained
GDPR Data Processing Agreement (DPA) available
Security policies reviewed annually
Vendor risk assessments performed

Data Collected (9)

Data type | Purpose
Customer account information (name, email) | Authentication and account management
Company information | Billing and customer support
Usage analytics (anonymized) | Product improvement
Customer uploaded content | Core service delivery
Payment information | Processed by Stripe, never stored by us
Biometric data |
Personal health information |
Social Security Numbers |
Government-issued IDs |

Subprocessors (15)

AI & Machine Learning Providers (3)

We use the following AI and language model providers to deliver AI-powered features. Data sent to these providers is processed according to their privacy policies and our Data Processing Agreements.

OpenAI (United States): LLM provider for AI-powered search and summarization
Anthropic (United States): LLM provider for AI assistant features
Pinecone (United States): Vector database for semantic search

Infrastructure & Services (12)

Amazon Web Services (United States, Ireland): Primary cloud infrastructure provider
Cloudflare (United States): CDN, DDoS protection, and WAF
Vercel (United States): Frontend hosting and edge functions
Stripe (United States): Payment processing
Datadog (United States): Observability and monitoring
PostHog (United States): Product analytics
Okta (United States): Identity and access management
Google Workspace (United States): Internal email and productivity
PagerDuty (United States): Incident management and on-call
Sentry (United States): Error tracking and monitoring
Slack (United States): Internal team communication
Resend (United States): Transactional email delivery

Frequently Asked Questions (11)
Where is customer data stored?

Customer data is stored in AWS data centers in the United States (us-east-1) by default. Enterprise customers can opt for EU residency (eu-west-1) at no additional cost. All data is encrypted at rest and in transit.

How is data encrypted?

All data at rest is encrypted using AES-256 via AWS KMS. Data in transit uses TLS 1.3 with strong cipher suites. Encryption keys are managed by a dedicated KMS with strict access controls, rotated automatically, and never exposed outside our infrastructure.

Do you have a Business Associate Agreement (BAA) for HIPAA?

Yes. We offer BAAs for customers on our Enterprise plan who need to process Protected Health Information (PHI). Contact security@nimbuscloud.example.com to initiate the BAA process.

How do you handle security incidents?

We maintain a documented incident response plan and operate a 24/7 Security Operations Center. For incidents affecting customer data, we notify impacted customers within 72 hours per our contractual SLA, often sooner. Post-mortems are published publicly for significant incidents.

Can I delete my data?

Yes. Customers can request complete data deletion at any time via the admin console or by emailing our support team. Deletion is executed within 30 days and confirmed in writing. Backup data is removed within 90 days as part of our rolling backup lifecycle.

Do you support Single Sign-On (SSO)?

Yes. SSO via SAML 2.0 is available on all plans. We support major identity providers including Okta, Azure AD, Google Workspace, and OneLogin. SCIM provisioning is available on Enterprise plans.

Is there a bug bounty program?

Yes. We partner with HackerOne to run a responsible disclosure program. Security researchers can submit vulnerabilities at https://hackerone.com/nimbuscloud. We commit to acknowledging reports within 24 hours and paying bounties for valid findings.

How often do you perform penetration tests?

We engage an independent third party for comprehensive penetration testing annually, with additional targeted testing for significant architectural changes. Executive summaries of our latest pentest are available under NDA via the Resources section of this trust center.

What is your uptime SLA?

We provide a 99.99% uptime SLA for Enterprise customers (a maximum of 4.32 minutes of downtime in a 30-day month). Status and incident history are available at status.nimbuscloud.example.com.

How do you report a security concern?

For security concerns, contact security@nimbuscloud.example.com, or encrypt your report with the PGP key referenced from /.well-known/security.txt. For critical vulnerabilities, include "URGENT" in the subject line for immediate triage.
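Before sending a report to a contact listed in a vendor's security.txt, a researcher (or an auditor checking the vendor's own file) will want to confirm the file is valid under RFC 9116: the mandatory Contact and Expires fields are present, Expires has not passed, and web URIs use https. The validator below is an added example written for this page, not Nimbus Cloud's code; the sample security.txt it checks is constructed here for illustration (only the hostname nimbuscloud.example.com is taken from the contact address above), and the PGP key URL and HackerOne policy link in it are assumptions.

```python
"""Minimal RFC 9116 (security.txt) validator.

Added example for illustration; not Nimbus Cloud's code. The sample
file below is constructed and is not fetched from any real host.
"""
from __future__ import annotations

from datetime import datetime

# Constructed sample. The Encryption URL and Policy link are assumed.
SAMPLE_SECURITY_TXT = """\
# Constructed example for illustration only
Contact: mailto:security@nimbuscloud.example.com
Contact: https://hackerone.com/nimbuscloud
Expires: 2026-12-31T23:59:59Z
Encryption: https://nimbuscloud.example.com/pgp-key.txt
Preferred-Languages: en
Canonical: https://nimbuscloud.example.com/.well-known/security.txt
Policy: https://hackerone.com/nimbuscloud
"""

# Field names defined by RFC 9116. Contact and Expires are mandatory;
# Expires and Preferred-Languages may appear at most once.
KNOWN_FIELDS = {
    "contact", "expires", "encryption", "acknowledgments",
    "preferred-languages", "canonical", "policy", "hiring", "csaf",
}
SINGLETON_FIELDS = {"expires", "preferred-languages"}
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_rfc3339(value: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2026-12-31T23:59:59Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_security_txt(body: str) -> dict[str, list[str]]:
    """Map lower-cased field names to their values, in file order.

    Lines without a ':' separator are collected under '_malformed'.
    """
    fields: dict[str, list[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no fields
        if ":" not in line:
            fields.setdefault("_malformed", []).append(line)
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(body: str, now_rfc3339: str) -> list[str]:
    """Return the problems found; an empty list means the file passed."""
    now = parse_rfc3339(now_rfc3339)
    fields = parse_security_txt(body)
    problems: list[str] = []

    for line in fields.get("_malformed", []):
        problems.append(f"malformed line: {line!r}")
    for required in ("contact", "expires"):
        if required not in fields:
            problems.append(f"missing required field: {required.title()}")
    for single in SINGLETON_FIELDS:
        if len(fields.get(single, [])) > 1:
            problems.append(f"field appears more than once: {single.title()}")
    for name, values in fields.items():
        if name == "_malformed":
            continue
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field: {name}")
        # RFC 9116: web URIs in any field must begin with https://
        for value in values:
            if value.lower().startswith("http://"):
                problems.append(f"{name.title()} uses plain http: {value}")

    # Contact values must be URIs; a bare e-mail address is a common mistake.
    for contact in fields.get("contact", []):
        if not contact.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")

    # Expires must be RFC 3339, carry a timezone, lie in the future,
    # and (RFC 9116 recommendation) be less than a year away.
    for expires in fields.get("expires", [])[:1]:
        try:
            when = parse_rfc3339(expires)
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires}")
            continue
        if when.tzinfo is None:
            problems.append("Expires lacks a timezone offset")
        elif when <= now:
            problems.append(f"security.txt expired at {expires}")
        elif (when - now).days > 366:
            problems.append("Expires is more than a year away (RFC 9116 recommends less)")
    return problems


if __name__ == "__main__":
    import sys
    issues = validate_security_txt(SAMPLE_SECURITY_TXT, "2026-04-15T00:00:00Z")
    print("\n".join(issues) if issues else "security.txt OK")
    sys.exit(1 if issues else 0)
```

To check a live file, fetch `https://<host>/.well-known/security.txt` over https (RFC 9116 requires it there) and pass the body with the current UTC time; the signature-verification step for a PGP-signed file is out of scope for this example.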

What AI/LLM providers do you use?

We use OpenAI and Anthropic for AI-powered features such as search and summarization. Data sent to these providers is processed according to their privacy policies and our Data Processing Agreements. Customer data is never used for model training. We also use Pinecone as a vector database for semantic search indexing.

Updates (4)
Announcement

Achieved ISO 27001:2022 certification

April 12, 2026

We're proud to announce that Nimbus Cloud has achieved ISO 27001:2022 certification, the latest version of the international standard for information security management systems. This builds on our existing SOC 2 Type II and demonstrates our continued commitment to security excellence.

Update

New AI subprocessors: OpenAI and Anthropic

April 8, 2026

We've added OpenAI and Anthropic to our list of subprocessors for AI-powered features including intelligent search and document summarization. Data sent to these providers is governed by our DPAs and is never used for model training.

Update

New subprocessor: PagerDuty

April 1, 2026

We've added PagerDuty to our list of subprocessors for incident management and on-call rotation. PagerDuty handles alerting metadata only and does not process customer data.

Update

Q1 2026 security program update

March 16, 2026

Highlights from our first quarter security program: completed SOC 2 Type II annual audit with zero findings, rolled out mandatory phishing-resistant MFA (FIDO2/WebAuthn) for all employees, and expanded our bug bounty scope to include staging environments.