Trust · security, transparency, posture

The discipline is the trust.

A candid view of NEXI's security posture, data-handling practices, and compliance roadmap.

Open

Apache 2.0 reference verifier.

Ships open under Apache 2.0, with a public LICENSE drop in June. Any party can re-derive a receipt without NEXI.

Honest

Named lineage, exact scope.

The defensible novelty is the specific combination. The prior art it builds on is cited by name.

Hardened

Standard hosting baseline.

Runs on Vercel and Google Workspace, both SOC 2 Type II and ISO/IEC 27001 attested. NEXI's own attestations are in progress.

01 · Who we are

NEXIVERIFY is operated by Nexi Technologies, Inc., a Delaware corporation. NEXI is an early-stage technology company building a verification layer for AI: an open Apache 2.0 reference verifier at the floor, three commercial packs above, and a signed-receipt format that any party can independently re-derive.

The honest summary of NEXI's stage today: a small team operating to the security and privacy practices appropriate for an early-stage company with no live commercial product, building toward the controls appropriate for the regulated buyers we expect to engage in 2026 and 2027. This page describes that posture accurately. Where a control is in place, it says so. Where a control is planned or out of scope, it says that too.

02 · The open substrate is the trust anchor

The single most important sentence on this page is the one that follows: the verification format and the reference verifier are published under Apache 2.0, and any party can re-derive any receipt without NEXI in the trust path.

That commitment is the structural foundation of every other commitment on this page. It is the answer to “what happens if NEXI folds” (the verifier keeps running, receipts stay re-derivable). It is the answer to “can our audit firm attest to your output” (yes — the format is open and auditable). It is the answer to “are we stranded if we adopt this” (no — there is no NEXI-only format).

The LICENSE drop on the substrate is scheduled for June. After that date, the Apache 2.0 terms govern any use of the reference verifier. NEXI's commercial obligations to enterprise customers continue under separate agreements (Enterprise Agreement, DPA), but the substrate itself is not gated on those agreements.

03 · Security controls

The controls below are organized by domain. Each row carries an honest status: live means the control is in place today, planned means it is on the current roadmap with an internal target, and out of scope means we have made a deliberate decision not to implement the control at this stage.

Identity and access

SSO for internal systems
Single sign-on through Google Workspace for staff access to NEXI-operated systems.
Live
MFA
Multi-factor authentication required on every staff identity for every system that supports it.
Live
Least-privilege access
Access to production systems and customer data is granted on a need-to-know basis and reviewed quarterly.
Live
Hardware security keys
Required for administrative access to critical systems.
Planned 2026
Customer SSO
Customer-side single sign-on integration for enterprise pack pilots.
Planned with first paid mandate

Data protection

Encryption in transit
TLS 1.2 or higher for all data in motion across the public Site and internal systems.
Live
Encryption at rest
AES-256 or equivalent for data at rest on supporting infrastructure (Vercel, Google Workspace).
Live (via subprocessors)
Secret management
No plaintext secrets in source control. Secrets stored in vetted secret-management systems and rotated on a defined cadence.
Live
Data minimization
We collect only the personal data we need for the purposes described in the Privacy Policy.
Live
Customer-data deletion
Customer-data deletion on written request, within the time limits set by applicable law.
Live

Application and network security

Hardened hosting baseline
Hosting on Vercel (SOC 2 Type II, ISO/IEC 27001) with edge-network DDoS mitigation inherited from the platform.
Live
Dependency scanning
Automated scanning of code dependencies for known vulnerabilities on every build.
Live
Static code analysis
SAST integrated into the build pipeline.
Planned 2026
Penetration testing
Annual third-party penetration testing by an accredited firm.
Planned with first paid mandate
Bug-bounty program
Public coordinated-disclosure program with named scope and safe-harbor.
Planned 2027

Operations

Logging and monitoring
Centralized logging across operated systems with retention proportionate to investigation and audit needs.
Live (baseline)
Backups
Backups inherited from subprocessor platforms; explicit backup procedures for customer-facing systems where applicable.
Live
24x7 security operations center
A staffed SOC monitoring NEXI systems on a continuous basis.
Out of scope today

04 · Data handling and AI

NEXIVERIFY is a verification layer. Three commitments shape how data is handled:

05 · Incident response

NEXI maintains an internal incident-response process covering detection, triage, containment, recovery, and post-incident review, and will notify affected parties and any authorities where applicable law requires.

To report a suspected security incident or vulnerability, email security@nexiverify.com. NEXI commits not to take legal or administrative action against good-faith security researchers who report vulnerabilities to that address.

06 · Compliance and certifications

The honest picture on third-party certifications and regulatory readiness as of the Effective Date below.

SOC 2 Type I
Independent attestation by a licensed CPA firm covering the security trust services criterion.
Planned · target [Q1 2027, gated on engagement of auditor]
SOC 2 Type II
Same trust criterion, evaluated over a six-month or twelve-month observation period.
Planned · target 12 months after Type I
ISO/IEC 27001
Information-security management system certification.
Under evaluation
EU AI Act readiness
NEXIVERIFY's Conformance pack is designed against EU AI Act Article 50 (Aug 2 2026), Annex III high-risk (Aug 2 2026), and Annex I embedded (Aug 2 2027) anchors.
Designed against
HIPAA
Healthcare-sector regulated data under the U.S. Health Insurance Portability and Accountability Act.
Out of scope today
FedRAMP
U.S. federal-government cloud authorization.
Out of scope today
PCI DSS
Payment-card-industry data security. NEXI does not process payment-card data.
Not applicable

Aspirational targets above are not commitments. They reflect the current internal plan, gated on funding, auditor engagement, and the first paid mandate. Where a target slips, this page is updated.

07 · Document library

Most trust centers are rendered by a third-party compliance vendor: the controls are read out of that vendor's dashboard, and the documents sit behind that vendor's request gate. This one is self-hosted on purpose — and the verification layer it is built to be attested by is our own. The end state is for every control on this page to carry a signed receipt you can re-derive with the open verifier, so the posture above becomes something you check rather than something you take on faith. We are not there yet; the status pills stay honest until that substrate attests them.

Documents already published are linked directly. Documents we provide under agreement or on request open a pre-addressed email. Documents still in preparation say so plainly, with no request path until they exist.

Published

Privacy Policy
How NEXI collects, uses, and protects personal data, and the rights you hold over it.
Terms of Use
The terms that govern use of the Site.
Standards posture
How the Service maps to EU AI Act, SOC 2, and ISO/IEC 42001 anchors.
Open verifier and receipt spec
The Apache 2.0 reference verifier and receipt format — the one document a vendor-hosted trust center cannot offer. Public LICENSE drop 2026-06-25.

Available on request

Security questionnaire
Support for CAIQ, SIG, and bespoke procurement questionnaires.
Trust and security overview
This page as a dated, printable PDF for a procurement file.

In preparation

SOC 2 Type II report
Independent CPA attestation over the security trust services criterion.
In preparation
Information security policy
The governing policy set for access, data, cryptography, and operations.
In preparation
Penetration test summary
Executive summary from an accredited third-party testing firm.
Planned with first mandate
Business continuity and DR plan
Continuity and disaster-recovery procedures with tested recovery objectives.
In preparation
A trust center should be verifiable, not just viewable. The end state is every row above signed by the same substrate we sell — not a dashboard you have to take our word for.

08 · Receipts you can re-check

The strongest trust artifact NEXI publishes is not a certification logo. It is a receipt anyone can run the open verifier against. We will list reviewer-runnable receipts here as they are released, with the verifier version and the expected pass result for each.

The first such artifact — an honest workflow run alongside a tampered one, with the open verifier catching the tampered receipt in under a second — will be published alongside the LICENSE drop in June.

The receipt is the proof. The verifier is the test. Re-run it and it re-derives byte for byte — or shows exactly where it breaks. Nobody owns it.

09 · How to contact us