Security and compliance

Nebula holds the documents and decisions that define your projects, so it is built to keep them safe and to satisfy the people who ask the hard questions: your clients, your auditors, and your own risk team.

Your data is encrypted

Everything is encrypted in transit and at rest, including backups. The most sensitive material, the keys used to sign your agreements, is wrapped with a separate key held in protected infrastructure.

Your data stays in Australia

Your projects and documents are stored in Australian regions. The one step that currently leaves Australia is the AI reading step: our AI provider does not yet offer an Australian endpoint, so that call is processed in the United States under terms that forbid training on your content. When an Australian endpoint becomes available, we will move that step onshore too.

Personal information is protected

We do not use your documents, or anything read from them, to train AI models, and our AI provider is bound to the same commitment.

Personal details (phone numbers, email addresses, tax and identity numbers) are automatically redacted from text before it is sent to be read, and restored afterwards. Business registry numbers stay, because reading who owes what requires the parties and those numbers are public identifiers. Documents read natively as PDFs cannot be text-redacted; they are covered by the no-training commitment above.

You can request erasure of your personal information at any time, with a thirty-day grace period in case you change your mind. Anchored proofs remain intact, but they contain only fingerprints, never your content.

Compliance posture

  • Our controls are mapped internally to the SOC 2 Trust Services Criteria. A formal external audit has not yet been performed; we will undertake one when a customer requires the certification.
  • An IRAP-aligned record of how each class of data is stored, encrypted, retained, and accessed is maintained internally for defence work, and shared under NDA during procurement.
  • Personal information is handled in line with the Australian Privacy Principles.

A complete, checkable record

Every significant action is logged and kept, and an automated check runs on a schedule to confirm the stored record still matches the proof on the chain. If the two ever disagreed, it would be flagged at once.