Encryption
Nebula encrypts data at rest and in transit.
At rest
Postgres (Neon) ships TDE (transparent data encryption) on the
storage tier. Backups are encrypted with the same key set.
R2 (Cloudflare) ships server-side encryption on every object.
Sensitive fields (signing keys, API tokens) are wrapped with an
application-level key (KEK) referenced by ID; the actual KEK lives
in Vercel's encrypted env vars. See ENCRYPTION_AT_REST.md for the
full key map.
In transit
TLS 1.2+ on every endpoint. HSTS is set with a one-year max-age and
includeSubDomains. Polygon RPC and the Anthropic API are reached
over HTTPS only; outgoing requests are pinned to the documented
endpoints.
Key management
Signing keys rotate quarterly. The rotation procedure is in
docs/KEY_ROTATION.md; the new key is signed by the old key
before the old key is revoked, so the chain of trust is unbroken.
Cross links
/docs/security/pii: redaction before LLM calls
/docs/compliance/soc2: control mapping