Security
What you can tell your security team.
For procurement officers and IT clearing an internal review. Where the data lives, how it is protected, who can see what, and what is delivered per engagement.
We answer security questionnaires within five business days.
01 · Where the data lives
Sydney for compute and the database, Asia-Pacific for object storage. The AI step is the one exception that leaves the region, and we state it plainly.
Compute runs on Vercel pinned to syd1. The database runs on Neon in aws-ap-southeast-2 (Sydney). Object storage runs on Cloudflare R2 with the APAC location hint, which Cloudflare applies on a best-effort basis within the Asia-Pacific region rather than as an Australia-only guarantee. Every API call, every scheduled job, and every database query runs in Australia.
The exception is the AI extraction step. Our model provider does not yet expose an Australian endpoint, so prompts go to a US region under API terms that forbid training on customer content. Pattern-based redaction of personal identifiers runs on all text before that call; documents attached natively as PDFs pass through unredacted under the no-training terms, and classification-based gating of the AI step is delivered as part of PROTECTED engagements. The day an Australian endpoint becomes available, we switch by setting an alternate base URL.
- Compute: Vercel · syd1
- Database: Neon · aws-ap-southeast-2
- Object storage: Cloudflare R2 · APAC location hint
- AI extraction: US region (no-training terms)
02 · Encryption at rest
AES-256 on every storage layer.
The Postgres database is encrypted with AES-256 via AWS KMS, key-managed by Neon. The R2 buckets are encrypted server-side with AES-256, key-managed by Cloudflare. Backups inherit the same encryption.
Application-layer signing keys are wrapped with a separate key-encryption key that lives only in the runtime environment. The wrapped keys never leave the database; the wrapping key never reaches the database. NextAuth session cookies are signed and encrypted, set httpOnly + secure.
Customer-managed keys (CMK) and HSM-backed signing are scoped during procurement where a security review requires them.
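The wrapping arrangement described above, as an added example that is not Nebula's code: a signing key is encrypted under a key-encryption key (KEK) with AES-256-GCM, the key id is bound in as associated data, and only the wrapped record is what a database row would hold. The environment variable name KEK, the record layout and the key id format are this example's assumptions.

```typescript
// Added example, not Nebula's code: envelope-wrapping an application signing key
// with a key-encryption key (KEK) that exists only in the runtime environment.
// Assumed: the KEK arrives as 32 bytes of hex in an environment variable named KEK,
// and only the WrappedKey record reaches the database.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// The record that is stored in the database. It carries no key material in the clear.
export interface WrappedKey {
  keyId: string;      // bound into the AEAD as associated data
  nonce: string;      // 12 bytes, hex
  ciphertext: string; // hex
  tag: string;        // 16-byte GCM tag, hex
}

export function loadKek(env: Record<string, string | undefined>): Buffer {
  const hex = env.KEK;
  if (!hex || !/^[0-9a-f]{64}$/i.test(hex)) {
    throw new Error("KEK must be 32 bytes of hex in the runtime environment");
  }
  return Buffer.from(hex, "hex");
}

export function wrapKey(kek: Buffer, keyId: string, signingKey: Buffer): WrappedKey {
  const nonce = randomBytes(12); // fresh per wrap; a reused GCM nonce breaks the cipher
  const cipher = createCipheriv("aes-256-gcm", kek, nonce);
  cipher.setAAD(Buffer.from(keyId, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(signingKey), cipher.final()]);
  return {
    keyId,
    nonce: nonce.toString("hex"),
    ciphertext: ciphertext.toString("hex"),
    tag: cipher.getAuthTag().toString("hex"),
  };
}

export function unwrapKey(kek: Buffer, record: WrappedKey): Buffer {
  const decipher = createDecipheriv("aes-256-gcm", kek, Buffer.from(record.nonce, "hex"));
  decipher.setAAD(Buffer.from(record.keyId, "utf8"));
  decipher.setAuthTag(Buffer.from(record.tag, "hex"));
  // final() throws when the tag fails: a tampered blob, or one copied onto another
  // key id, never yields key material.
  return Buffer.concat([decipher.update(Buffer.from(record.ciphertext, "hex")), decipher.final()]);
}

// Walk-through with a constructed KEK and signing key.
export function demo(): { roundtrip: boolean; swappedRejected: boolean; recordLeaksKek: boolean } {
  const kek = loadKek({ KEK: randomBytes(32).toString("hex") });
  const signingKey = randomBytes(32);
  const record = wrapKey(kek, "engagement-42/signer", signingKey);
  const roundtrip = unwrapKey(kek, record).equals(signingKey);
  let swappedRejected = false;
  try {
    unwrapKey(kek, { ...record, keyId: "engagement-99/signer" });
  } catch {
    swappedRejected = true;
  }
  const recordLeaksKek = JSON.stringify(record).includes(kek.toString("hex"));
  return { roundtrip, swappedRejected, recordLeaksKek };
}
```

The AAD binding is the part worth copying: without it, a wrapped blob lifted from one row and written into another decrypts cleanly under the same KEK, and the application would sign with the wrong key.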
03 · Encryption in transit
TLS everywhere. No HTTP fallback.
TLS 1.2 or higher on every public endpoint, including the database connection from Vercel to Neon and the R2 endpoint. HSTS is set with a one-year max-age and includeSubDomains.
There is no HTTP path on the production domain: an HTTP request receives a 308 redirect to HTTPS before any route logic runs.
04 · Who can see what
Engagement membership for the work, super-admin for support.
Every API route runs an authentication check. Every engagement-scoped route additionally checks that the user is a member of the engagement the request is about. Super-admin reads (used for support) require a separate gate and are logged.
Access to a Nebula-managed agreement is bounded by membership of the engagement that owns it. Counterparty access flows through invitation; revoking access removes future visibility immediately and is recorded in the audit trail.
Single sign-on, SCIM provisioning, and per-user clearance enforcement on classified content are delivered per engagement. The clearance metadata is already recorded on every commitment that is classified, so enforcement deploys onto data that is in place from day one.
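The two checks described in this section, written out as an added example (not Nebula's code): authentication first, then engagement membership looked up at request time, with super-admin reads behind a separate read-only gate that requires a support case and is always logged. The session shape, membership table and audit sink are in-memory stand-ins and the names are assumptions, not the product's API.

```typescript
// Added example, not Nebula's code: a deny-by-default guard for an engagement-scoped
// route. Session, membership table and audit sink are in-memory stand-ins; the
// names are assumptions, not the product's API.
export interface Session { userId: string; superAdmin: boolean }
export interface RouteRequest {
  engagementId: string;
  route: string;
  method: "GET" | "POST" | "PUT" | "DELETE";
  supportCase?: string; // required for a super-admin read
}
export type Decision =
  | { allowed: true; via: "member" | "super-admin" }
  | { allowed: false; reason: string };
export interface AuditEntry {
  userId: string; engagementId: string; route: string; method: string;
  outcome: string; supportCase?: string;
}

// Constructed membership table: engagement id -> member user ids.
const membership = new Map<string, Set<string>>([
  ["eng-1", new Set(["alice", "bob"])],
  ["eng-2", new Set(["carol"])],
]);

export function isMember(userId: string, engagementId: string): boolean {
  return membership.get(engagementId)?.has(userId) ?? false;
}

// Revocation is a membership delete; the next request sees it because the guard
// looks membership up at request time rather than caching it in the session.
export function revoke(userId: string, engagementId: string): void {
  membership.get(engagementId)?.delete(userId);
}

export function guard(session: Session | null, req: RouteRequest, audit: AuditEntry[]): Decision {
  if (!session) return { allowed: false, reason: "unauthenticated" };
  const log = (outcome: string) =>
    audit.push({
      userId: session.userId, engagementId: req.engagementId, route: req.route,
      method: req.method, outcome, supportCase: req.supportCase,
    });

  if (isMember(session.userId, req.engagementId)) {
    log("granted:member");
    return { allowed: true, via: "member" };
  }
  // Super-admin is a separate gate, not a membership bypass: read-only, with an
  // explicit support case, and always logged.
  if (session.superAdmin) {
    if (req.method !== "GET") {
      log("denied:super-admin-write");
      return { allowed: false, reason: "super-admin access is read-only" };
    }
    if (!req.supportCase) {
      log("denied:super-admin-no-case");
      return { allowed: false, reason: "support case required" };
    }
    log("granted:super-admin");
    return { allowed: true, via: "super-admin" };
  }
  log("denied:not-member");
  return { allowed: false, reason: "not a member of this engagement" };
}
```

Membership is resolved on every call rather than stamped into the session token, which is what makes "revoking access removes future visibility immediately" true without waiting for a session to expire.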
05 · Audit trail
Two trails. Both queryable.
Every API request is recorded to an access log: who called, what route and method, when, and whether access was granted, with the IP address stored only as a hash (the raw IP is never stored). The access log is retained for ninety days.
Every state change on every agreement is recorded to an activity log: which item, what changed, who changed it, when, and (where applicable) the chain anchor that proves it. The activity log is retained indefinitely; that is the audit trail you export when your auditor or counterparty asks.
Every export, every login, every right-to-erasure request lands in its own log. Sensitive log access is itself logged.
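One way to build the access-log entry described above, as an added example rather than Nebula's code. The check a reviewer should make on any "hashed IP" claim is whether the hash is keyed: the IPv4 space is only 2^32 addresses, so an unkeyed SHA-256 of an IP is reversed by enumeration in minutes, and only a secret pepper makes the stored value non-reversible while still letting one client be correlated across requests. The entry shape, the pepper's location and the normalisation rule are this example's assumptions.

```typescript
// Added example, not Nebula's code: building an access-log entry that carries a keyed
// hash of the client IP instead of the IP itself, plus the ninety-day prune.
// Assumed: the pepper is a secret held only in the runtime environment.
import { createHmac } from "node:crypto";

export interface AccessLogEntry {
  ts: string;            // ISO 8601
  userId: string | null; // null for unauthenticated calls
  route: string;
  method: string;
  granted: boolean;
  ipHash: string;        // HMAC-SHA256(pepper, normalised IP), hex
}

// ::ffff:203.0.113.7 and 203.0.113.7 are the same client; make them hash alike.
function normaliseIp(ip: string): string {
  return ip.trim().toLowerCase().replace(/^::ffff:/, "");
}

// A keyed hash, not a bare SHA-256: with the pepper the log still correlates one
// client across requests (same input, same output) without holding the address,
// and without the pepper an attacker cannot enumerate 2^32 candidates to reverse it.
export function hashIp(ip: string, pepper: Buffer): string {
  return createHmac("sha256", pepper).update(normaliseIp(ip)).digest("hex");
}

export function recordAccess(
  call: { now: Date; userId: string | null; route: string; method: string; granted: boolean; ip: string },
  pepper: Buffer,
): AccessLogEntry {
  return {
    ts: call.now.toISOString(),
    userId: call.userId,
    route: call.route,
    method: call.method,
    granted: call.granted,
    ipHash: hashIp(call.ip, pepper),
  };
}

// Retention: drop entries older than the window (ninety days on this page).
export function prune(entries: AccessLogEntry[], now: Date, retentionDays = 90): AccessLogEntry[] {
  const cutoff = now.getTime() - retentionDays * 24 * 60 * 60 * 1000;
  return entries.filter((e) => Date.parse(e.ts) >= cutoff);
}

// Constructed walk-through: two calls from one client, plus one entry past retention.
export function demo(pepper: Buffer = Buffer.from("constructed-pepper-not-for-production")): AccessLogEntry[] {
  const now = new Date("2025-06-01T00:00:00Z");
  const entries = [
    recordAccess({ now, userId: "alice", route: "/api/engagements/eng-1", method: "GET", granted: true, ip: "203.0.113.7" }, pepper),
    recordAccess({ now, userId: null, route: "/api/engagements/eng-1", method: "GET", granted: false, ip: "::ffff:203.0.113.7" }, pepper),
    recordAccess({ now: new Date("2025-02-01T00:00:00Z"), userId: "bob", route: "/api/me", method: "GET", granted: true, ip: "198.51.100.9" }, pepper),
  ];
  return prune(entries, now);
}
```

Rotating the pepper breaks correlation across the rotation boundary, which is acceptable for a ninety-day log but is worth noting in the rotation procedure.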
06 · Privacy posture
Customer data never trains a model. Text redaction runs on every AI call.
Pattern-based redaction runs on every piece of text sent to the model: Australian phone numbers, email addresses, TFNs, Medicare numbers, and driver's licence numbers are replaced with tokens before the call and restored on the way back, so the provider sees only the redacted text. ABNs and ACNs are left in place: they are public business-registry identifiers, and the extraction needs to identify the parties. Documents attached natively as PDFs pass through whole, unredacted, under the no-training terms below; text extraction ahead of the model call, which extends redaction to those documents, is delivered as part of PROTECTED engagements.
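The tokenise-then-restore flow above, as an added example that is not Nebula's code. It goes a step further than a bare pattern match: digit runs are classified by checksum (TFN, Medicare, ABN, ACN), so a nine-digit ACN is not mistaken for a TFN and an eleven-digit ABN is not swallowed as a Medicare number plus IRN, and personal checks run before business checks so a collision over-redacts rather than leaks. The patterns, checksum routines, token format and sample text are this example's own; driver's licence formats vary by state and are not covered. Names, postal addresses and other free-text identifiers do not match any of these patterns, which is the inherent limit of pattern-based redaction.

```typescript
// Added example, not Nebula's code: tokenising redaction of Australian personal
// identifiers before a model call, with restoration afterwards. Patterns, checksums
// and token format are this example's own; driver's licence formats vary by state
// and are not covered here.
export interface Redacted {
  text: string;
  vault: Map<string, string>; // token -> original value; stays on our side of the call
  kept: string[];             // business identifiers recognised and left in place
}

const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// One run of digits with single space/dash separators and an optional +61 or (0x) prefix.
const NUMBER_RUN = /(?:\+61[ -]?|\(0[2-478]\)[ -]?)?\d(?:[ -]?\d)*/g;
const digitsOf = (s: string) => s.replace(/\D/g, "");
const weighted = (d: string, w: number[]) =>
  d.split("").reduce((sum, c, i) => sum + Number(c) * w[i], 0);

// TFN (9 digits): weighted sum divisible by 11.
export const isTfn = (d: string) =>
  d.length === 9 && weighted(d, [1, 4, 3, 7, 5, 8, 6, 9, 10]) % 11 === 0;
// Medicare (10 digits, optional 11th IRN): first digit 2-6, weighted sum of the
// first eight digits mod 10 equals the ninth.
export const isMedicare = (d: string) =>
  /^[2-6]\d{9,10}$/.test(d) && weighted(d.slice(0, 8), [1, 3, 7, 9, 1, 3, 7, 9]) % 10 === Number(d[8]);
// ABN (11 digits): subtract 1 from the first digit (weight 10, so minus 10 overall),
// then the weighted sum must be divisible by 89.
export const isAbn = (d: string) =>
  d.length === 11 && (weighted(d, [10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19]) - 10) % 89 === 0;
// ACN (9 digits): (10 - weighted sum of first eight mod 10) mod 10 equals the ninth.
export const isAcn = (d: string) =>
  d.length === 9 && (10 - (weighted(d.slice(0, 8), [8, 7, 6, 5, 4, 3, 2, 1]) % 10)) % 10 === Number(d[8]);
// Australian phone: 0[2-478] plus eight digits, or +61 plus nine.
export const isAuPhone = (raw: string) => {
  const d = digitsOf(raw);
  return /^0[2-478]\d{8}$/.test(d) || (raw.startsWith("+61") && /^61[2-478]\d{8}$/.test(d));
};

// Personal identifiers are tested first, so a run whose digits satisfy both a
// personal and a business checksum is redacted rather than kept.
function classify(raw: string): { kind: string; redact: boolean } | null {
  const d = digitsOf(raw);
  if (isAuPhone(raw)) return { kind: "PHONE", redact: true };
  if (isMedicare(d)) return { kind: "MEDICARE", redact: true };
  if (isTfn(d)) return { kind: "TFN", redact: true };
  if (isAbn(d)) return { kind: "ABN", redact: false };
  if (isAcn(d)) return { kind: "ACN", redact: false };
  return null;
}

export function redact(text: string): Redacted {
  const vault = new Map<string, string>();
  const kept: string[] = [];
  const counts: Record<string, number> = {};
  const token = (kind: string, value: string) => {
    counts[kind] = (counts[kind] ?? 0) + 1;
    const t = `[${kind}_${counts[kind]}]`;
    vault.set(t, value);
    return t;
  };
  let out = text.replace(EMAIL, (m) => token("EMAIL", m));
  out = out.replace(NUMBER_RUN, (m) => {
    const c = classify(m);
    if (!c) return m;
    if (!c.redact) { kept.push(`${c.kind} ${m}`); return m; }
    return token(c.kind, m);
  });
  return { text: out, vault, kept };
}

// Restoration runs on the model's output, on our side of the boundary.
export function restore(text: string, vault: Map<string, string>): string {
  return text.replace(/\[[A-Z]+_\d+\]/g, (t) => vault.get(t) ?? t);
}

// Constructed sample: the numbers are checksum-valid test values, not real identifiers.
export const SAMPLE =
  "Call Jane on 0412 345 678 or jane@example.com. TFN 123 456 782, Medicare 2123 45670 1. " +
  "Acme Pty Ltd ABN 51 824 753 556, ACN 004 085 616.";
```

Running redact(SAMPLE) sends the provider "Call Jane on [PHONE_1] or [EMAIL_1]. TFN [TFN_1], Medicare [MEDICARE_1]. Acme Pty Ltd ABN 51 824 753 556, ACN 004 085 616."; "Jane" goes through untouched, which is the limit a reviewer should weigh.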
Customer documents and the structured data we extract from them are never used to train any AI model. Anthropic, our model provider, contracts to the same posture.
Account closure schedules a real right-to-erasure with a thirty-day grace period. Cancel before the grace expires and your data stays. Past the grace, the account is erased: identifying details are anonymised in place, sign-in is disabled, signing keys are revoked, and your notifications are purged. Engagement records co-owned with counterparties remain, de-identified, and the anchored proof chain stays intact (only the hashes reach the chains; the content stays in Nebula).
07 · Classified material
Four levels recognised; PROTECTED gated by deal.
Every commitment recorded in Nebula carries a classification field with four levels: UNCLASSIFIED, OFFICIAL, OFFICIAL: SENSITIVE, and PROTECTED. The default is UNCLASSIFIED.
OFFICIAL: SENSITIVE and below run on the standard infrastructure. PROTECTED deployments are scoped per engagement and include network segregation, a write-once audit log, per-user clearance enforcement, and classification gating of the AI step; the classification itself is recorded on every commitment as standard.
Defence, Commonwealth, and infrastructure industry packs add the validators and relationship types that match how those sectors run.
08 · Frameworks and posture
SOC 2 and IRAP: posture documented; certification on the buyer-driven path.
We map our controls to the AICPA Trust Services Criteria internally. The architecture (access control, audit logging, encryption, integrity controls, processing integrity, anti-gaming detection, right to erasure, classification handling) is in place; the remaining work for a formal SOC 2 audit is operational (audit cadence, evidence collection, vendor reviews, penetration test) and we step into it when a buyer needs the certification on the contract.
The IRAP-aligned data-handling matrix is similarly maintained internally. It documents storage location, encryption posture, retention, access controls, and classification compatibility for every class of data we hold. We'll share both with you under NDA during procurement diligence.
09 · Key rotation
Every production secret has a documented cadence.
Session secret: every twelve months. AI provider key: every six months. Object-storage access keys: every six months. On-chain signing wallet: only on suspected compromise. Each rotation has a written procedure, a known blast radius, and a rollback path; a fresh on-call engineer can execute without escalation.
Signing keys for chain anchors rotate quarterly with chained signatures, so the chain of trust survives a rotation. A counterparty verifying an old proof gets the same answer they got the day it was anchored.
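What "chained signatures" means in practice, as an added example that is not Nebula's code: the outgoing key signs the incoming public key before it retires, so a verifier holding only the original root public key can walk the published rotation records forward to whichever period an anchor was signed in. Ed25519 via node:crypto; the record layout, payload framing and period labels are this example's assumptions.

```typescript
// Added example, not Nebula's code: quarterly rotation of an anchor-signing key where the
// outgoing key endorses the incoming one, so a proof signed in an earlier period still
// verifies from a single root public key. Ed25519 via node:crypto; record layout,
// payload framing and period labels are this example's assumptions.
import { createPublicKey, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

export interface RotationRecord {
  period: string;       // period the new key signs for, e.g. "2025-Q2"
  newPublicKey: string; // SPKI PEM
  signedBy: string;     // period of the key that endorsed it
  signature: string;    // base64 Ed25519 signature over rotationPayload()
}
export interface Anchor { period: string; hash: string; signature: string }

// Domain-separated payloads: a rotation endorsement can never be replayed as an anchor.
const rotationPayload = (period: string, pem: string) => Buffer.from(`rotate|${period}|${pem}`);
const anchorPayload = (period: string, hash: string) => Buffer.from(`anchor|${period}|${hash}`);

export class Signer {
  private constructor(readonly period: string, private readonly priv: KeyObject, readonly pub: KeyObject) {}
  static generate(period: string): Signer {
    const { privateKey, publicKey } = generateKeyPairSync("ed25519");
    return new Signer(period, privateKey, publicKey);
  }
  pem(): string { return this.pub.export({ type: "spki", format: "pem" }) as string; }
  // Only the content hash is signed; the content itself never leaves the platform.
  anchor(hash: string): Anchor {
    return { period: this.period, hash, signature: sign(null, anchorPayload(this.period, hash), this.priv).toString("base64") };
  }
  // Rotation: this (outgoing) key signs the next period's public key, then retires.
  rotate(nextPeriod: string): { next: Signer; record: RotationRecord } {
    const next = Signer.generate(nextPeriod);
    const signature = sign(null, rotationPayload(nextPeriod, next.pem()), this.priv).toString("base64");
    return { next, record: { period: nextPeriod, newPublicKey: next.pem(), signedBy: this.period, signature } };
  }
}

// A counterparty holds only the root public key (obtained out of band) and the
// published rotation records; it walks the chain up to the anchor's period.
export function verifyAnchor(root: { period: string; pem: string }, records: RotationRecord[], a: Anchor): boolean {
  let period = root.period;
  let pem = root.pem;
  const seen = new Set<string>();
  while (period !== a.period) {
    const r = records.find((x) => x.signedBy === period);
    if (!r || seen.has(r.period)) return false; // missing link or loop
    seen.add(r.period);
    const ok = verify(null, rotationPayload(r.period, r.newPublicKey), createPublicKey(pem), Buffer.from(r.signature, "base64"));
    if (!ok) return false; // an unendorsed key cannot be spliced into the chain
    period = r.period;
    pem = r.newPublicKey;
  }
  return verify(null, anchorPayload(a.period, a.hash), createPublicKey(pem), Buffer.from(a.signature, "base64"));
}

// Walk-through: two rotations, one proof per period, all verified from the root alone.
export function demo() {
  const q1 = Signer.generate("2025-Q1");
  const root = { period: q1.period, pem: q1.pem() };
  const records: RotationRecord[] = [];
  const proofQ1 = q1.anchor("a".repeat(64)); // constructed content hash
  const { next: q2, record: r2 } = q1.rotate("2025-Q2");
  records.push(r2);
  const proofQ2 = q2.anchor("b".repeat(64));
  const { next: q3, record: r3 } = q2.rotate("2025-Q3");
  records.push(r3);
  const proofQ3 = q3.anchor("c".repeat(64));
  // Forgery attempt: an attacker's key with a rotation record nobody endorsed.
  const rogue = Signer.generate("2025-Q4");
  const forged: RotationRecord = { period: "2025-Q4", newPublicKey: rogue.pem(), signedBy: "2025-Q3", signature: Buffer.alloc(64).toString("base64") };
  return {
    oldProofStillVerifies: verifyAnchor(root, records, proofQ1) && verifyAnchor(root, records, proofQ2),
    currentProofVerifies: verifyAnchor(root, records, proofQ3),
    tamperedHashRejected: !verifyAnchor(root, records, { ...proofQ2, hash: "d".repeat(64) }),
    forgedRotationRejected: !verifyAnchor(root, [...records, forged], rogue.anchor("e".repeat(64))),
  };
}
```

The property a counterparty cares about falls out of the walk: the proof from the first period verifies exactly as it did on the day it was anchored, because nothing about it depends on which key is current. Note that this chain only endorses; a compromised key's period still needs a separate revocation record, which the page reserves for the on-chain wallet.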
Send the questionnaire through.
We answer security questionnaires within five business days. We will share the SOC 2 controls matrix and the IRAP-aligned data-handling matrix under NDA. If you are running a formal vendor review, we will join the call your team needs us on.