Security you can put in front of your reviewers.
Nia is built so that isolation, identity, and auditability are part of the architecture. This page summarizes the controls in place today. Detailed documentation is available for enterprise review.
Architecture overview
Nia is a multi-tenant service. Requests carry an immutable tenant context established at authentication; retrieval is filtered to that tenant, and a citation gate independently drops any passage that doesn't belong to it before an answer is returned.
- Immutable tenant context — tenant and site identifiers are fixed at the edge and never taken from a request body.
- Citation gate — answers are validated against retrieved passages; cross-tenant or unsupported claims are removed.
- Managed cloud infrastructure — runs on AWS in the Singapore region (ap-southeast-1); models are invoked in-region.
Identity & access management
- Single sign-on — OpenID Connect and SAML 2.0 for enterprise identity providers.
- Role-based access — owner, admin, and member roles across a workspace.
- Public embed keys — the browser widget uses a public, origin-locked key; signing secrets are never shipped to the client.
- Key rotation — a workspace's public embed key can be rotated at any time.
- Allowed-domain enforcement — the widget answers only on origins you allow-list.
Tenant isolation model
Isolation is logical by default: each customer's knowledge, keys, and analytics are partitioned by tenant, and every retrieval is constrained to the asking tenant. A physically dedicated deployment is available on the Enterprise plan.
Data lifecycle & encryption
- Encryption at rest — data stored with managed KMS keys.
- Encryption in transit — HTTPS/TLS across public endpoints.
- Approved sources only — you control exactly what knowledge is ingested and can update or re-index it.
- Retention — specific retention and deletion terms are covered in enterprise documentation on request.
Application & infrastructure security
- SSRF-guarded ingestion — website and connector fetches are validated and IP-pinned so they can't reach internal addresses.
- Origin-locked embeds & scoped credentials — public chat scope is separated from administrative access.
- Least-privilege cloud roles — task roles are scoped to the resources each service needs.
- Isolated network — application tasks run in private subnets with controlled egress.
Logging, monitoring & audit
- Audit log — an immutable record of administrative actions (who did what, and when).
- Operational monitoring — health, latency, and error alarms with alerting for availability.
- Usage metering — per-workspace usage tracking and quota controls.
Responsible disclosure
If you believe you've found a security issue, please email security@nephilaweb.com with details and reproduction steps. Please don't publicly disclose until we've had a chance to investigate and respond. We appreciate good-faith research and will work with you on a timeline.
Enterprise deployment options
Beyond the standard multi-tenant service, the Enterprise plan offers dedicated deployment, custom limits, a security review, and priority support. Talk to sales to scope a deployment for your requirements.
Security FAQ
Do you have SOC 2 or ISO 27001?
We don't publish a certification claim here. If your procurement requires an attestation or a detailed control questionnaire, contact us and we'll share what's available and discuss what's on the roadmap.
Where is data hosted?
On AWS in the Singapore region (ap-southeast-1). Enterprise deployments can discuss regional requirements.
Can I remove indexed content?
Yes — you control which sources are connected and can update or re-index them. Ask us about programmatic source management for your workspace.
Does the browser widget expose secrets?
No. It uses a public, origin-locked key restricted to domains you allow. Administrative signing secrets never reach the browser.
How is my knowledge kept separate from other customers?
Every request runs inside an immutable tenant context and a citation gate drops any passage that isn't yours, so knowledge cannot cross between customers.