Security & governance

Security you can put in front of your reviewers.

Nia is built so that isolation, identity, and auditability are part of the architecture. This page summarizes the controls in place today. Detailed documentation is available for enterprise review.

On certifications: we don't claim SOC 2, ISO 27001, HIPAA, or GDPR certification on this page. Where a formal attestation or a detailed control document is required for procurement, request it directly and we'll share what's available under NDA.

Architecture overview

Nia is a multi-tenant service. Requests carry an immutable tenant context established at authentication; retrieval is filtered to that tenant, and a citation gate independently drops any passage that doesn't belong to it before an answer is returned.

Identity & access management

Tenant isolation model

Isolation is logical by default: each customer's knowledge, keys, and analytics are partitioned by tenant, and every retrieval is constrained to the asking tenant. A physically dedicated deployment is available on the Enterprise plan.

Data lifecycle & encryption

  • Encryption at rest — data stored with managed KMS keys.
  • Encryption in transit — HTTPS/TLS across public endpoints.
  • Approved sources only — you control exactly what knowledge is ingested and can update or re-index it.
  • Retention — specific retention and deletion terms are covered in enterprise documentation on request.
Voice call privacy (per tenant): for phone and web calls you choose whether Nia stores the full transcript or metadata only (message lengths and outcomes, no wording), and you can enable PII redaction so names, numbers, and other personal data are masked before speech is transcribed. These are per-workspace settings in the console and apply to new calls.

Application & infrastructure security

Logging, monitoring & audit

Responsible disclosure

If you believe you've found a security issue, please email security@nephilaweb.com with details and reproduction steps. Please don't publicly disclose until we've had a chance to investigate and respond. We appreciate good-faith research and will work with you on a timeline.

Enterprise deployment options

Beyond the standard multi-tenant service, the Enterprise plan offers dedicated deployment, custom limits, a security review, and priority support. Talk to sales to scope a deployment for your requirements.

Security FAQ

Do you have SOC 2 or ISO 27001?

We don't publish a certification claim here. If your procurement requires an attestation or a detailed control questionnaire, contact us and we'll share what's available and discuss what's on the roadmap.

Where is data hosted?

On AWS in the Singapore region (ap-southeast-1). Enterprise deployments can discuss regional requirements.

Can I remove indexed content?

Yes — you control which sources are connected and can update or re-index them. Ask us about programmatic source management for your workspace.

Does the browser widget expose secrets?

No. It uses a public, origin-locked key restricted to domains you allow. Administrative signing secrets never reach the browser.

How is my knowledge kept separate from other customers?

Every request runs inside an immutable tenant context and a citation gate drops any passage that isn't yours, so knowledge cannot cross between customers.

Need a deeper security review?

We'll walk your team through the architecture and share documentation under NDA.

Request security information Back to Nia