Trust, built in.
The certifications, practices, and infrastructure that keep your warehouse data safe. No marketing fluff — just what we do and how we prove it.
Audited where it matters.
Six external attestations and regulations. Each report or DPA is available to enterprise customers under NDA.
SOC 2 Type II
Audited annually by an independent firm against security, availability, and confidentiality criteria. Report available under NDA.
ISO/IEC 27001
Information security management system aligned to ISO/IEC 27001:2022. Certification audit scheduled Q3 2026.
GDPR
DPA available. EU customer data processed under standard contractual clauses. Data subject requests handled within 30 days.
HIPAA
BAA available for healthcare and pharmaceutical customers. PHI handling controls aligned to the HIPAA Security Rule.
CCPA
California consumer rights honored for all users regardless of region. Opt-out, deletion, and portability available in-product.
Penetration testing
Third-party penetration testing every 12 months across web app, API, and mobile. Findings remediated within SLA; summary available under NDA.
What we do, on every request.
The defenses below run continuously across the platform — not checklist items, not annual reviews.
Zero-trust architecture
Every request is authenticated regardless of network location. No implicit trust based on VPN or IP. Internal services authenticate to each other with mutual TLS.
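Mutual TLS between internal services, as the zero-trust item above describes, shown here as an added example rather than Nautilus WMS code: a Go server that refuses every caller unable to present a certificate issued by the internal CA, no matter which network the connection arrives from. The CA, the service names (orders-service, billing-service) and the loopback test server are constructed for the example; a real deployment would issue certificates from its own PKI instead of minting them in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// makeCert issues a short-lived P-256 certificate for cn. With parent == nil it is
// self-signed (the constructed demo CA); otherwise parent/parentKey sign it. Demo code: panics on error.
func makeCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed demo serial, not how a real CA allocates them
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour), // short-lived service credential
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on loopback
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// newMTLSServer serves HTTPS and refuses every client that cannot present a
// certificate chaining to ca, whatever network the connection arrives from.
func newMTLSServer(ca, srvCert *x509.Certificate, srvKey *ecdsa.PrivateKey) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The caller's identity is its verified certificate, not its source IP.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		MinVersion:   tls.VersionTLS13,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
	}
	srv.StartTLS()
	return srv
}

// call sends one GET to srv, trusting ca for the server side and presenting
// cert/key as the client identity when cert is non-nil.
func call(srv *httptest.Server, ca, cert *x509.Certificate, key *ecdsa.PrivateKey) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS13}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// demo returns the greeting an enrolled service receives, plus the errors handed
// to an anonymous caller and to a caller certified by an untrusted CA.
func demo() (greeting string, anonErr, rogueErr, err error) {
	ca, caKey := makeCert("internal-ca", nil, nil, true)
	srvCert, srvKey := makeCert("orders-service", ca, caKey, false)
	cliCert, cliKey := makeCert("billing-service", ca, caKey, false)
	rogueCA, rogueKey := makeCert("rogue-ca", nil, nil, true)
	rogueCert, rogueCliKey := makeCert("billing-service", rogueCA, rogueKey, false)
	srv := newMTLSServer(ca, srvCert, srvKey)
	defer srv.Close()
	greeting, err = call(srv, ca, cliCert, cliKey)
	_, anonErr = call(srv, ca, nil, nil)
	_, rogueErr = call(srv, ca, rogueCert, rogueCliKey)
	return
}

func main() {
	greeting, anonErr, rogueErr, err := demo()
	fmt.Println(greeting, "|", anonErr, "|", rogueErr, "|", err)
}
```

The anonymous caller is the branch worth noticing: with Go's TLS 1.3 client the handshake completes on the client side before the server checks the certificate, so the refusal surfaces as an error on the first request rather than as a handshake failure. Alerting that only watches handshake errors will miss these rejections.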
Encryption everywhere
TLS 1.3 in transit with forward secrecy. AES-256 at rest with keys rotated every 90 days through a dedicated KMS. Backups encrypted with separate keys.
Least privilege access
RBAC across every surface. Production access is broken-glass only, time-bound, audited, and requires peer approval. No standing admin credentials.
MFA + SSO required
MFA enforced for all internal users and required for customer admin accounts. SAML 2.0 SSO with major IdPs for enterprise customers.
Secret management
Secrets stored in a centralized vault, never in code or environment files. Short-lived credentials for service-to-service. Automated rotation.
Continuous scanning
Automated SAST and dependency scanning on every PR. Continuous monitoring for known vulnerabilities in production dependencies. Critical patches within 24h.
Where it runs.
Multi-region by default. Encrypted top to bottom. Designed so a single failure never takes you down.
- Primary region: US-East (Virginia)
- Failover region: US-West (Oregon)
- EU region: Frankfurt (enterprise)
- Database: Multi-AZ Postgres, encrypted, point-in-time restore
- Object storage: S3-class, versioned, encrypted at rest
- Edge / CDN: Global with WAF + DDoS protection
- RPO / RTO: 1h recovery point, 4h recovery time
- Monitoring: 24/7 with sub-minute granularity; on-call alerting in under 60s
Found something? Tell us.
We work with security researchers. Report a vulnerability and we'll acknowledge within 24 hours, fix critical issues within 7 days, and credit you in our hall of fame.
Email security@Nautiluswms.com. PGP key available on request. Include reproduction steps, affected endpoints, and your proposed CVSS score if you have one.
- Acknowledge within 24 hours
- Critical fixes within 7 days
- No legal action for good-faith research
- Credit in our hall of fame (if you want)
- Bug bounty for qualifying reports
We'll send you everything.
SOC 2 Type II report, DPA, BAA, security questionnaire, pen test summary, sub-processor list — all available under NDA. Request the full security package.