Protecting customer data is part of the build.
Nodeblue handles operational data for industrial plants, financial workflows, and enterprise software. We treat security as engineering work — written down, reviewed, and tested — not as a compliance afterthought.
Four pillars we hold the program to.
Reliable, secure infrastructure
Workloads run on hardened cloud infrastructure with continuous monitoring, encrypted storage, and least-privilege network controls. Production access is logged, scoped, and reviewed.
Procedures and controls
Written policies cover access, change management, vendor review, and incident response. Reviews and audits happen on a defined cadence rather than ad hoc.
Secure employee management
Background checks for engineers with production access, mandatory security training, hardware-backed authentication, and immediate access revocation when roles change or people leave.
Data privacy
Customer data is treated as the customer's data. We minimize what we collect, isolate it by tenant, and align our handling with GDPR and CCPA principles.
Standards and frameworks we operate against.
We publish our posture honestly. Some frameworks we are formally aligned to today; others are on the roadmap as the business grows. If you need a specific attestation for an engagement, talk to us.
SOC 2 Type II
Our controls are modeled on the AICPA Trust Services Criteria. Formal Type II attestation is on the roadmap as customer engagements require it.
ISO/IEC 27001
Information security management aligned to ISO 27001 — risk assessment, asset inventory, access control, and continuous improvement.
GDPR
We process personal data under lawful bases, support data subject requests, and use Standard Contractual Clauses for international transfers.
CCPA / CPRA
California residents can request access, deletion, or correction of their personal information through the contacts listed in our Privacy Policy.
HIPAA-ready
For healthcare engagements we sign Business Associate Agreements and deploy isolated environments with the administrative, physical, and technical safeguards required.
IEC 62443
Our automation work follows IEC 62443 zones-and-conduits guidance for OT networks, with segmentation between corporate, control, and safety systems.
What we do day to day to keep data safe.
Encryption
TLS 1.2+ in transit. AES-256 at rest. Secrets managed in dedicated vaults, never in source.
Secure SDLC
Peer review on every change, automated dependency scanning, and static analysis in CI before anything ships.
Network isolation
Tenant data is logically isolated. Production VPCs are segmented from corporate networks with deny-by-default egress.
Logging and audit
Centralized, tamper-evident logs for production access, deploys, and administrative actions. Retained for incident review.
Backups and recovery
Automated backups with periodic restore testing. Documented RPO and RTO targets per environment.
Vendor review
Subprocessors are evaluated for security posture before onboarding and re-reviewed annually.
Who touches the data behind the scenes.
We use a small set of vetted infrastructure providers. Each is reviewed for security posture and data residency before we onboard them. Categories include cloud hosting, observability, transactional email, and identity. A current list is available on request under NDA.
Responsible disclosure.
If you believe you have found a security vulnerability in any Nodeblue system, please report it to us privately so we can fix it before it is exploited. We will acknowledge your report quickly and keep you informed as we triage.
How to report
- Email security@nodeblue.ai with details and a proof of concept if you have one.
- Give us a reasonable window to investigate and remediate before public disclosure.
- Do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the issue.
- Do not run automated scanners against production without prior written agreement.
Ready to build something?
Tell us about your project and we will figure out the best way to help.