Nexwin Security

Protecting your business data and your customers' information is a core responsibility we take seriously. This page explains honestly how Nexwin is built, where your data lives, and what we do to keep it secure.

We're a small Australian team and we won't pretend to have a CISO or a dedicated security committee. What we do have is a well-chosen, proven infrastructure stack — Google Cloud Platform — with security built into every layer by default, and a disciplined approach to how we write and deploy code.

Infrastructure & Data Residency

Google Cloud Platform — Australia Southeast

Nexwin runs entirely on Google Cloud Platform (GCP) in the australia-southeast1 region (Sydney). We do not use AWS or Azure. Your data is stored and processed in Australia and is never moved to a foreign region.

The Nexwin backend runs on Firebase App Hosting (Cloud Run under the hood), and customer data is stored in Google Firestore. Both are managed GCP services with Google's enterprise-grade physical and logical security — including redundant data centres, biometric access controls, and continuous monitoring.

Data Encryption

All data at rest in Firestore and Cloud Storage is encrypted by GCP using AES-256 by default — no configuration required on our part. All data in transit between your browser, the Nexwin backend, and our third-party services is encrypted using TLS 1.2 or higher. Unencrypted connections are not accepted.

High Availability & Backups

Firestore is a fully managed, multi-region replicated database. Google manages replication, failover, and point-in-time backups automatically. In practice, this means your configuration and call history data is highly durable and available even if an individual data centre has an issue.

Authentication & Access Control

Customer Authentication

Nexwin uses Firebase Authentication for all customer logins. Passwords are never stored in plaintext — Firebase Auth handles secure credential storage using industry-standard hashing. All authenticated API requests require a valid Firebase ID token, which is verified server-side on every request.

Account data is strictly scoped — your configuration, call history, and team member data can only be accessed by authenticated users belonging to your account. There is no way for one customer to access another customer's data.

Internal Access

Access to production infrastructure is managed through GCP IAM with least-privilege roles. Only team members who need access for a specific operational reason are granted it. All GCP console access requires Google account two-factor authentication.

No customer data is stored on developer laptops. All production data access goes through GCP's managed services with full audit logging.

API Security

The Nexwin backend API validates authentication on every request and enforces account-level scoping throughout. Sensitive operations, such as account mutations and subscription changes, cannot be performed from the frontend, which has read-only access to that data; they can only be triggered through authenticated backend routes. Secret keys (Stripe, Twilio, Resend) are stored in Google Secret Manager and are never exposed to the frontend or included in source code.

Your Data, Your Ownership

We Don't Train on Your Data

Nexwin does not use your business configuration, call transcripts, or customer data to train any AI models. The AI models powering N-Voice and N-Chat are provided by Anthropic (Claude) — we pass your configuration to them at publish time, but your customer conversations are not used to improve those models on our behalf.

Knowledge Base Documents

When you upload documents (PDF, Word, CSV, etc.) to your knowledge base, they are sent directly and are not stored on Nexwin's servers. Only metadata (file name, type, title) is retained in Firestore.

Data Retention

Call transcripts and chat conversation logs are retained in your dashboard so you can review and follow up on interactions. If you cancel your subscription, your data is retained for 30 days to allow for export, then permanently deleted. You can request earlier deletion by contacting us directly.

Data Segregation

All customer data in Firestore is logically isolated by account ID. Firestore security rules enforce that authenticated users can only read and write documents belonging to their own account. There is no shared data between accounts.

Third-Party Services

Nexwin integrates with a small set of carefully chosen, well-established providers. Each handles only the data necessary for its function:

Stripe

Handles all payment processing. Nexwin never sees or stores your full card number — all billing data is managed directly by Stripe. Stripe is PCI DSS Level 1 certified.

Twilio

Provisions and manages Australian phone numbers for N-Voice. Call routing metadata passes through Twilio's infrastructure.

Resend

Sends transactional emails (booking confirmations, OTP codes, account notifications). Only the minimum required data — recipient email, name, and booking details — is passed to Resend per email send.

Google Calendar

Used for appointment booking when you connect your calendar via OAuth. Nexwin stores your OAuth refresh token in Firestore (encrypted at rest by GCP) and only requests the minimum calendar scopes needed to check availability and create events. You can revoke access at any time from your Google account settings.

Zoom

Optionally used to create video meeting links for appointments. If you connect your Zoom account, an OAuth token is stored securely in Firestore and used only to create meeting links on your behalf. You can disconnect at any time from the Nexwin dashboard.

Application Security

Secure by Design

The Nexwin backend enforces strict separation between read and write operations — account and billing data can only be mutated through authenticated backend API routes, never directly from the frontend. All user input is validated and sanitised server-side before processing or storage.

We follow OWASP best practices to protect against common web vulnerabilities including SQL injection, XSS, and CSRF. Security HTTP headers and Content Security Policy (CSP) are applied to prevent code injection attacks.

Secret Management

All API keys and secrets (Stripe, Twilio, Resend, Google OAuth) are stored in Google Secret Manager and injected at runtime via Firebase App Hosting environment configuration. They are never hardcoded, committed to source control, or exposed to the client.

Deployment & Code Review

All code changes go through peer review before merging. Deployments to production are handled by Firebase App Hosting's CI/CD pipeline, which runs a full TypeScript build and validation before any release goes live. Production deployments are logged and auditable.

OTP Identity Verification

For sensitive operations such as appointment cancellations, Nexwin supports SMS or email OTP verification to confirm the caller's identity before making changes. This prevents unauthorised cancellations and protects both businesses and their customers.

Australian Privacy Compliance

Nexwin is built and operated in Australia by an Australian team. We handle personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Data Stays in Australia

Your business configuration and customer interaction data is stored in GCP's australia-southeast1 region (Sydney) and is not transferred overseas by Nexwin. Note that third-party providers (Stripe, Twilio) may process certain data outside Australia as part of their own global infrastructure — refer to their respective privacy policies for details.

No Data Selling

Nexwin does not sell, rent, or share your customer data with third parties for marketing or commercial purposes. Data shared with third-party providers (listed above) is strictly limited to what is needed to deliver the service.

Contact Us

If you have a security concern, a privacy request, or believe you've found a vulnerability, please contact us at [email protected]. We take all reports seriously and respond promptly.