Nexwin Technologies Security Policy

Nexwin Technologies is on a mission to revolutionize the underlying tools and processes of organizations like yours to better leverage the benefits of an autonomous AI platform - enabling real-time deep learning at scale for common enterprise use-cases. To do so, we need to make sure your data is secure; protecting it is one of our most important responsibilities.

Nexwin Technologies has designed its platforms and applications to meet these requirements and to exceed relevant industry security protocols and standards. We're committed to being transparent about our security practices and helping you understand our approach.

The highlights of our security program are given below:

Security Governance

Nexwin Technologies's Information Security Committee (ISC) is a governing body consisting of cross-functional management representatives led by the Chief Information Security Officer (CISO). The ISC meets on a regular basis to advise, prioritize, and enable the Information Security Program. The risk-driven Information Security Program includes administrative, technical, and physical safeguards to align with applicable requirements, standards, and best practices.

Nexwin Technologies maintains a comprehensive suite of information security policies that is regularly reviewed, updated, and approved on a predefined schedule. Risk management serves as the foundation of Nexwin Technologies's Information Security Program with a Defense in Depth (DiD) approach. We conduct industry-standard security risk assessments periodically to identify, analyze, monitor, and respond to risk.

Our multi-faceted approach also includes using multiple sources of input such as vulnerability assessments, penetration testing, and other forms of security reviews to capture the holistic state of our security posture. Risk treatments are strategically planned and prioritized with key stakeholders to ensure alignment with security and business objectives. Cross-functional collaboration with the ISC is integral for the effective review and management of information security risk.

Employee Security

Employee Background Checks

Before onboarding new staff, Nexwin Technologies verifies an individual's education and previous employment, and performs internal and external reference checks. Where local labor law or statutory regulations permit, Nexwin Technologies may also conduct criminal, credit, immigration, and security checks. The extent of these background checks is dependent on the desired position.

Security Training

All Nexwin Technologies employees and contractors undergo security training as part of the orientation process and receive ongoing security training throughout their tenure. During orientation, new employees must read and agree to the Nexwin Technologies Acceptable Use Policy (AUP) and Code of Conduct, which highlights our commitment to keep customer information safe and secure.

Depending on their job role, additional training on specific aspects of security may be required. For instance, the information security team instructs new engineers on topics like secure coding practices, product design, and automated vulnerability testing tools. We also cover topics like phishing, ransomware, and social engineering.

Employee Authentication

Every Nexwin Technologies employee is provided with a secure password manager account and is required to use it to generate, store, and enter unique and complex passwords. The use of a password manager helps avoid password reuse, phishing, and other behaviors that reduce security.

All access to the production servers and data is protected using network isolation and strong authentication mechanisms. A combination of strong passwords, passphrase-protected SSH keys, a Virtual Private Network (VPN), and two-factor authentication is used to shield mission-critical systems.

Operational Security

Access Management

For Nexwin Technologies employees, access rights and levels are based on their job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. All our personnel are required to use multi-factor authentication and strong passwords.

Access to production infrastructure is strictly controlled using a bastion host (jump box) with user-unique SSH keys and token-based two-factor authentication for server-level authentication. Employee access to both corporate and production resources is subject to an automated daily review process, and manual recertification is performed, at a minimum, on a quarterly basis.

For our customers, Nexwin Technologies supports built-in login or SAML 2.0 single sign-on with multi-factor authentication. Customers can create and manage the users of their portals, assign the privileges appropriate for each account, and limit which data and features each user can access. Access attempts are logged for review.

Vulnerability Management

We administer a vulnerability management process that involves periodic third-party scans for security threats using a combination of commercially available tools, intensive automated and manual penetration efforts, quality assurance processes, software security reviews and external audits.

Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity, and assigned an owner. The owner then tracks the issue and follows up until they can verify that the issue has been remediated. Nexwin Technologies also offers bug bounties for disclosed vulnerabilities from external parties.

Malware Prevention

An effective malware attack can lead to account compromise, data theft, and possibly additional access to a network. Nexwin Technologies takes these threats to its networks and its customers very seriously and uses a variety of methods to prevent, detect and eradicate malware.

We deploy anti-malware solutions on all corporate laptops and servers. Employees are required to use Google's Safe Browsing in Chrome to prevent malware from being installed through infected websites.

Monitoring and Infrastructure

Monitoring and Alerting

Nexwin Technologies invests heavily in automating its monitoring, alerting, and response capabilities, in addition to fully automating its build procedures, so that potential issues are addressed continually. Engineers and administrators are alerted to anomalies, particularly application attacks, elevated error rates, and abuse scenarios.

Automatic responses and alerts to appropriate teams are triggered by these and other anomalies so that investigation and correction can occur. The occurrence of malicious or unexpected activities causes automated systems to bring in the right people to ensure issues are rapidly addressed.

Data Center Security

Nexwin Technologies primarily uses Amazon Web Services (AWS), along with Microsoft Azure and Google Cloud Platform (GCP) in the Australia region, for our cloud infrastructure, giving our customers the flexibility to choose the provider and region of their choice. We do not move customer data between regions - meaning a customer selecting a region in Australia will have their data stored and processed in Australia.

The physical security of the AWS data centers, and of all other providers' data centers we use, follows a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics; the data center floor features laser beam intrusion detection.

Data Encryption

Nexwin Technologies customer data, and our own data, is encrypted at rest on disk using AES-256 encryption. Data in transit over the Internet, or traveling between data centers, is encrypted using TLS 1.2 or higher. Only standardized encryption protocols and algorithms are used. Passwords are stored securely using a one-way hash.

Nexwin Technologies uses AWS KMS for encryption key management. Rotation of keys depends upon the sensitivity of encrypted data. In general, TLS certificates undergo annual renewal.

Data Management

Recovery and High Availability

Nexwin Technologies designs the components of our platform to be highly redundant. Customer data is replicated synchronously in real time over multiple geographically distributed data centers to minimize the effects of regional disruptions such as natural disasters and local outages.

In the event of hardware, software, or network failure, automatic failover allows our customers to continue working in most cases without interruption. Our highly redundant design has allowed us to achieve an uptime of 99.95% for our service with no scheduled downtime.

Data Ownership

At Nexwin Technologies, we prioritize the security and ownership of your data. Nexwin Technologies does not use your data to train any models except those specifically requested by you, such as when you opt to fine-tune models on your proprietary data or build models exclusive to your use.

You retain full ownership of your inputs and outputs and complete control over how long your data is retained. If you choose to utilize your data for training specific models, these models will be exclusively owned by you, ensuring that your data is used solely for your benefit and according to your directives.

Data Segregation

Customer data is logically separated using a unique key in our databases preventing data commingling. If customers prefer more stringent separation we can also set up isolated databases. We maintain separate production, staging and development environments and no production data is used in lower environments.

Employee Access to Customer Data

No customer data persists on employee laptops. We apply the principle of least privilege in all operations to ensure confidentiality and integrity of customer data. All access to systems and customer data within the production network is limited to those employees with a specific business need.

A best effort is made to troubleshoot issues without accessing customer data; however, if such access is necessary, such access is enabled through a Just-In-Time Access (JITA) model in which access to privileged functions is requested for limited durations.

Data Retention and Destruction

Data retention policies are in place to ensure we retain data only up to 30 days after cancellation or termination of service. Thereafter, data is securely deleted. Customers can also request data deletion, and we can process such requests on the same day.

Application Security

Secure Software Development

Standard best practices are used throughout our software development cycle from design to implementation, testing, and deployment. All code is checked into a permanent version-controlled repository. Code changes are always subject to peer review and continuous integration testing to screen for potential security issues.

All changes released into production are logged and archived, and alerts are sent to the engineering team automatically. Access to Nexwin Technologies source code repositories requires strong credentials and two-factor authentication.

Secure by Design

All features are reviewed by a team of senior engineers as soon as they are conceived. Members of the Nexwin Technologies team have substantial experience working with and building secure technology systems. We believe in secure by design, so we plan all functionality with security in mind to protect the platform against security threats and privacy abuses.

We leverage modern browser protections, such as Content Security Policy (CSP) and other HTTP security headers, to prevent Cross-Site Scripting (XSS), clickjacking, and other code injection attacks that result from malicious content executing in the context of a trusted web page.

Security Testing

Once features are implemented, we perform internal security testing to verify correctness and resilience against attacks. We follow the leading Open Web Application Security Project (OWASP) Testing Guide methodology for our security testing efforts. Discovered vulnerabilities are promptly prioritized and mitigated.

In addition, we regularly engage top-tier third-party security companies to independently verify our applications.

Network Security

A Web Application Firewall (WAF) is in place, allowing only explicitly authorized ingress traffic.

An Intrusion Prevention System (IPS) is in place to detect and block anomalous traffic patterns, including DDoS attacks.