Security Policy

Last updated: June 23, 2026

Security is foundational to Nuera, Inc. (“Nuera”). Our customers connect documents, databases, APIs, and live tools to autonomous agents that act on their behalf, so protecting that data — and the systems that process it — is central to how we build and operate the Nuera AI workspace (the “Platform”). This Security Policy describes the controls and practices we use to keep the Platform and your data secure.

1. Compliance and certifications

  • SOC 2 Type II. Nuera maintains a SOC 2 Type II program covering the security, availability, and confidentiality of the Platform. A copy of our current report is available to customers and prospects under NDA on request.

  • GDPR. The Platform is built to support compliance with the EU and UK GDPR. Our Data Processing Agreement, including Standard Contractual Clauses for international transfers, is available to customers.

  • CCPA/CPRA. We act as a service provider under California privacy law and contractually limit our processing of personal information to providing the Platform.

To report a concern or request our security documentation, contact security@nuera.ai.

2. Infrastructure and hosting

The Platform runs on leading cloud infrastructure providers operating data centers that maintain their own independent certifications (such as ISO 27001 and SOC 2). Production environments are logically separated from development and testing, deployed across multiple availability zones for resilience, and provisioned through infrastructure-as-code with peer review and change control.

3. Encryption

  • In transit. All traffic to and within the Platform is encrypted using TLS 1.2 or higher.

  • At rest. Customer Data and backups are encrypted at rest using AES-256 or equivalent.

  • Key management. Encryption keys are managed through our cloud providers’ managed key services, with restricted access and regular rotation.

  • Secrets. Credentials and integration secrets are stored in a dedicated secrets manager, encrypted, and never exposed in logs.

4. Authentication and access control

  • SSO and SAML. Single sign-on and SAML are supported so you can enforce your own identity policies.

  • SCIM provisioning. Automated user provisioning and de-provisioning are available on eligible plans.

  • Role-based access control (RBAC). Granular roles and permissions let you control who can build, run, approve, and observe agents and workflows.

  • Multi-factor authentication. MFA is supported for account access.

  • Least privilege. Internal access to production systems follows least-privilege principles, is granted only to personnel who need it, requires strong authentication, and is reviewed regularly.

5. Audit logs and observability

The Platform includes built-in observability and audit logging. Every agent and workflow run can be traced end to end, and administrative and security-relevant events are logged. Audit logs are available to customers on eligible plans to support monitoring, investigation, and compliance.

6. Tenant isolation and data segregation

The Platform is multi-tenant by design, with logical isolation that segregates each customer’s Workspace, Customer Data, agents, workflows, and run traces. Access to Customer Data is scoped to the owning Workspace and the permissions you configure. Enterprise customers may use dedicated infrastructure for additional isolation.

7. Application and product security

  • Secure development lifecycle. Security is integrated into design, code review, and release. Changes are peer-reviewed before deployment.

  • Automated testing. We use static analysis, dependency and vulnerability scanning, and secret scanning in our CI/CD pipeline.

  • Penetration testing. We engage qualified third parties to conduct regular penetration tests and remediate findings based on severity.

  • Guardrails. The Platform provides configurable guardrails, approvals, and human-in-the-loop controls so you can constrain what agents are permitted to do.

8. Network security

We protect the Platform with firewalls and security groups, a web application firewall, DDoS protection and rate limiting, and network segmentation between tiers. Production access is restricted and monitored, and administrative interfaces are not exposed to the public internet.

9. AI and model security

Agents transmit only the prompts and context required for a task to AI model providers and to the integrations you connect. We bind model and infrastructure providers to confidentiality and data-protection obligations, and Customer Data is not used to train Nuera’s or any provider’s foundation models. Guardrails, approvals, and observability give you visibility into and control over what agents do with your data.

10. Vulnerability and patch management

We continuously monitor for vulnerabilities across our infrastructure and dependencies, prioritize remediation by severity, and apply security patches promptly. Critical issues are escalated and addressed on an expedited basis.

11. Monitoring and incident response

We monitor the Platform for security and availability events using centralized logging and alerting. We maintain a documented incident response plan with defined roles, severity levels, and escalation paths. In the event of a security incident affecting Customer Data, we will investigate, take steps to contain and remediate, and notify affected customers without undue delay and in accordance with our agreements and applicable law.

12. Availability, backups, and disaster recovery

We design the Platform for high availability and target 99.9% uptime. Customer Data is backed up regularly, backups are encrypted, and we maintain business continuity and disaster-recovery procedures that are tested periodically to enable restoration in the event of a disruption.

13. Personnel security

Employees and contractors undergo background checks where permitted by law, agree to confidentiality obligations, and complete security and privacy training at onboarding and periodically thereafter. Access to systems and data is provisioned on a need-to-know basis and revoked promptly when no longer required.

14. Subprocessor management

We perform security and privacy due diligence before engaging subprocessors that process Customer Data, bind them to data-protection terms, and maintain an up-to-date list of subprocessors in our Data Processing Agreement. We provide a mechanism for customers to receive notice of new subprocessors.

15. Shared responsibility

Security is a shared responsibility. Nuera secures the Platform and the infrastructure it runs on; you are responsible for safeguarding your credentials, configuring SSO, MFA, and RBAC appropriately, defining guardrails and approvals for your agents, managing the integrations and data you connect, and reviewing agent Output before relying on it.

16. Responsible disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability, please report it to security@nuera.ai with enough detail to reproduce the issue. We ask that you avoid accessing or modifying data that is not yours, avoid service disruption, and give us a reasonable opportunity to remediate before public disclosure. We will acknowledge legitimate reports, work with you on remediation, and will not pursue action against good-faith research conducted in line with this policy.

17. Contact

Nuera, Inc. — San Francisco, California, United States

© 2026 Nuera, Inc. All rights reserved.
