0% platform fee — first 1,000,000 customersClaim 0% fee
Trust Center

Compliance, in plain language and on the record

Frameworks we hold, frameworks we are landing, and the documents your auditor needs. No vendor-questionnaire roulette — every answer is here.

Frameworks tracked
6

Status per framework, never overstated

Controls
Continuous

Enforced by tests + RLS, not periodic audits

DPA + SCCs
Available

Sent within 24 hours of request

Subprocessors
Published

30-day notification on changes

Frameworks

Where every framework actually stands

Status comes straight from one data source and is never restated by hand — achieved, in progress, or available on request. We will not call anything certified until the report is signed.

Audit in progress · Q3 2026

SOC 2 Type II

Nemo Router operates SOC 2-aligned security, availability, and confidentiality controls today — encryption, access control, change management, audit logging, tenant isolation. A formal SOC 2 Type II observation period is underway; the audited report is targeted for Q3 2026. Our infrastructure substrate (Google Cloud Run, Supabase) is already SOC 2 Type II certified.

Controls walkthrough
Aligned — certification planned

ISO/IEC 27001

Information security management practices aligned to ISO/IEC 27001 Annex A controls — asset management, access control, cryptography, operations security, supplier relationships. A formal ISO 27001 certification is on the roadmap; the infrastructure substrate (Cloud Run, Supabase) is independently ISO 27001 certified.

Controls walkthrough
Compliant — DPA available

GDPR

Compliant with the EU General Data Protection Regulation. Data Processing Addendum available for signature, EU Standard Contractual Clauses with subprocessors, data-subject access and erasure tooling built into the dashboard, and EU data residency available on Enterprise.

Read the DPA
BAA available on Enterprise

HIPAA

Nemo Router supports HIPAA-eligible workloads. A Business Associate Agreement (BAA) is available for healthcare customers processing protected health information — request one through the Enterprise team. PII redaction guardrails run on every request at no extra cost.

Request a BAA
Stripe PCI L1 — no card data on our servers

PCI DSS

Nemo Router never touches raw cardholder data. All payments are processed by Stripe, a PCI DSS Level 1 certified service provider; card numbers are tokenized client-side and never reach our servers or database. Your PCI scope for using Nemo Router is therefore minimal.

How payments work
US + EU GA · more on Enterprise

Data residency

Pin where customer data is processed and stored. US is the default footprint; EU residency is generally available on Enterprise, with UK, Canada, Australia, Singapore, and India available on request for residency-sensitive workloads.

Residency map
What we ship in support of each framework

SOC 2 (Type II audit in progress)

  • Encryption at rest (AES-256) + in transit (TLS 1.2+)
  • Postgres RLS on every Nemo table — tenant isolation at the database
  • Immutable audit trail with actor + IP + diff on every administrative action
  • Controls walkthrough + vendor questionnaire response on request (security@)

GDPR

  • Data Processing Agreement (DPA) — sent within 24 hours of request
  • Standard Contractual Clauses (SCCs) for international transfers
  • Data subject rights: access, erasure, portability, restriction
  • Configurable data retention (zero / metadata / full / PII-redacted)

HIPAA

  • BAA available — review + sign within 5 business days
  • PHI-aware redaction via Microsoft Presidio guardrail
  • Audit logging for all data access events
  • EU + US-only data routing options

PCI DSS (delegated to Stripe)

  • Stripe handles all PCI-scoped data
  • Zero card data stored or processed by Nemo Router
  • Stripe Elements + tokenization for every payment flow
  • Webhook signature verification on every Stripe event
Controls

Data protection — measure by measure

The control catalog auditors ask to see, in one table. No marketing fluff between the rows.

Control catalog — 9 measures
MeasureImplementation
Encryption in transitTLS 1.2+ (HSTS preloaded)
Encryption at restAES-256 across Postgres, Redis, object storage
Database isolationRow-Level Security on every Nemo table
API key storageSHA-256 hashed; plaintext shown once
AuthJWT via Supabase Auth + service-role isolation
Credit safetyReserve+settle with atomic credit mutations
Data retentionConfigurable per-org (zero / metadata / full / redacted)
Log retention90 days, auto-purged daily; longer on Enterprise
Financial records7 years (legal obligation)

How these controls fit together — request path, RLS, reserve+settle — is on the security page.

Request

Need something specific?

Signed DPAs, BAAs, vendor questionnaires, and security exhibits go to qualified organizations on request. We respond within one business day.

Trust, in writing

Send your security questionnaire — we will return it

One inbox, one team, one business-day SLA. Bring your auditor along on the kickoff call.