Security at NemoRouter

NemoRouter takes the security of your data seriously. Here is how we protect the NemoRouter platform with enterprise-grade encryption, tenant isolation, and access controls.

Encryption

  • TLS 1.2+ for all data in transit (HSTS enforced)
  • AES-256 encryption at rest for all stored data
  • API keys hashed with SHA-256; the full key is shown once at creation and is never stored in plaintext
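The key-handling flow the list above describes (mint a key, persist only its SHA-256 digest, reveal the secret once, verify later against the digest) as an added example. This is illustrative code, not NemoRouter's own implementation: the `nr_` prefix, the `<prefix><key_id>_<secret>` layout and the in-memory `store` dict are assumptions made for the example. It also shows why a plain unsalted hash is acceptable here: the secret is 256 bits of random data, not a user-chosen password, so there is nothing to brute-force.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed key layout for this example: nr_<key_id>_<random secret>.
# The real NemoRouter key format is not documented on this page.
KEY_PREFIX = "nr_"


@dataclass(frozen=True)
class StoredKey:
    key_id: str            # short public identifier, safe to log and display
    key_hash: str          # hex SHA-256 of the full key; the only secret-derived value persisted
    organization_id: str   # the tenant this key belongs to


def hash_key(full_key: str) -> str:
    """SHA-256 of the full key. Unsalted is fine only because the key is high-entropy random data."""
    return hashlib.sha256(full_key.encode("utf-8")).hexdigest()


def create_api_key(organization_id: str, store: dict) -> str:
    """Mint a key, persist only its hash, and return the full key exactly once to the caller."""
    key_id = secrets.token_hex(4)                       # 8 hex chars, used only for lookup
    full_key = f"{KEY_PREFIX}{key_id}_{secrets.token_urlsafe(32)}"   # 256 bits of entropy
    store[key_id] = StoredKey(key_id, hash_key(full_key), organization_id)
    return full_key                                     # never written anywhere else


def authenticate(presented: str, store: dict):
    """Return the organization_id for a presented key, or None if it does not verify."""
    if not presented.startswith(KEY_PREFIX):
        return None
    parts = presented[len(KEY_PREFIX):].split("_", 1)  # token_urlsafe may contain '_', so split once
    if len(parts) != 2:
        return None
    record = store.get(parts[0])
    # Hash even when the key_id is unknown so a miss and a wrong secret take the same time.
    expected = record.key_hash if record else hash_key("")
    if not hmac.compare_digest(hash_key(presented), expected):   # constant-time comparison
        return None
    return record.organization_id
```

A leaked copy of `store` yields only digests and key ids; recovering a key from its digest would require guessing 256 random bits, which is why the key can be displayed once and then discarded.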

Tenant Isolation

  • Row-Level Security (RLS) on all 22 database tables, with no exceptions
  • Every query scoped by organization_id, so no cross-tenant data access is possible
  • JWT-based authentication via Supabase Auth
  • Organization membership verified on every request

Access Control

  • Role-based access control (Owner, Admin, Member, Viewer)
  • Virtual API keys with per-key spend tracking, rate limiting, and budget enforcement
  • Master key isolated to a single service and never exposed to users or external APIs
  • Playground uses user-provided virtual keys only (stored in browser sessionStorage, cleared on tab close)

Infrastructure

  • Content Security Policy (CSP) and X-Frame-Options headers (XSS and clickjacking mitigation)
  • Signature verification on every incoming Stripe webhook event
  • Advisory locks for atomic credit operations, so concurrent mutations of a balance serialize instead of racing
  • Reserve+settle pattern for credit mutations: credits are set aside before a request runs and reconciled after it, so a balance check cannot be raced against the deduction that follows it (no time-of-check/time-of-use window)
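The reserve+settle pattern from the list above, as an added example that is not NemoRouter's code. A `threading.Lock` stands in for the database advisory lock the page describes, and the in-memory ledger, method names and credit model (reserve a worst-case cost up front, settle the actual cost afterwards, refund the difference) are assumptions made for the example. The naive check-then-deduct method is included only to show the window the pattern closes.

```python
import threading
import uuid


class InsufficientCredits(Exception):
    pass


class CreditLedger:
    """In-memory stand-in for an organization's credit balance (assumed model, not NemoRouter's schema)."""

    def __init__(self, available: int):
        self.available = available          # credits new requests may still reserve
        self.reservations = {}              # reservation id -> credits held for an in-flight request
        self._lock = threading.Lock()       # stands in for the advisory lock on the balance row

    def naive_deduct(self, cost: int) -> bool:
        """The TOCTOU-prone shape: time of check and time of use are separate steps.
        Two requests can both pass the check before either subtracts, overspending the balance."""
        if self.available >= cost:          # time of check
            self.available -= cost          # time of use (anything may run in between)
            return True
        return False

    def reserve(self, max_cost: int) -> str:
        """Atomically set aside the worst-case cost of a request before it runs."""
        if max_cost <= 0:
            raise ValueError("max_cost must be positive")
        with self._lock:                    # check and deduct happen as one critical section
            if self.available < max_cost:
                raise InsufficientCredits(f"need {max_cost}, have {self.available}")
            self.available -= max_cost
            rid = uuid.uuid4().hex
            self.reservations[rid] = max_cost
            return rid

    def settle(self, rid: str, actual_cost: int) -> int:
        """Charge the real cost against the reservation and refund the rest. Returns the refund."""
        with self._lock:
            held = self.reservations.pop(rid)       # KeyError: unknown or already settled
            if actual_cost < 0 or actual_cost > held:
                raise ValueError("actual cost must be within the reserved amount")
            refund = held - actual_cost
            self.available += refund
            return refund

    def release(self, rid: str) -> int:
        """Upstream call failed before producing output: refund the whole reservation."""
        return self.settle(rid, 0)


def run_concurrent(ledger: CreditLedger, workers: int, max_cost: int, actual_cost: int) -> int:
    """Race `workers` threads against one ledger; return how many got a reservation."""
    successes = []                          # list.append is atomic under the GIL

    def worker():
        try:
            rid = ledger.reserve(max_cost)
        except InsufficientCredits:
            return
        ledger.settle(rid, actual_cost)
        successes.append(rid)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(successes)
```

With 100 credits and fifty concurrent requests each reserving 10, exactly ten are admitted and the balance never goes negative; the same race against `naive_deduct` has no such guarantee, which is the point of moving the check inside the same critical section as the deduction.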

Guardrails

  • PII redaction (Microsoft Presidio integration)
  • Content filtering and prompt injection detection
  • ReDoS protection with fail-closed behavior: a guardrail that errors or times out blocks the request rather than letting it through
  • Configurable per organization: pre-call, during-call, and post-call enforcement
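A pre-call guardrail pipeline in the fail-closed style the list above describes, as an added example that is not NemoRouter's code. The PII patterns are a two-entry regex stand-in for what Presidio does, the injection phrases and `OrgGuardrails` fields are assumptions, and the ReDoS protection shown is a crude nested-quantifier lint plus an input size cap rather than a hard execution timeout; what the example demonstrates is the control-flow rule that any failure in the guardrail path produces a block verdict, never an allow.

```python
import re
from dataclasses import dataclass, field

MAX_INPUT_CHARS = 20_000   # assumed cap; bounds regex work per request

# Stand-in for Presidio's recognizers (constructed for this example, deliberately minimal).
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "US_SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class Verdict:
    action: str          # "allow" or "block"
    reason: str = ""
    text: str = ""       # the (possibly redacted) prompt to forward when allowed


@dataclass
class OrgGuardrails:
    """Assumed per-organization configuration for the pre-call stage."""
    redact_pii: bool = True
    block_injection: bool = True
    injection_patterns: list = field(default_factory=lambda: [
        r"ignore (all )?(previous|prior|above) instructions",
        r"reveal (the |your )?system prompt",
    ])


def _has_nested_quantifier(pattern: str) -> bool:
    """Crude lint: a quantified group containing a quantifier, e.g. (a+)+, is the classic ReDoS shape."""
    return re.search(r"\([^)]*[+*][^)]*\)[+*{]", pattern) is not None


def compile_safe(pattern: str):
    """Refuse patterns the lint flags; re.error for invalid syntax propagates to the caller."""
    if _has_nested_quantifier(pattern):
        raise ValueError(f"rejected potentially catastrophic pattern: {pattern!r}")
    return re.compile(pattern, re.IGNORECASE)


def pre_call(text: str, cfg: OrgGuardrails) -> Verdict:
    """Evaluate an inbound prompt. Every failure path returns a block verdict (fail closed)."""
    try:
        if len(text) > MAX_INPUT_CHARS:
            return Verdict("block", "input exceeds guardrail size limit")
        if cfg.block_injection:
            for pattern in cfg.injection_patterns:
                if compile_safe(pattern).search(text):
                    return Verdict("block", f"prompt injection pattern matched: {pattern!r}")
        if cfg.redact_pii:
            for label, rx in PII_PATTERNS.items():
                text = rx.sub(f"<{label}>", text)
        return Verdict("allow", text=text)
    except Exception as exc:   # broken pattern, rejected pattern, anything unexpected
        return Verdict("block", f"guardrail error, failing closed: {exc}")
```

The during-call and post-call stages would follow the same rule on streamed and final model output; the important property is that an operator misconfiguration (an invalid or catastrophic pattern) degrades to blocked traffic, not to a silently disabled guardrail.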

Compliance

  • SOC 2 Type II (Active): annual audit covering security, availability, and confidentiality
  • GDPR (Compliant): Data Processing Agreement (DPA) available; data subject rights supported
  • HIPAA (Eligible): BAA available for healthcare organizations on the Enterprise plan

For compliance documentation, see our Trust Center.

Reporting a Vulnerability

If you discover a security vulnerability, please report it privately to security@nemorouter.ai. Do not open a public GitHub issue for security vulnerabilities.

  • We acknowledge receipt within 48 hours
  • We aim to fix critical issues within 7 days
  • We follow responsible disclosure practices

CloudAct Inc.

100 S Murphy Ave

STE 200 PMB4013

Sunnyvale, CA 94086

United States

Security Team: security@nemorouter.ai

Phone: +1 (850) 988-7471

See also: Privacy Policy · Terms of Service · DPA
