Security at Nano AI
Every sub-processor, its purpose, and its hosting region are listed on this page, and the list is versioned.
Infrastructure & encryption
We deploy on established cloud providers and regions matched to each client's needs, with client-dedicated environments available for enterprise engagements. Data is encrypted with TLS 1.2 or higher in transit and AES-256 at rest — the standard we configure on every deployment.
Access control & secrets management
Access follows role-based, least-privilege principles, with multi-factor authentication mandatory on all company systems, quarterly access reviews, and offboarding completed within 24 hours of a staff departure.
No credentials live in application code. Secrets are held in managed secret stores, and client credentials are never shared through chat tools.
Development practices
All code changes go through review, environments are separated (development, staging, production), and versioned prompts are treated as code — reviewed, tested, and rolled back like any other change.
Sub-processor & vendor list
We maintain a published table of every sub-processor — model providers, cloud infrastructure, our WhatsApp Business Solution Provider, and analytics tools — listing its purpose, the data it touches, and its hosting region. The list is updated within 30 days of any change, and clients on a Data Processing Agreement are notified directly.
Certification status & vulnerability disclosure
We operate an ISO 27001-aligned policy set — covering information security, access control, encryption, vendor management, incident response, business continuity, and acceptable use — with a certification audit planned for H1 2027. We have not yet obtained ISO 27001 certification, and we say so plainly rather than implying otherwise.
If you believe you have found a security vulnerability, contact security@nano-ai.net. We aim to respond within 3 business days.