How we protect your data
Overview
NexisLab follows SOC 2 Type II-aligned security practices and GDPR-compliant data handling procedures. We never sell client data. We never use client project data to train AI models. All data is processed only to the extent necessary to deliver our services.
Data We Collect
Client Account Data
Name, email address, company name, billing address, and payment method information (processed via Stripe — we never store raw card numbers). This data is necessary to provide and bill for our services.
Project Data
Files, assets, briefs, content, and other materials you share with us during a project engagement. This data is stored only as long as needed to complete and archive the project.
Website Usage Data
Anonymous analytics (page views, session duration, browser type) collected via privacy-friendly analytics tools. No individual tracking. You can opt out via our Cookie Policy.
Encryption & Storage
All data is encrypted in transit using TLS 1.3 or higher. Sensitive data at rest (including client files, passwords, and billing information) is encrypted using AES-256. Passwords are hashed using bcrypt with a minimum work factor of 12. Backups are encrypted and stored in geographically redundant locations.
Access Control
Access to client data is restricted on a strict need-to-know basis. All NexisLab team members must complete security awareness training annually. Multi-factor authentication (MFA) is mandatory for all internal systems. Access is revoked immediately upon employee offboarding. We conduct annual access reviews across all systems.
Third-Party Processors
We use a limited number of carefully vetted third-party processors, each bound by data processing agreements (DPAs):
- Stripe — payment processing (PCI-DSS Level 1 compliant)
- AWS / Vercel — cloud infrastructure (SOC 2 certified)
- Notion / Linear — project management (SOC 2 certified)
- Google Workspace — internal communication
- Intercom — client support communications
A full list of sub-processors is available on request.
Incident Response
In the event of a security incident affecting client data, we will: (1) contain the incident within 1 hour of detection, (2) notify affected clients within 72 hours as required by GDPR, (3) provide a full incident report within 14 days, and (4) implement remediation measures to prevent recurrence. We maintain a documented incident response plan reviewed quarterly.
GDPR Compliance
NexisLab processes personal data in accordance with the EU General Data Protection Regulation (GDPR). We act as a data processor for client-provided data and a data controller for data collected directly (e.g., contact forms, newsletter subscriptions). You have the right to access, rectify, erase, port, or restrict processing of your personal data. Submit data rights requests to privacy@nexislab.com.
Data Retention
Client project data is retained for 24 months after project completion, then securely deleted or returned to the client. Account data is retained for the duration of the contract plus 12 months. Billing records are retained for 7 years as required by tax law. You may request earlier deletion of non-legally-required data at any time.
Security Contact
To report a vulnerability or security concern, email security@nexislab.com. We operate a responsible disclosure policy and will acknowledge all reports within 24 hours. We do not pursue legal action against researchers who disclose vulnerabilities responsibly.