Nuant security policy

1 - Transparency and Notice

- Our users are informed about how, when, and why their data is being collected.
- Clear, concise, and easily accessible privacy policies detail the types of data collected, the purposes for which they are used, and the parties with whom they may be shared.

2 - Data Minimisation

- We only collect data that is absolutely necessary for the specific purpose outlined.
- Avoid collecting data "just in case" it might be needed in the future.
- User data is to be used solely for the purposes stated at the time of collection and not for other hidden or ulterior motives.
- User data is retained only as long as necessary to fulfill the stated purposes. After the purpose is served, or post the data retention period, data is securely deleted

3 - Security and Protection
‍
- We employ strong and industry-standard security measures to protect user data from unauthorised access, alteration, theft, and damage.
- This includes using encryption, regular security audits, and penetration testing.

4 - Accountability and Oversight
‍
- The company is accountable for adhering to these principles, even if third parties process the data on their behalf.
- Regular privacy impact assessments and audits ensure ongoing compliance.

4 - Accountability and Oversight
‍
- The company is accountable for adhering to these principles, even if third parties process the data on their behalf.
- Regular privacy impact assessments and audits ensure ongoing compliance.

Stored data
‍
All our S3 buckets are encrypted and our infrastructure rules don’t let us create unencrypted ones. Our databases are solely accessible for our secured backends
‍
In-transit data
‍
Nuant uses TLS 1.2 or higher to ensure encryption over potentially insecure networks.  Server TLS keys and certificates are managed by AWS and deployed via Application Load Balancers.  

Secrets  

Encryption keys are managed by AWS SSE-KMS (Server Side Encryption Key Management System). All our Key are generated through AES-GCM. Application secrets are encrypted and stored securely via AWS Secrets Manager and Parameter Store, and access to these values is strictly limited.

Pen test
‍
Nuant commits to perform a Penetration Test on a yearly basis. This PenTest is executed by our partner Cacillian.
‍
Endpoints

All our public and private API endpoints are secured either using a JWT token signed by RS256 protocol or by an API gateway generated API-key  

Engineering

Our developers write code with a security-first approach, and are applying state-of-the-art best practices in their daily work

Devices protection

All of our computers are monitored by an agent indicating the activation of mandatory:  - firewalls - HDD encryption - malware and antivirus protection  

Identity and access management

Nuant FusionAuth for external users and accesses, Google SSO for internal ressources.  Nuant employees are granted accesses based on their role in the company, and a yearly review of the accesses is performed by our Security team  All accesses, wether they are sensitive or not, require MFA authentication whenever available. This policy is enforced company-wide.  

Remote Access

All of our remote accesses to our development, staging, tooling and production resources are secured by the mandatory use of Tailscale, a modern VPN platform built on WireGuard.

Human factor

Nuant ensures its employees are going through a security training upon onboarding, and annually through educational modules built by a worldwide recognised experts from a 3rd party company. All of our contractors are following the same rules as our employees with regards to security