trust · security

Security at n0limit

We investigate security incidents for a living, and we hold our own infrastructure to the same standard we apply to the threats we investigate. Every access decision is logged. Every verdict is audited. No black boxes here either.

SOC 2 Type II · current · Annual audit · AICPA trust criteria
ISO 27001 · current · Information security management
GDPR ready · current · DPA available · SCCs in place
HIPAA · current · BAA available for covered entities
Pen tested · current · Quarterly external assessment

Infrastructure

The n0limit platform runs on cloud infrastructure operated by Tier-1 providers with physical security, redundancy, and independent compliance certifications. All production systems are hosted in SOC 2 Type II and ISO 27001 certified data centers.

ISOLATION
Tenant isolation
Each customer environment is logically isolated at the storage, compute, and network layers. Customer data is never commingled across tenants.
RESILIENCE
High availability
Multi-zone deployment for all production workloads. Automated failover. 99.9% uptime SLA for Growth and Enterprise tiers.
BACKUP
Data durability
Continuous backups with point-in-time recovery. Backup data encrypted and stored in a separate region. Restoration tested quarterly.
PIPELINE
Change management
All production changes require peer review and pass automated test suites before deployment. No unreviewed code reaches production.

Data security

Security telemetry is the most sensitive data in a SOC. We treat it accordingly.

Encryption

  • In transit: TLS 1.2 is the minimum accepted for all data in motion; TLS 1.3 is enforced on all new connections. HSTS enabled.
  • At rest: AES-256 encryption for all stored data, including backups and telemetry archives.
  • Key management: Encryption keys managed by a dedicated key management service. Customer-managed keys (BYOK) available for Enterprise.

Data handling

  • Customer security telemetry is used only to deliver investigation results back to that customer
  • No cross-tenant data access or aggregation
  • Customer data is deleted from production systems within 30 days of contract termination; backups are retained for 90 days and then expire
  • Employees may not access customer data without an explicit, logged, and time-limited business justification

Access controls

The principle of least privilege is enforced throughout the platform — both for end users and for n0limit employees.

  • Authentication: All platform access requires multi-factor authentication (MFA). Phishing-resistant MFA (hardware keys or passkeys) required for privileged roles.
  • Role-based access: Permissions are scoped to job function. No implicit admin access. All role changes are reviewed and logged.
  • Privileged access: Just-in-time (JIT) access for administrative operations. All privileged sessions are recorded and retained for 12 months.
  • Employee offboarding: All access revoked within one hour of employment termination.
  • Third-party access: Vendors and contractors operate under written agreements with security and confidentiality obligations. Access is scoped and time-limited.

Network security

  • All ingress is routed through a Web Application Firewall (WAF) with rate limiting and bot mitigation
  • Internal services communicate over private network segments, never exposed to the public internet
  • All external API endpoints use certificate-based mutual TLS (mTLS) for machine-to-machine integration
  • DDoS mitigation active at the edge layer
  • Intrusion detection and anomaly monitoring on all production network traffic
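The mTLS requirement above, together with the TLS 1.2 floor from the Encryption section, in working form. This is an added example written for this page, not n0limit's own code: it mints a throwaway CA and two leaf certificates in-process, starts an HTTPS endpoint on loopback that refuses any peer without a certificate chaining to that CA, then probes it once without and once with a client identity. The names (demo-ca, api.demo.invalid, integration-client-42) and the issueCert/RunMTLSDemo helpers are assumptions made for the example; a production CA lives in a key management service, not in the process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issueCert mints a short-lived ECDSA certificate: self-signed when parent is nil (the
// throwaway CA), otherwise signed by parent/parentKey. Demo helper only: it panics on
// key-generation or encoding failures instead of threading errors through.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Leaves can act as the API host (server auth) or as an integration (client auth).
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback} // httptest binds loopback
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

type DemoResult struct {
	AnonRejected bool   // a client that trusts the CA but holds no client cert was refused
	ClientCN     string // CN the handler read from the verified client certificate
	ModernTLS    bool   // the authenticated request negotiated TLS 1.2 or newer
}

// RunMTLSDemo stands up an mTLS-only endpoint on loopback and probes it twice.
func RunMTLSDemo() (out DemoResult, err error) {
	caCert, caKey := issueCert("demo-ca", true, nil, nil)
	srvCert, srvKey := issueCert("api.demo.invalid", false, caCert, caKey)
	cliCert, cliKey := issueCert("integration-client-42", false, caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Only runs for a verified peer, so the subject is a trustworthy identity for authorization.
		fmt.Fprint(w, r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		MinVersion:   tls.VersionTLS12,               // the floor the page states
		ClientAuth:   tls.RequireAndVerifyClientCert, // no cert, or one not chaining to ClientCAs: handshake fails
		ClientCAs:    pool,
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
	}
	srv.StartTLS()
	defer srv.Close()

	// Probe 1: trusts the server but presents no client certificate.
	anon := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}}
	if resp, e := anon.Get(srv.URL); e != nil {
		out.AnonRejected = true
	} else {
		resp.Body.Close()
	}
	// Probe 2: same trust store plus a CA-issued client identity.
	auth := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs: pool, MinVersion: tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}},
	}}}
	resp, err := auth.Get(srv.URL)
	if err != nil {
		return out, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	out.ClientCN = string(body)
	out.ModernTLS = resp.TLS != nil && resp.TLS.Version >= tls.VersionTLS12
	return out, err
}

func main() { fmt.Println(RunMTLSDemo()) }
```

The point to take from the two probes: with RequireAndVerifyClientCert the handler never sees an unauthenticated request, so the certificate subject can drive per-integration authorization without a separate credential. A server that instead used RequestClientCert or VerifyClientCertIfGiven would let the first probe through, which is the misconfiguration to check for when auditing an "mTLS-protected" endpoint.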

Incident response

We maintain a documented incident response plan, tested twice per year with tabletop exercises. Severity tiers and escalation paths are documented and role-assigned.

Notification commitments

  • Critical incidents affecting customer data: notification within 72 hours of confirmation, matching the 72-hour breach notification window set by GDPR and consistent with other applicable regulations
  • Platform degradation: Status updates published at status.n0limit.com within 15 minutes of detection
  • Post-incident: Root cause analysis and corrective action summary provided to affected customers within 10 business days

Responsible disclosure

Report a vulnerability

If you've identified a security issue in n0limit's platform, infrastructure, or public-facing properties, we want to hear from you. We treat every report seriously and respond on the same timeline we hold ourselves to for our customers.

security@n0limit.com

PGP key available on request for encrypted disclosures.

Our process

Day 1 Acknowledgment of your report
Day 5 Initial triage and severity assessment communicated
Day 30 Remediation target for critical and high severity findings
Day 90 Coordinated public disclosure (by mutual agreement)

Scope

In scope: n0limit platform, API endpoints, web application, and customer-facing infrastructure. Out of scope: social engineering, physical security testing, denial-of-service attacks, and third-party services we do not control.

Researchers who report in good faith, act within this scope, and do not access or modify customer data will not face legal action from n0limit. We are committed to coordinated and fair disclosure.

Compliance

Compliance documentation available to current and prospective customers under NDA:

  • SOC 2 Type II report — available on request
  • ISO 27001 certificate — available on request
  • Penetration test summary — executive summary available on request
  • Data Processing Agreement (DPA) — standard DPA at legal@n0limit.com; Enterprise customers may request custom terms
  • Business Associate Agreement (BAA) — available for covered entities and business associates under HIPAA
  • Sub-processor list — available at privacy@n0limit.com

Security contact

For vulnerability reports, security concerns, or compliance documentation requests: