## Standards

| Standard | Status | Report |
|---|---|---|
| SOC 2 Type II | Annual audit. Latest report covers the trailing 12 months. | Available under NDA. |
| ISO 27001 | Certified. | Certificate available on request. |
| ISO 27701 (privacy) | Certified. | Certificate available on request. |
| GDPR | DPA available. EU data residency on the eu-west-1 deployment. | DPA on request. |
| HIPAA | BAA available on enterprise tier. | BAA on request. |
| PCI DSS | We do not process cardholder data; masking patterns prevent capture of PAN-shaped strings. | N/A. |
| FedRAMP Moderate | In progress. | Status update on request. |
## Control mapping (selected)

The full controls matrix lives in the SOC 2 report. A subset, mapped to where the control surfaces in the product:

| Control area | How it's enforced |
|---|---|
| Logical access | SSO / SAML / OIDC. Workspace roles. API key scopes. JIT replay tokens. |
| Encryption in transit | TLS 1.3; mTLS optional on self-hosted deployments. |
| Encryption at rest | AES-256 + customer-managed keys (BYOK) on enterprise. |
| Network segmentation | Per-tenant VPC subnets (SaaS) / customer VPC (self-hosted). |
| Vulnerability management | Quarterly internal scans, annual external pen test, bug bounty. |
| Change management | All deploys peer-reviewed, signed images, CI-enforced. |
| Audit logging | Every access logged. SIEM export. 18-month retention default. |
| Incident response | 24×7 on-call. 4-hour customer notification SLO. Post-mortems published within 10 business days. |
| Backup & DR | Postgres PITR + cross-region object replication. Quarterly DR drill. |
| Vendor management | Subprocessor list published; customer notification on additions. |
## Subprocessors (SaaS)
- AWS — primary infrastructure.
- Cloudflare — edge + DDoS protection.
- Datadog — observability (no customer frame/event content sent).
- Stripe — billing.
The list is published at nusomi.com/legal/subprocessors. We notify customers 30 days before adding a new subprocessor.
## Data residency

| Region | Endpoint |
|---|---|
| US | api.nusomi.com (us-east-1) |
| EU | eu.api.nusomi.com (eu-west-1) |
| APAC | apac.api.nusomi.com (ap-south-1) |
Data stays in the chosen region; replication for failover is confined to that region's own failover zone and never crosses into another region.
For self-hosted deployments, residency is determined entirely by your own infrastructure.
## Retention

| Data | Default retention |
|---|---|
| Frames | 90 days, then auto-archive to cold storage. Configurable 1–3650 days. |
| Events | 18 months. Configurable. |
| Memory graph | Indefinite (workflow-level structure, no PII). |
| Audit log | 18 months. Configurable. |
| Test-mode sessions (nsk_test_…) | 7 days, hard delete. |
| Soft-deleted sessions | 30 days, then hard delete. |
Override per workspace in the dashboard or via:

```http
PATCH /v1/workspaces/current

{
  "retention": {
    "frames_days": 30,
    "events_days": 180
  }
}
```
## Right to erasure (GDPR / CCPA)

End-user erasure requests are filed via:

```json
{
  "subject": "alex@acme.com",
  "scope": "all"
}
```
The request runs through:
- Find every session whose actor or metadata references the subject.
- Hard-delete frames and events.
- Strip subject references from the memory graph.
- Log the erasure in the audit trail.
Completed within 30 days. The audit-trail entry is the only artifact retained.
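To make the four-step pipeline concrete, here is an added Python model of it. It is not the service's own implementation; the session, frame, event and memory-graph shapes, the removal of the matched session records themselves, and the use of a SHA-256 fingerprint instead of the plaintext subject in the audit entry are all assumptions made for this illustration. The sample workspace is constructed data, not real customer data:

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Session:
    id: str
    actor: str
    metadata: dict
    frames: list = field(default_factory=list)
    events: list = field(default_factory=list)


@dataclass
class Workspace:
    sessions: dict              # session id -> Session
    memory_graph: dict          # node id -> {"label": str, "subjects": set}
    audit_log: list = field(default_factory=list)


def subject_fingerprint(subject: str) -> str:
    """Hash the subject so the audit entry can be correlated without storing the PII itself."""
    return hashlib.sha256(subject.encode("utf-8")).hexdigest()


def references_subject(session: Session, subject: str) -> bool:
    """Step 1 predicate: the subject appears as the actor or as any metadata value."""
    return session.actor == subject or any(v == subject for v in session.metadata.values())


def erase_subject(ws: Workspace, subject: str, scope: str = "all") -> dict:
    """Run an erasure request for `subject` and return a summary for the requester."""
    if scope != "all":
        raise ValueError("only scope='all' is modelled in this example")

    # 1. Find every session whose actor or metadata references the subject.
    matched = [s for s in ws.sessions.values() if references_subject(s, subject)]

    # 2. Hard-delete frames and events. Assumption: the session record goes with them,
    #    since the audit entry is meant to be the only artifact retained.
    frames_deleted = events_deleted = 0
    for s in matched:
        frames_deleted += len(s.frames)
        events_deleted += len(s.events)
        del ws.sessions[s.id]

    # 3. Strip subject references from the memory graph; the workflow structure stays.
    nodes_touched = 0
    for node in ws.memory_graph.values():
        if subject in node["subjects"]:
            node["subjects"].discard(subject)
            nodes_touched += 1

    # 4. Log the erasure. Only a fingerprint of the subject is kept, so the audit
    #    trail does not itself become a store of the erased identifier.
    ws.audit_log.append({
        "action": "erasure",
        "subject_hash": subject_fingerprint(subject),
        "sessions": len(matched),
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return {
        "sessions_deleted": len(matched),
        "frames_deleted": frames_deleted,
        "events_deleted": events_deleted,
        "graph_nodes_touched": nodes_touched,
    }


def build_sample_workspace() -> Workspace:
    """Constructed sample workspace for the example."""
    return Workspace(
        sessions={
            "s1": Session("s1", "alex@acme.com", {"ticket": "T-1"}, frames=[b"f1", b"f2"], events=["e1"]),
            "s2": Session("s2", "sam@acme.com", {"requested_by": "alex@acme.com"}, frames=[b"f3"], events=["e2", "e3"]),
            "s3": Session("s3", "sam@acme.com", {"ticket": "T-2"}, frames=[b"f4"], events=[]),
        },
        memory_graph={
            "n1": {"label": "checkout-flow", "subjects": {"alex@acme.com", "sam@acme.com"}},
            "n2": {"label": "refund-flow", "subjects": {"sam@acme.com"}},
        },
    )


if __name__ == "__main__":
    ws = build_sample_workspace()
    print(erase_subject(ws, "alex@acme.com"))
    print(ws.audit_log)
```

Note that session s2 is caught by the metadata match even though its actor is someone else; a search that only looks at the actor field would leave that reference behind, which is why the first step checks both.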
## Requesting reports
Email security@nusomi.com from a verifiable address with:
- Your workspace ID (or “evaluating”) and the report you need.
- Your NDA (or ask us to send our standard one).
Same-day turnaround for SOC 2 / ISO certificates. DPA / BAA executed within five business days.