Security & data governance
Data handling, GDPR posture, EU AI Act classification and responsible disclosure.
Vera makes operational decisions about real people and real obligations. The security and governance posture is designed to be explainable to a customer's DPO in one meeting.
Data handling principles
- You own your data. Rules, facts and decision history belong to the customer, with structured export available at any time. No lock-in: your data is never held hostage.
- No training on customer data. Customer data is never used to train or fine-tune models — ours or anyone else's.
- Minimal model exposure. Only the prompt text needed for translation reaches the model endpoint; operational stores are never exposed to it. With a self-hosted model, nothing leaves the deployment at all.
- EU-region storage. All customer data is stored in EU-region infrastructure. We do not transfer customer operational data outside the EU/EEA.
GDPR
For platform data, the customer is the controller and Nex0 the processor under a data processing agreement. Operational data inevitably includes personal data (technician names, schedules, certifications), so the DPA, records of processing and sub-processor list are maintained as first-class deliverables. Audit-trail records support — rather than hinder — data-subject requests, because every use of a person's data in a decision is itself logged.
EU AI Act
Vera is a decision-support and operational-automation system for logistics; in deployed configurations it falls into the limited / minimal risk categories. Two product properties matter here:
- Human oversight is a configured property — approve-mode keeps a human in the loop per decision class, and autonomy ceilings are enforced at the engine, not in UI.
- Traceability is structural — the complete decision record (facts, rule versions, candidates, verdicts, approver) exists for 100% of decisions, which anticipates transparency obligations rather than retrofitting them.
Application security
- TLS in transit, encryption at rest for both stores.
- Scoped API keys (vera_sk_ prefix), one per integration; revocation takes effect immediately.
- Append-only audit log; no deletion path exists in the application layer.
- Role-based access in the console; rule changes require authorship and are versioned.
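To make the oversight and traceability properties above concrete (approve-mode and autonomy ceilings enforced in the engine rather than the console, and a decision record that is appended for every attempt and can answer a data-subject request), here is an illustrative Python sketch. It is an added example, not Vera's code: the decision classes, the integer impact score, the ceiling values, the approver identifier and the sample facts are all assumptions made for the illustration, and the sample data is constructed.

```python
from dataclasses import dataclass, asdict
from enum import Enum
from typing import Optional


class Mode(Enum):
    AUTO = "auto"        # engine may execute without a human in the loop
    APPROVE = "approve"  # a named human approver is required for every decision


@dataclass(frozen=True)
class DecisionClass:
    name: str
    mode: Mode
    autonomy_ceiling: int  # hypothetical impact score the engine may commit on its own


@dataclass(frozen=True)
class Decision:
    decision_class: str
    facts: dict            # inputs, including personal data such as a technician's name
    rule_versions: dict    # rule id -> version that evaluated these facts
    candidates: tuple      # alternatives the engine considered
    verdict: str           # the candidate it chose
    impact: int            # hypothetical impact score compared against the ceiling
    approver: Optional[str] = None


class OversightViolation(Exception):
    pass


class AuditLog:
    """Append-only store: it offers append and read-only views and deliberately
    no update or delete method, so the application layer has no deletion path."""

    def __init__(self):
        self._records = []

    def append(self, record: dict) -> dict:
        entry = dict(record, seq=len(self._records))
        self._records.append(entry)
        return entry

    def records(self) -> tuple:
        return tuple(self._records)  # snapshot; callers cannot mutate the log

    def uses_of(self, subject: str) -> list:
        """Data-subject support: every logged decision whose facts name the subject,
        rejected decisions included, because the data was used either way."""
        return [r for r in self._records if subject in r["facts"].values()]


class Engine:
    def __init__(self, classes, log: AuditLog):
        self.classes = {c.name: c for c in classes}
        self.log = log

    def execute(self, d: Decision, ui_says_approved: bool = False) -> dict:
        """The oversight check lives here. ui_says_approved exists only to show
        that a console flag carries no authority: the engine ignores it."""
        cls = self.classes[d.decision_class]
        reason = None
        if cls.mode is Mode.APPROVE and d.approver is None:
            reason = "approve-mode class requires a named approver"
        elif d.approver is None and d.impact > cls.autonomy_ceiling:
            reason = f"impact {d.impact} exceeds autonomy ceiling {cls.autonomy_ceiling}"
        # Every attempt is recorded in full before anything is executed.
        entry = self.log.append(dict(asdict(d), outcome="rejected" if reason else "executed", reason=reason))
        if reason:
            raise OversightViolation(f"decision {entry['seq']}: {reason}")
        return entry


def run_scenario() -> dict:
    """Four constructed decisions (sample data, not real people) driven through the engine."""
    log = AuditLog()
    engine = Engine([DecisionClass("reassign_job", Mode.AUTO, autonomy_ceiling=10),
                     DecisionClass("cancel_shift", Mode.APPROVE, autonomy_ceiling=0)], log)

    def attempt(d, **kw):
        try:
            return engine.execute(d, **kw)["outcome"]
        except OversightViolation:
            return "rejected"

    facts_a = {"technician": "A. Example", "job": "J-1"}
    facts_b = {"technician": "B. Example", "shift": "S-7"}
    rules = {"R-12": "3", "R-40": "1"}
    return {
        "auto_within_ceiling": attempt(Decision("reassign_job", facts_a, rules, ("T-1", "T-2"), "T-2", impact=4)),
        # a console claiming approval does not lift the ceiling
        "auto_over_ceiling": attempt(Decision("reassign_job", facts_a, rules, ("T-1", "T-2"), "T-1", impact=40),
                                     ui_says_approved=True),
        "approve_no_approver": attempt(Decision("cancel_shift", facts_b, rules, ("keep", "cancel"), "cancel", impact=0)),
        "approve_with_approver": attempt(Decision("cancel_shift", facts_b, rules, ("keep", "cancel"), "cancel",
                                                  impact=0, approver="dispatcher@example.invalid")),
        "records": len(log.records()),
        "uses_of_a": len(log.uses_of("A. Example")),
        "log_has_delete": hasattr(log, "delete"),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The two points a DPO or auditor would probe are visible in the scenario: the rejected attempts are logged with the same full record as the executed ones, so a request about "A. Example" returns both uses of that person's data, and the only way past an approve-mode class or a ceiling is a recorded approver, never a flag the console sends.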
Validation evidence
The extraction evaluation suite, determinism test regime and production validation evidence are published in the public documentation on GitHub (docs/validation.md).
Responsible disclosure
Security findings in the platform, the demo environment or this website should go to security@nex0.tech. We acknowledge reports within two business days, and we do not pursue legal action against researchers acting in good faith.