Security

How we protect your data and your customers'

Security by design at every layer of Nuvlyx: encryption, multi-tenant isolation, access controls, incident response, and regulatory compliance.

1. Our commitment

At Nuvlyx, operated by Moshipp SAS, security is a pillar of the service, not an add-on. Our model is built on defense in depth, least privilege, and zero implicit trust principles applied across infrastructure, application, and processes. This document summarizes the technical and organizational measures we apply to protect Owners’ and end customers’ data.

2. Encryption and transport

  • At rest: sensitive data is encrypted with AES-256. Credentials and tokens are stored only as hashes computed with collision-resistant algorithms, never in plain text.
  • In transit: all client-server communication uses TLS 1.3 with perfect forward secrecy. We force HTTPS and apply HSTS policies.
  • Secrets: integration keys (e.g., Bancolombia OAuth2) are stored in a Vault-like secrets manager with granular access control and rotation.

3. Multi-tenant isolation

Nuvlyx is multi-tenant: each Owner operates in its own logical tenant. We enforce isolation with Row Level Security (RLS) at the database layer, so isolation does not depend solely on the application: even in the event of a logic bug or leak attempt, the database rejects cross-tenant queries.

Caches, queues, and file storage also carry tenant keys to preserve isolation outside the transactional layer.
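One way to realize the database-level isolation described above, shown here as an added example rather than Nuvlyx's own schema or code: a PostgreSQL Row Level Security policy keyed on a per-connection tenant setting, so a query that forgets its tenant filter still cannot read or write another tenant's rows. The table, the `app_user` role, the sample tenant ids and the `app.tenant_id` setting are all assumptions.

```sql
-- Constructed PostgreSQL example (not Nuvlyx code): per-tenant Row Level Security.
-- Assumes the application sets the caller's tenant per connection in 'app.tenant_id'.

CREATE TABLE orders (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid    NOT NULL,
    customer    text    NOT NULL,
    total_cents integer NOT NULL
);

-- Role the service connects as. It owns no tables, so it cannot bypass RLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO app_user;
GRANT USAGE, SELECT ON SEQUENCE orders_id_seq TO app_user;

-- Enable RLS, and FORCE it so even the table owner is subject to the policies
-- (superusers and roles with BYPASSRLS still bypass it; do not run the app as those).
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- Reads (USING) and writes (WITH CHECK) are both restricted to the caller's tenant.
-- current_setting(..., true) returns NULL when the setting is absent, so a connection
-- that never declared its tenant sees no rows and can insert none.
CREATE POLICY tenant_isolation ON orders
    FOR ALL
    TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Constructed seed data, inserted by the schema owner (not subject to the policy).
INSERT INTO orders (tenant_id, customer, total_cents) VALUES
    ('11111111-1111-1111-1111-111111111111', 'alice', 1200),
    ('22222222-2222-2222-2222-222222222222', 'bob',   3400);

-- What the application sees. With a connection pool, prefer SET LOCAL inside a
-- transaction so the tenant id cannot leak into the next borrower of the connection.
SET ROLE app_user;
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

SELECT customer FROM orders;                      -- only 'alice'
SELECT customer FROM orders WHERE customer = 'bob';-- no rows: missing tenant filter is harmless

-- Tagging a row with another tenant is rejected by the WITH CHECK clause:
INSERT INTO orders (tenant_id, customer, total_cents)
VALUES ('22222222-2222-2222-2222-222222222222', 'mallory', 1);
-- ERROR:  new row violates row-level security policy for table "orders"
ROLLBACK;
```

Auditing which tables lack a policy is as simple as querying `pg_tables` for `rowsecurity = false` and `pg_policies` for coverage; a table with RLS enabled but no policy denies everything to non-owners, which is a safe failure mode.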

4. Access controls

  • Authentication: email and strong password, with multi-factor authentication (MFA) and OAuth providers supported per plan.
  • Authorization: role-based access control (RBAC) for Owner staff accounts, following least privilege.
  • Sessions: tokens expire on inactivity, rotate upon password changes, and can be revoked in real time.
  • Rate limiting: per-IP, per-user, and per-endpoint limits to mitigate credential stuffing, brute force, and API abuse.
  • Internal access: only authorized personnel access production data, with segregation of duties, audit logging, and mandatory MFA.

5. Infrastructure

We use leading cloud providers with world-class security certifications (ISO 27001, SOC 2). Services are deployed in private networks with firewalls, layered segmentation, and deny-by-default rules. Inbound traffic passes through a CDN with DDoS mitigation and WAF rules for known attack patterns.

Code dependencies are kept up to date via automated vulnerability scans and periodic reviews.

6. Backups and recovery

  • Automatic backups of databases, stored in a region separate from the primary.
  • Retention of at least 30 days, with point-in-time versions for fine-grained recovery.
  • Restore drills are performed periodically to validate backup integrity.
  • Custom/Scale plan: dedicated backups with custom frequencies and recovery SLAs are available.

7. Monitoring and audit

We log authentication events, administrative changes, critical actions, and system errors. Logs are immutable within their retention window and are used for incident investigation and operational auditing. Alerts fire automatically on anomalous patterns (e.g., unusual failed login volumes or unexplained usage spikes).

8. Vulnerability management

  • Automated scanning in the deployment pipeline (SAST and SCA).
  • Manual code review for sensitive changes.
  • Periodic penetration tests on critical components.
  • Timely patching of dependencies and operating systems.

9. Incident response

We maintain an incident response plan covering detection, containment, eradication, recovery, and lessons learned. When an incident affects personal data, we notify Owners and, when appropriate, the competent authority (SIC in Colombia) within the legal deadlines.

10. Compliance

We operate in Colombia under Law 1581 of 2012 and Decree 1377 of 2013, and align our practices with recognized international frameworks. Specific certifications and current audits can be requested at hola@nuvlyx.com.

11. Report a security issue

If you discover a vulnerability or suspect an incident, please email us at hola@nuvlyx.com with as much detail as possible (steps to reproduce, estimated impact, evidence). We investigate all good-faith reports and, when appropriate, publicly acknowledge contributors. Please do not publicly disclose the finding before coordinating a reasonable remediation window with us.