Any vendor can say 'secure' and 'tested.' Here's the specific, checkable architecture behind those words at Nexus — most of it verifiable straight from our own public repository, not a claim you have to take on faith.
Integration credentials are encrypted at rest under a dedicated application secret key. Production is configured to refuse to run misconfigured rather than silently store a secret in plaintext.
Classification checks, a dependency audit, secret-scanning, and the full automated test suite all have to pass before any change reaches the production branch — no exceptions for a fast-moving week.
For Microsoft 365 backup specifically, Nexus writes to an S3-compatible bucket you own (Wasabi, AWS S3, or Cloudflare R2) — not ours. Every object is hashed and verify-checked, and your data was never siloed inside Nexus-owned storage to begin with, so it can't become a hostage to a dispute or an outage on our end.
See "your bucket, your keys" for the full architecture, and the compliance pages for how posture tracking maps to the specific framework your clients answer to.
We don't have a formal bug-bounty program yet — we're a small team and would rather say that than pretend otherwise. What we do have: every report sent to hello@nexusrmm.ai (subject line: "Security") reaches the team directly, and we read and respond to every one.
Internally, every significant incident gets a same-day postmortem and a logged evidence trail as a matter of discipline, not a retro nobody writes. If an incident on our infrastructure ever affects a design partner, the commitment is the same standard we hold the rest of this page to: told plainly, and on the timeline the incident actually warrants — not delayed for a better news cycle.
Design partners get a real walkthrough of the isolation and signing model — not a slide deck.