Trust & security

Platform assurance, not adjectives.

Any vendor can say 'secure' and 'tested.' Here's the specific, checkable architecture behind those words at Nexus — most of it verifiable straight from our own public repository, not a claim you have to take on faith.

Data ownership

For Microsoft 365 backup specifically, Nexus writes to an S3-compatible bucket you own (Wasabi, AWS S3, or Cloudflare R2) — not ours. Every object is hashed and verify-checked, and your data was never siloed inside Nexus-owned storage to begin with, so it can't become a hostage to a dispute or an outage on our end.

See "your bucket, your keys" for the full architecture, and the compliance pages for how posture tracking maps to the specific framework your clients answer to.

Report a vulnerability

We don't have a formal bug-bounty program yet — we're a small team and would rather say that than pretend otherwise. What we do have: every report sent to hello@nexusrmm.ai (subject line: "Security") reaches the team directly, and we read and respond to every one.

Incident disclosure

Internally, every significant incident gets a same-day postmortem and a logged evidence trail as a matter of discipline, not a retro nobody writes. If an incident on our infrastructure ever affects a design partner, the commitment is the same standard we hold the rest of this page to: told plainly, and on the timeline the incident actually warrants — not delayed for a better news cycle.

Ask us to show you the architecture directly.

Design partners get a real walkthrough of the isolation and signing model — not a slide deck.