Security

All API traffic is encrypted with TLS 1.3. We do not accept connections below TLS 1.2. Certificate pinning is available for enterprise on-premise deployments.

Job data, experiment logs, and account information are encrypted at rest with AES-256. Encryption keys are managed via AWS KMS with automatic annual rotation.

API keys can be scoped to specific operations (read-only, submit-only, admin). Business accounts support team-level key management with per-member granularity.

GPU compute nodes run in isolated VPCs with no public ingress. Job data is transmitted over private network interfaces between the API gateway and the compute layer.

All API calls, job submissions, and administrative actions are logged with timestamps, IP addresses, and key identifiers. Logs are immutable and retained for 12 months on Business plans.

We commission third-party penetration tests annually. The most recent report (March 2026) is available to enterprise customers under NDA.

NEROX is in the process of completing SOC 2 Type II certification (expected Q3 2026). A current readiness report is available to enterprise customers upon request.

All dependencies are scanned for known vulnerabilities on every build. We use Dependabot and Snyk for automated alerting and patch management.