Security & Compliance

Security and compliance

Research data is sensitive. NuHelix AI is built with encryption, access controls, and auditability at every layer — so your team can focus on the science.

AES-256 at rest | TLS 1.3 in transit | RBAC per workspace | Full audit trail

Security architecture

Defense in depth

Security controls are layered across encryption, access, infrastructure, and compliance — not bolted on after the fact.

Data Encryption

All data is protected at rest and in transit using industry-standard encryption.

  • AES-256 encryption at rest for all stored files
  • TLS 1.3 enforced for all data in transit
  • Key management via cloud KMS (AWS KMS / GCP Cloud KMS)
  • Signed upload and download URLs — no direct object exposure
  • Per-workspace encryption key isolation

Access Controls

Fine-grained access controls ensure data is only accessible to authorized users.

  • Role-based access control (RBAC) per workspace
  • Per-workspace isolation — no cross-tenant data access
  • Comprehensive audit logs for all user and system actions
  • Session management with configurable token expiry
  • Two-factor authentication (2FA) — planned

Infrastructure

Built on hardened cloud infrastructure with automated resilience controls.

  • Hosted on AWS and GCP with regional availability
  • VPC isolation with private subnets for compute jobs
  • Automated daily backups with 30-day retention
  • Disaster recovery with RTO < 4 hours
  • Infrastructure-as-code managed deployments

Compliance Posture

NuHelix AI is building toward the compliance standards required for regulated research.

  • SOC 2 Type II — in progress
  • HIPAA-ready controls — available on Enterprise with BAA
  • GDPR data subject controls (deletion, export, portability)
  • Data Processing Agreements (DPA) available on request
  • Annual penetration testing

Compliance status

Certifications and standards

We are transparent about what is active, what is in progress, and what requires an enterprise plan.

Planned

SOC 2 Type II

Independent audit of security, availability, and confidentiality controls across our infrastructure.

Enterprise

HIPAA Ready

Controls and BAA available for enterprise customers processing protected health information.

Active

GDPR Controls

Data subject rights, deletion workflows, and data processing agreements in place.

Active

TLS 1.3

All API and web traffic enforces TLS 1.3. Older protocols are rejected at the edge.

Active

AES-256

Object storage encrypted at rest using AES-256, managed via cloud KMS.

Planned

Pen Testing

Annual third-party penetration testing with remediation tracking.

Active | Planned | Enterprise only

Data retention

You control your data

Configurable retention policies, self-service deletion, and GDPR right-to-erasure support — no support ticket required.

Configurable retention

Set workspace-level retention policies for uploaded files and generated outputs. Automated cleanup enforces your policy.

Self-service deletion

Delete files, projects, or your entire workspace from the settings panel. Deleted data is permanently removed within 30 days.

Right to be forgotten

Submit a deletion request to remove all personal data from our systems, including backups, within 30 days.

Default retention schedule

Uploaded input files | 90 days (configurable)
Generated outputs (tables, figures) | 90 days
Analysis reports | 12 months
Provenance metadata | 24 months
Audit logs | 12–36 months

Audit trail

Complete activity logging

Every meaningful action in your workspace is recorded in a tamper-resistant audit log, which is available to workspace admins at any time.

Logged event types

Active
Event | Retention
User login / logout | 12 months
File upload / download | 12 months
Job submission / completion | 24 months
Role changes | 24 months
Workspace settings changes | 12 months
Data deletion requests | 36 months

Audit logs are available to workspace admins via the Settings → Audit Log panel or via API export.

Trust FAQ

Trust and transparency

Questions about how we handle your data and respond to incidents.

Who owns the data I upload?

You retain full ownership of all data you upload. NuHelix AI does not use your data for training, product development, or any purpose beyond executing your requested workflows. You can delete your data at any time.

How do I permanently delete my data?

You can delete individual files, entire projects, or your full workspace from the platform settings. Deletion requests trigger permanent removal from object storage within 30 days, including backups. A deletion confirmation is emailed to you.

Where is my data stored (data residency)?

By default, data is stored in AWS US-East and EU-West regions. Enterprise customers can configure a dedicated region for storage and compute to meet jurisdictional data residency requirements.

Can NuHelix AI employees access my data?

Access to customer data by NuHelix AI personnel is strictly restricted and requires explicit authorization for support purposes only. All such access is logged in the audit trail and subject to our access control policy.

What happens in a security incident?

We follow a documented incident response plan: contain, assess, notify, and remediate. Affected customers are notified within 72 hours of a confirmed breach in accordance with GDPR and applicable regulations. A post-incident report is provided to enterprise customers.

Enterprise compliance

Have specific compliance requirements?

Enterprise customers can access HIPAA BAAs, custom data residency, dedicated infrastructure, and compliance documentation packages.