
Security at Nexivo

Last updated: June 30, 2026

Nexivo LLC was founded in Columbus, Ohio in 2024 by a team of engineers and product leaders who spent the previous decade shipping software inside Fortune 500 enterprises, regulated healthcare platforms and venture-backed startups. Security was the discipline that shaped how we wrote code in those environments, and it is the discipline that shapes Nexivo AI today.

This page summarizes the controls, practices and commitments that protect customer data on the Nexivo AI platform. It is intended as a plain-language reference for buyers, security reviewers and customers. A detailed security questionnaire and our current sub-processor list are available on request.

Company posture

Nexivo LLC is a U.S. company headquartered at 2025 Riverside Drive, Columbus, OH 43221. The platform is built and operated by a small, fully employed engineering team — we do not outsource core development or production operations. Security ownership sits with the founding engineering team, and every employee with production access completes background screening and annual security training.

Encryption

All customer data is encrypted in transit using TLS 1.3 with modern cipher suites, and at rest using AES-256. Database backups, object storage and log archives are encrypted with keys managed in a hardware-backed key management service. TLS certificates rotate automatically and we enforce HSTS across all customer-facing domains.

Application security

Nexivo AI is developed against the OWASP Top 10 and OWASP ASVS Level 2 control set. Every change is reviewed by a second engineer, scanned for known vulnerable dependencies and run through static analysis before it reaches production. We run an independent third-party penetration test at least annually and after any material change to the platform's trust boundary.

Infrastructure and data isolation

The platform runs on hardened cloud infrastructure in U.S. regions. Customer prompts, generated artifacts and account metadata live in encrypted Postgres with row-level security policies enforced at the database layer, so a workspace can only ever read its own data. Production environments are logically separated from staging and development, with no shared credentials or data between them.

Access control

Production access is limited to a small, named set of engineers, granted on the principle of least privilege and reviewed quarterly. All administrative access is gated by hardware-key multi-factor authentication and recorded in an immutable audit log. We do not permit shared accounts and we rotate credentials on personnel change.

AI and customer content

We do not use customer prompts, generated artifacts or workspace metadata to train Nexivo's own models or any third-party model. When a request is routed to an upstream model provider, it is sent under a zero-retention contractual configuration wherever the provider supports it. Customer content is processed solely to deliver the service the customer requested.

Monitoring and incident response

We continuously monitor application logs, infrastructure metrics and authentication events for anomalies. Our incident response process defines severity levels, on-call rotations, customer-communication timelines and post-incident review requirements. In the event of a confirmed security incident affecting customer data, Nexivo will notify affected customers without undue delay and in accordance with applicable law.

Compliance roadmap

Nexivo aligns its controls with the SOC 2 Trust Services Criteria. SOC 2 Type I is currently in progress with an independent auditor; Type II is scheduled for the following observation window. We process personal data in a manner consistent with the GDPR and the CCPA, and we will sign a data processing agreement with customers on request.

Reporting a vulnerability

We welcome reports from the security research community. If you believe you have discovered a vulnerability, please email security@nexivollc.com with a clear description and steps to reproduce. We will acknowledge receipt within two business days and work with you in good faith on a coordinated disclosure timeline.

Contact

For security questionnaires, the latest sub-processor list, our data processing agreement or any other security enquiry, write to contact@nexivollc.com.
