Security & Infrastructure

Security at every layer.

NexWave combines AWS-backed hosting, provider SOC 2, ISO 27001 and ISO 9001 certifications, and application-layer security practices for NexWave-specific code, integrations and customer configuration.

NexWave defence in depth: a protected data core wrapped in hosting-provider, NexWave application and customer-tenant security layers
AWS hosting
Managed cloud infrastructure with regional options.
Provider certifications
SOC 2, ISO 27001 and ISO 9001 for the hosting environment.
Tenant controls
RBAC, 2FA, SSO, IP restrictions and audit trail.
Security workflow
Peer review, CI scans, disclosure intake and remediation tracking.

Security practices, clearly scoped

We separate hosting-provider certifications, NexWave application-layer security practices and customer tenant configuration so each responsibility is clear.

1. Hosting provider layer

NexWave customer instances run on AWS-backed managed infrastructure. The hosting provider maintains SOC 2, ISO 27001 and ISO 9001 certifications for the relevant operating environment.

2. NexWave application layer

NexWave-specific code, integrations and implementation changes are covered by review, test, scanning and triage practices separate from the hosting provider's certifications.

3. Customer tenant policy

Tenant administrators control users, roles, identity settings, integration choices and internal governance. NexWave provides the controls and onboarding guidance.

Hosting-provider certifications

NexWave runs on AWS-backed managed hosting infrastructure. The hosting provider maintains SOC 2 Type II, ISO 27001:2022 and ISO 9001:2015 certifications for the relevant cloud and operating environment.

These certifications apply to the provider's environment. They do not certify NexWave-specific application code, integrations or customer-specific customisations.

Provider SOC 2 Type II

Applies to the provider's audited hosting or cloud operating environment, subject to the scope of the provider certification.

Provider ISO 27001:2022 and ISO 9001:2015

Applies to the provider's information security and quality management controls, subject to the scope of each provider certification.

NexWave application layer

NexWave does not currently hold separate SOC 2, ISO 27001 or ISO 9001 certification for the NexWave product company, application code or customisations.

Regional hosting and tenant isolation

NexWave runs on Amazon Web Services. Your tenant can be pinned to a chosen AWS region at provisioning, including Sydney (ap-southeast-2) for ANZ data residency.

Standard deployments use logical tenant isolation. For organisations with stricter requirements, dedicated infrastructure and bring-your-own-server options can be scoped.

Data residency

Choose the AWS region at provisioning, with Sydney available for most New Zealand and Australian customers.

Elastic infrastructure

The hosting layer can scale resources as usage changes, reducing the need for customer-side infrastructure management.

Amazon Web Services

Standard tier

Logical isolation per tenant on shared managed infrastructure. The default for most customers.

  • Dedicated database per tenant
  • Dedicated file storage per tenant
  • Separate user pool, credentials and sessions

Dedicated server

Single-tenant AWS infrastructure for customers that require stronger separation than logical tenancy.

  • Your tenant on dedicated infrastructure
  • AWS-native at-rest encryption configurable at provisioning
  • Independent backup and restore cadence

Bring your own server

Deploy NexWave inside your own AWS account where that model is commercially and technically agreed.

  • Your AWS account, VPC and billing
  • KMS-managed encryption keys
  • Integration with your existing AWS controls and logging

NexWave application-layer security practices

NexWave-specific code and implementation changes are reviewed, tested and scanned through the standard release workflow before they reach customers.

Peer review

Feature branches and pull requests are used for product changes. Security-sensitive changes receive engineering review before release.

Automated testing

Automated tests run in CI for supported repositories, with manual QA added for higher-risk workflows and customer-facing changes.

Static analysis

Semgrep is used to scan application code for security-sensitive patterns, correctness issues and framework-specific risks.

Dependency checks

GitHub Dependabot, pip-audit and OSV-Scanner are used to identify vulnerable third-party packages and open-source dependency risk.

Secret and configuration scanning

Trivy scanning supports vulnerability, secret, misconfiguration and licence checks as part of the security reporting workflow.

Report artefacts

Security report artefacts can include JSON, SARIF, text, Markdown and HTML outputs, with findings triaged and tracked for remediation.

Application controls

NexWave gives tenant administrators practical controls for access, identity, session policy, auditability and integration governance.

Role-based access control

Permissions at the role, document and field level. Users see only the records and fields their role grants them.

Two-factor authentication

2FA and one-time password support are available and can be enforced for privileged roles.

Single sign-on

SSO is available through OAuth 2.0, OpenID Connect and LDAP for common identity-provider setups.

IP restrictions

Per-user IP allow-listing can restrict administrative accounts to your corporate network or VPN.

Password and session policy

Tenant administrators can configure password strength, expiry, session timeout and idle expiry policies.

Audit trail

Activity logs, route history, document timeline and version tracking support investigation and change review.

Encryption and backups

NexWave applies encryption controls where business data moves, where secrets are stored, and where stricter hosting tiers require customer-managed infrastructure controls.

In transit

Customer traffic is encrypted with TLS 1.2 or higher. Administrative server access uses key-based or certificate-based SSH rather than passwords.

Application secrets

User passwords are hashed. API keys, OAuth tokens and connector credentials are stored encrypted and decrypted only at point of use.

Storage layer options

Dedicated and bring-your-own-server tiers can be configured with AWS-native at-rest encryption and customer-managed keys where required.

Backups

Offsite backups are taken daily with multi-tier retention. Backup encryption can be enabled where a customer's security policy requires it.

Incident response and security testing

Security issues are triaged by severity and handled through the engineering and support workflow. For hosting-layer incidents, NexWave coordinates with the relevant infrastructure response teams and communicates with affected customers.

Customer-specific penetration testing, application-layer security review and contractual response targets can be scoped for organisations that require additional security review.

Customer notification process

For confirmed incidents affecting customer data, NexWave notifies affected customers through nominated contacts as soon as practical, using the information available at that point.

Post-incident reporting

Once an investigation closes, NexWave can provide a written report covering impact, remediation and corrective actions for affected customers.

Scoped tenant testing

Customer-initiated testing requires written agreement on scope, methodology and timing. NexWave can also help scope targeted application-layer testing.

Vulnerability Disclosure Policy

NexWave International welcomes responsible reports of security vulnerabilities affecting NexWave. Send vulnerability reports to [email protected].

Scope

This policy covers suspected vulnerabilities in NexWave-owned public web properties, NexWave-managed application endpoints, NexWave-specific code, and authorised customer tenants where the reporter is the tenant owner or has written permission from the tenant owner.

Third-party infrastructure, hosting-provider services, identity providers, payment providers, customer-managed networks, customer devices and integrations not operated by NexWave are outside this policy unless NexWave has separately confirmed written scope.

Security.txt

The machine-readable reporting channel for this policy is published at /.well-known/security.txt.


Permitted testing

  • Passive review of public pages, headers, metadata and publicly available assets.
  • Authenticated testing inside a tenant you own or are explicitly authorised to test.
  • Minimal proof-of-concept testing needed to show impact, using benign payloads and test data.
  • Stopping testing as soon as you confirm a vulnerability or encounter data that is not yours.

Out-of-scope testing

  • Denial-of-service, stress, load, spam, brute-force or credential-stuffing tests.
  • Social engineering, phishing, physical security testing, malware or persistence testing.
  • Accessing, changing, deleting, exporting or retaining data that does not belong to you.
  • Reports limited to scanner output, missing headers, self-XSS, clickjacking on non-sensitive pages or issues with no practical security impact.

Prohibited activity

Do not disrupt NexWave services, bypass rate limits at scale, attempt lateral movement, maintain access, exfiltrate secrets beyond the minimum proof needed, or test systems that are not clearly in scope. This policy does not authorise unlawful, destructive or privacy-invasive activity.

What to include

Send a concise report with:

  • Affected URL, endpoint, tenant type or product area.
  • Steps to reproduce, expected impact and severity rationale.
  • Safe evidence such as screenshots, logs or request samples with sensitive values redacted.
  • Your contact details and any planned disclosure timeline.

Response expectations

NexWave reviews reports during business operations. We aim to acknowledge credible reports in a reasonable business timeframe, validate impact, prioritise remediation by severity and keep the reporter updated when material progress occurs.

The [email protected] mailbox is not a 24/7 emergency hotline. If you are an existing customer with an active incident, use your agreed support channel as well.

Confidentiality and coordinated disclosure

Please keep vulnerability details confidential until NexWave has had a reasonable opportunity to investigate, mitigate and agree a coordinated disclosure plan. NexWave will not publicly identify a reporter without permission.

NexWave may share report details with relevant hosting providers, integration providers, advisers and affected customers where needed to investigate, remediate or meet legal and contractual obligations.

Bug bounty and CVE handling

NexWave does not operate a public bug bounty programme and does not offer rewards unless separately agreed in writing by NexWave International before testing begins.

Where a validated NexWave-specific vulnerability requires coordinated public disclosure, NexWave International will request CVE assignment through MITRE's CNA of Last Resort or another appropriate CVE Numbering Authority.

Shared responsibility

Security in practice is a joint effort. NexWave provides secure hosting options, platform controls and implementation guidance. Tenant administrators configure those controls to match their organisation's policy.

What NexWave provides

  • Hosted on provider infrastructure with SOC 2, ISO 27001 and ISO 9001 certifications
  • Logical or single-tenant hosting options
  • Application-layer review, testing and security scanning practices
  • RBAC, 2FA, SSO, IP restrictions, password policy and audit trail controls
  • Backup, incident response and customer notification processes

What you configure

  • User onboarding, offboarding and role assignment
  • 2FA, SSO, password and session policies
  • IP restrictions for privileged accounts
  • Third-party integrations enabled and credentials used
  • Internal data classification and access governance

Frequently asked questions

Short answers to the security questions that commonly appear in vendor reviews.

Does NexWave hold SOC 2 or ISO 27001 certification?
No. The hosting provider maintains SOC 2 Type II, ISO 27001:2022 and ISO 9001:2015 certifications for the relevant cloud and operating environment. NexWave does not currently hold separate SOC 2, ISO 27001 or ISO 9001 certification for NexWave-specific application code, integrations or customer-specific customisations.

What certification or testing coverage applies?
SOC 2, ISO 27001 and ISO 9001 apply at the hosting-provider layer. Customer-specific application-layer penetration testing can be scoped separately against your tenant with written agreement on timing, target and methodology.

How is NexWave-specific code reviewed?
NexWave-specific changes are reviewed, tested and scanned through the standard release workflow. The security reporting workflow includes Semgrep, Trivy, pip-audit and OSV-Scanner outputs that can be packaged for qualified reviews where appropriate.

Where is my data hosted?
NexWave runs on AWS-backed managed infrastructure. Your tenant is pinned to a chosen AWS region at provisioning. Most ANZ customers choose Sydney (ap-southeast-2).

Who can access my data inside NexWave?
Only users your administrators create and assign roles to. Access by NexWave support staff requires customer approval for the support context and is logged in the tenant audit trail.

Do you support single sign-on?
Yes. NexWave supports SSO through OAuth 2.0, OpenID Connect and LDAP, with configuration options for common identity providers.

Can we run our own penetration test?
Customer-initiated testing against a tenant requires advance written agreement on scope, methodology and timing. NexWave can also help scope a targeted application-layer penetration test.

Do you define security response targets?
Security findings are triaged by severity. Contractual response targets can be agreed for customers with specific security requirements, including CVSS-based severity bands where appropriate.

How do I report a vulnerability?
Email [email protected] with the affected URL or product area, reproduction steps, impact, safe evidence and your contact details. NexWave does not operate a public bug bounty programme unless separately agreed in writing.

What happens to my data if we leave?
On contract termination, tenant data is exported in machine-readable form and made available for an agreed period, after which it is securely deleted in line with the relevant agreement and retention policy.

Got a security questionnaire?

Download the Security Overview or get in touch. We can work through provider certifications, application-layer security practices, tenant configuration and scoped testing requirements with you.