Security at every layer.
NexWave combines AWS-backed hosting, provider SOC 2, ISO 27001 and ISO 9001 certifications, and application-layer security practices for NexWave-specific code, integrations and customer configuration.
Security practices, clearly scoped
We separate hosting-provider certifications, NexWave application-layer security practices and customer tenant configuration so each responsibility is clear.
1. Hosting provider layer
NexWave customer instances run on AWS-backed managed infrastructure. The hosting provider maintains SOC 2, ISO 27001 and ISO 9001 certifications for the relevant operating environment.
2. NexWave application layer
NexWave-specific code, integrations and implementation changes are covered by review, test, scanning and triage practices separate from the hosting provider's certifications.
3. Customer tenant policy
Tenant administrators control users, roles, identity settings, integration choices and internal governance. NexWave provides the controls and onboarding guidance.
Hosting-provider certifications
NexWave runs on AWS-backed managed hosting infrastructure. The hosting provider maintains SOC 2 Type II, ISO 27001:2022 and ISO 9001:2015 certifications for the relevant cloud and operating environment.
These certifications apply to the provider's environment. They do not certify NexWave-specific application code, integrations or customer-specific customisations.
Provider SOC 2 Type II
Applies to the provider's audited hosting or cloud operating environment, subject to the scope of the provider certification.
Provider ISO 27001:2022 and ISO 9001:2015
Applies to the provider's information security and quality management controls, subject to the scope of each provider certification.
NexWave application layer
NexWave does not currently hold separate SOC 2, ISO 27001 or ISO 9001 certification for the NexWave product company, application code or customisations.
Regional hosting and tenant isolation
NexWave runs on Amazon Web Services. Your tenant can be pinned to a chosen AWS region at provisioning, including Sydney (ap-southeast-2) for ANZ data residency.
Standard deployments use logical tenant isolation. For organisations with stricter requirements, dedicated infrastructure and bring-your-own-server options can be scoped.
Data residency
Choose the AWS region at provisioning, with Sydney available for most New Zealand and Australian customers.
Elastic infrastructure
The hosting layer can scale resources as usage changes, reducing the need for customer-side infrastructure management.
Standard tier
Logical isolation per tenant on shared managed infrastructure. The default for most customers.
- Dedicated database per tenant
- Dedicated file storage per tenant
- Separate user pool, credentials and sessions
Dedicated server
Single-tenant AWS infrastructure for customers that require stronger separation than logical tenancy.
- Your tenant on dedicated infrastructure
- AWS-native at-rest encryption configurable at provisioning
- Independent backup and restore cadence
Bring your own server
Deploy NexWave inside your own AWS account where that model is commercially and technically agreed.
- Your AWS account, VPC and billing
- KMS-managed encryption keys
- Integration with your existing AWS controls and logging
NexWave application-layer security practices
NexWave-specific code and implementation changes are reviewed, tested and scanned through the standard release workflow before they reach customers.
Peer review
Feature branches and pull requests are used for product changes. Security-sensitive changes receive engineering review before release.
Automated testing
Automated tests run in CI for supported repositories, with manual QA added for higher-risk workflows and customer-facing changes.
Static analysis
Semgrep is used to scan application code for security-sensitive patterns, correctness issues and framework-specific risks.
Dependency checks
GitHub Dependabot, pip-audit and OSV-Scanner are used to identify vulnerable third-party packages and open-source dependency risk.
Secret and configuration scanning
Trivy scanning supports vulnerability, secret, misconfiguration and licence checks as part of the security reporting workflow.
Report artefacts
Security report artefacts can include JSON, SARIF, text, Markdown and HTML outputs, with findings triaged and tracked for remediation.
Application controls
NexWave gives tenant administrators practical controls for access, identity, session policy, auditability and integration governance.
Role-based access control
Permissions at the role, document and field level. Users see only the records and fields their role grants them.
Two-factor authentication
2FA and one-time password support are available and can be enforced for privileged roles.
Single sign-on
SSO is available through OAuth 2.0, OpenID Connect and LDAP for common identity-provider setups.
IP restrictions
Per-user IP allow-listing can restrict administrative accounts to your corporate network or VPN.
Password and session policy
Tenant administrators can configure password strength, expiry, session timeout and idle expiry policies.
Audit trail
Activity logs, route history, document timeline and version tracking support investigation and change review.
Encryption and backups
NexWave applies encryption controls where business data moves, where secrets are stored, and where stricter hosting tiers require customer-managed infrastructure controls.
In transit
Customer traffic is encrypted with TLS 1.2 or higher. Administrative server access uses key-based or certificate-based SSH rather than passwords.
Application secrets
User passwords are hashed. API keys, OAuth tokens and connector credentials are stored encrypted and decrypted only at point of use.
Storage layer options
Dedicated and bring-your-own-server tiers can be configured with AWS-native at-rest encryption and customer-managed keys where required.
Backups
Offsite backups are taken daily with multi-tier retention. Backup encryption can be enabled where a customer's security policy requires it.
Incident response and security testing
Security issues are triaged by severity and handled through the engineering and support workflow. For hosting-layer incidents, NexWave coordinates with the relevant infrastructure response teams and communicates with affected customers.
Customer-specific penetration testing, application-layer security review and contractual response targets can be scoped for organisations that require additional security review.
Customer notification process
For confirmed incidents affecting customer data, NexWave notifies affected customers through nominated contacts as soon as practical, using the information available at that point.
Post-incident reporting
Once an investigation closes, NexWave can provide a written report covering impact, remediation and corrective actions for affected customers.
Scoped tenant testing
Customer-initiated testing requires written agreement on scope, methodology and timing. NexWave can also help scope targeted application-layer testing.
Frequently asked questions
Short answers to the security questions that commonly appear in vendor reviews.
Does NexWave hold SOC 2 or ISO 27001 certification?
What certification or testing coverage applies?
How is NexWave-specific code reviewed?
Where is my data hosted?
Who can access my data inside NexWave?
Do you support single sign-on?
Can we run our own penetration test?
Do you define security response targets?
What happens to my data if we leave?
Got a security questionnaire?
Download the Security Overview or get in touch. We can work through provider certifications, application-layer security practices, tenant configuration and scoped testing requirements with you.