Enterprise-grade security, built in.
How NexWave protects your business data, end to end. Independently certified hosting, encrypted communication, granular permissions and a full audit trail of every action.
Certified Infrastructure
Independently audited hosting
NexWave runs on cloud infrastructure that holds the certifications most security teams look for. The reports below are issued by accredited third parties and refreshed on a published cycle.
SOC 2 Type II
Audit period 1 June 2024 to 31 May 2025. Covers the Security, Availability and Confidentiality Trust Services Criteria for the cloud hosting layer NexWave runs on.
ISO 27001:2022
Information Security Management System certified by ISOQAR. Covers the engineering, customer support and partnership functions that develop and operate the NexWave platform.
ISO 9001:2015
Quality Management System certification, supporting evidence of a documented management system, continuous improvement processes, and customer satisfaction practices.
GDPR Compliant
Data handling practices aligned with the EU General Data Protection Regulation, including data subject access, deletion and portability rights.
Detailed audit reports and certificates are available to qualified prospects and customers on request through your NexWave account team.
Powered by AWS
NexWave runs on Amazon Web Services, the world's most comprehensive and widely adopted cloud platform. Your tenant can be pinned to a specific AWS region at provisioning, including Sydney (ap-southeast-2) for ANZ data residency, with 12 other regions available globally.
The underlying infrastructure scales elastically based on load, so performance stays consistent through peak periods and resource use stays efficient through quieter ones. The hosting layer is operated by Frappe Technologies (SOC 2 Type II, ISO 27001:2022) on AWS, with active infrastructure monitoring at the platform layer.
Elastic Scaling
Capacity expands and contracts with demand. No fixed-size servers, no scaling work for the customer.
Regional Hosting
Choose your AWS region at provisioning. Sydney for ANZ; 12 other regions worldwide.
Your data, isolated
Tenants are logically separated at every layer of the stack. For customers with stricter requirements, single-tenant infrastructure is also available.
Standard Tier
Logical isolation per tenant on shared infrastructure. The default for most customers.
- Dedicated database per tenant
- Dedicated file storage per tenant
- Separate user pool, credentials and session store
- No cross-tenant data access path
Dedicated Server
Single-tenant AWS instance. No infrastructure shared with other customers.
- Your tenant on its own AWS instance
- AWS-native at-rest encryption configurable at provisioning
- Independent backup and restore cadence
Bring Your Own Server
Run NexWave inside your own AWS account. Full control of the underlying infrastructure.
- Your AWS account, your VPC, your billing
- EBS and RDS encryption with KMS-managed keys
- Direct integration with your existing AWS controls and logging
Encryption everywhere your data moves
NexWave applies industry-standard encryption to every layer where your business data is stored, transmitted or shared. Cryptographic operations use vetted algorithms and managed keys, with the option to step up to customer-managed keys on the dedicated and BYOS tiers.
In transit
All customer traffic is encrypted with TLS 1.2 or higher. Administrative access to underlying servers uses certificate-based SSH; passwords are not accepted.
Secrets at rest
User passwords are hashed with modern algorithms. Application secrets, API keys, OAuth tokens and third-party connector credentials are stored encrypted, never returned through APIs, and decrypted only at point of use.
Storage layer (dedicated and BYOS)
On the dedicated server and BYOS tiers, AWS-native at-rest encryption (EBS and RDS encryption with KMS-managed keys) can be configured at provisioning. Customer-managed keys are supported.
Backups
Offsite backups are taken daily with multi-tier retention (daily, weekly, monthly, yearly). Backup encryption (AES with HMAC) is configurable and is enabled for customers whose security policy requires it.
Secure Development Lifecycle
Security is a checked control at every stage of the build pipeline, not an afterthought before release.
Peer code review
Every change is reviewed by a second engineer before it can merge. No solo merges to release branches.
AI-assisted security review
An AI reviewer runs alongside every pull request, flagging injection risks, broken access checks, secret leakage and unsafe deserialisation patterns before the human reviewer sees them.
Static analysis (SAST)
Semgrep runs in CI on every pull request with our platform's security rulesets and language-correctness checks. Findings are triaged before merge; intentional exceptions are reviewed and documented.
Dependency vulnerability scanning
GitHub Dependabot continuously alerts on vulnerable third-party packages across every repository. pip-audit complements this in CI for our Python dependency tree.
CI test gating
Unit and integration tests run on every pull request. Changes do not merge until all automated tests pass.
Manual QA
Higher-risk changes go through a dedicated QA pass in addition to developer testing, exercising the same flows a customer would.
Open core. Many eyes on the code.
NexWave is built on a fully open-source ERP core, hardened across many years and many customers worldwide. Tens of thousands of developers actively read, review and contribute to the codebase. From a security standpoint, that is a substantive control, not just a marketing line.
- Continuous external review: vulnerabilities are reported through a public security-advisory process and patched in the open. Researchers worldwide examine the code without needing an NDA.
- Independent code audit: your IT or risk team can inspect the underlying code directly. No black-box dependencies; no surprise behaviour locked behind proprietary binaries.
- No vendor lock-in: if your circumstances change, your data and the platform itself remain portable. The code is yours to inspect, archive and run.
- Rapid response: advisories from upstream are tracked and patched in customer instances on the upstream cadence, not on a multi-month vendor release cycle.
Application security controls
Security primitives are built into the platform itself. Every NexWave deployment ships with these available out of the box; tenant administrators configure them to match their policy.
Role-based access control
Permissions at the role, document and field level. Users see only the records and fields their role grants them.
Two-factor authentication
2FA and one-time passwords are built in. Enforceable at the role level, including required-for-privileged-roles policies.
IP-based access restriction
Per-user IP allow-listing, useful for restricting administrative accounts to your corporate network or VPN.
Password policies
Configurable minimum length, complexity, history and expiry. Passwords are hashed with modern algorithms.
Session management
Configurable session timeout and idle expiry. Active sessions can be viewed and revoked per user.
API rate limiting
Uniform rate limiting across all platform endpoints, including any customer-specific endpoints added during implementation.
Full audit trail
Every meaningful action in NexWave is recorded with the user, the change and the timestamp. Investigation, dispute resolution and forensic reconstruction work on real data, not best guesses.
Activity log
Significant user actions are recorded with the user, timestamp and outcome. Includes logins, document operations and key configuration changes.
Route history
Navigation events are captured per user, supporting reconstruction of what a user accessed within the application.
Document timeline
Every business-critical record (sales orders, invoices, stock movements, payments and more) carries a timeline of every change, with the user who made it and when.
Document version tracking
Prior versions of records are retained, allowing reconstruction of the full change history if needed.
Incident response & breach notification
Our cloud infrastructure provider operates a documented incident response programme as part of its ISO 27001 and SOC 2 controls, with detection, triage, containment, customer notification and post-incident review built in.
For incidents affecting customer data on a NexWave tenant, we coordinate with the infrastructure response team and notify our customers directly with what we know and what we are doing about it.
72-hour notification commitment
In the event of a confirmed breach affecting your data, we notify the nominated security contacts without undue delay, and in any event within 72 hours of becoming aware. The notification includes the information available at that point, even if the investigation is still in progress.
Post-incident report
Once the investigation closes, we share a written post-incident report covering what happened, impact assessment, remediation steps and corrective actions.
Independent third-party VAPT
The cloud platform NexWave runs on is subject to periodic third-party penetration testing (VAPT), with executive summaries available to customers under NDA. Additional application-layer testing can be scoped against your specific tenant if required.
Frequently asked questions
The shorthand answers to the questions that turn up in most security questionnaires.
Where is my data hosted?
Who can access my data inside NexWave?
Can I get a copy of your SOC 2 Type II report?
Do you support single sign-on (SSO)?
Can we run our own penetration test against our tenant?
What happens to my data if we leave?
How are subprocessors managed?
Got a security questionnaire?
We have answered most of them. Download our Security Overview or get in touch directly; we will work through your questions with you.