Security & Trust
Nexion sits on the critical path for regulated access—across consumer, fintech, and crypto products. We design and operate it like core infrastructure, with privacy and security built in from day one.
For data-flow diagrams and standards, see Privacy & Architecture; for regulatory framing and policy receipts, see Compliance.
Our security principles
Separate concerns by design
Defence in depth
Transparency with your team
Product and data model
The core security decision in Nexion is architectural: keep identity in a wallet users control, and make the verifier's world about policies, Pass/Fail outcomes, and receipts, not raw documents.
Wallet holds identity
- Government ID details and biometrics are processed during issuance and stored in the user's wallet.
- Wallets store verifiable credentials such as "over 18", "resident of country X", or "passed onboarding policy Y".
- During checks, only the attributes needed to evaluate the policy are used; full documents do not leave the device.
Your systems see decisions
- You define policies (for example, age, residency, eligibility, product-specific rules).
- For each request, you receive a Pass/Fail outcome plus a signed policy receipt suitable for your logs.
- Your logs stay focused on decisions and receipts, not a central archive of ID images.
For a deeper look at what data lives where, see What data lives where.
Application & infrastructure security
Nexion is built and operated with standard security controls you would expect from a verification and compliance dependency.
Access control & authentication
- Least-privilege access for internal systems and production data.
- Strong authentication for administrative access, including multi-factor requirements.
- Role-based access controls and approvals for sensitive operations.
Encryption & key management
- Encryption in transit using modern TLS for all external and internal connections.
- Encryption at rest for databases, storage, and backups.
- Separation of keys used for issuing credentials, verifying presentations, and signing policy receipts.
Secure development lifecycle
- Code review and change management for all production changes.
- Static and dynamic analysis, dependency scanning, and patch management.
- Configuration-as-code and repeatable environments to reduce drift and misconfiguration.
Environment isolation & monitoring
- Separation of development, staging, and production environments.
- Centralised logging and alerting around authentication, authorisation, and key operations.
- Controls around access to logs containing policy receipts and operational telemetry.
Compliance & governance
We treat attestations and governance as an ongoing program, not a one-time checkbox.
SOC 2 Type I
- SOC 2 Type I is in progress with external assessors.
- Once the report is available, we can share details under NDA with qualified customers and prospects.
- Controls in scope focus on security, availability, and confidentiality.
Policies and oversight
- Documented security, access, and incident response policies.
- Vendor due diligence and ongoing monitoring for critical third parties (for example, eKYC providers).
- Regular internal reviews of access, configuration, and audit logs.
Need specifics for a security review or questionnaire? Talk to us and we can provide details appropriate to your evaluation process.
Data protection & privacy
Nexion's privacy posture starts from the product architecture and continues through how we handle the data we do see.
Minimisation & retention
- Identity attributes and documents live in the wallet; we avoid centralising them at Nexion.
- Operational and configuration data is limited to what's required to run the service.
- Retention and deletion practices align with contractual and regulatory requirements.
Data subject rights & DPAs
- We support data subject rights workflows where applicable, in cooperation with our customers.
- Data Processing Agreements (DPAs) and security addenda are available for eligible customers.
- Our model is designed to make your own GDPR and privacy impact assessments easier to reason about.
For how these principles translate into concrete data flows, see the Privacy & Architecture page.
Availability & resilience
Because Nexion sits in front of sensitive and revenue-critical flows, uptime and graceful failure modes are part of the trust model.
Reliability practices
- Health checks and monitoring for core services and dependencies.
- Capacity planning and load testing around expected verification traffic.
- Backups and tested restoration procedures for critical configuration and key material.
Status & communication
- Public status page at /status for real-time service visibility.
- Incident communications focused on clear impact description and mitigation steps.
- Post-incident reviews with corrective actions folded back into engineering and operations.
Incident response
Despite preventive controls, we plan for the possibility of security or availability incidents and practise how we respond.
- Documented runbooks for security, availability, and integrity incidents.
- Centralised logging to support rapid investigation and scoping.
- Clear internal escalation paths, ownership, and communication channels.
- Customer notification obligations honoured based on contracts and applicable law.
Responsible disclosure
We welcome reports from security researchers and customers who help us keep Nexion safe.
- Security contact details and PGP information are published at /.well-known/security.txt.
- We ask researchers to avoid actions that could impact availability or compromise user data.
- Where appropriate, we provide acknowledgement for valid, responsibly disclosed reports.
Security & trust FAQ
Do you store ID documents or biometric data?
Nexion's model is designed so that identity documents and biometrics live in the user's wallet, not in a central store at Nexion. We process some information during issuance via trusted providers, but long-lived storage of IDs and biometrics is avoided by design. Your systems receive policy decisions and receipts, not copies of user documents.
What standards and attestations do you support?
Our architecture is aligned with wallet-based models such as EUDI, and we use standards like W3C Verifiable Credentials and OID4VP for proofs. From an internal-controls perspective, SOC 2 Type I is in progress with external assessors. As our program evolves, we will make additional attestations available to qualified customers under NDA.
Can we review your security posture as part of vendor due diligence?
Yes. We expect security and risk review as part of onboarding. We can provide high-level architecture documentation, responses to security questionnaires, and—for eligible customers—reports and addenda under NDA.
How does Nexion impact our own compliance obligations?
Nexion is not a substitute for your own compliance program, but it is designed to make enforcement and evidence easier. Policy receipts give you a clear record of what you checked and when, while the wallet model reduces how much identity data you directly control. Your legal and compliance teams remain responsible for interpreting and meeting your obligations.