NEXUS · DSP is Cyber Essentials certified by The IASME Consortium, NCSC partner. Every customer's data is row-level isolated at the database layer; every transport is TLS 1.3; every file is AES-256 at rest; every log is preserved for audit. Hosted in the EU on SOC 2-audited infrastructure. Coordinated disclosure welcomed at security@nexusdsp.ai.
This is the full technical account. Certification ID is published below. Any DSP's compliance team can verify it independently with IASME before proceeding.
VELLOX LTD is certified under the UK National Cyber Security Centre's Cyber Essentials scheme. The certificate was issued by The IASME Consortium Ltd, an NCSC Cyber Essentials Partner, on 13 April 2026, and is valid for twelve months. The scope is whole-organisation: every system, every endpoint, every member of staff is in scope.
The five controls covered by the scheme are: firewalls, secure configuration, user access control, malware protection, and security update management. Our assessment was carried out by Astrix Information Security Ltd against IASME Willow v15.1, the current live question set at the time of assessment.
Anyone can verify the certificate independently at the IASME registry. The verification link is in the badge above. No account needed.
All traffic between your browser and NEXUS is encrypted using TLS 1.3, falling back to 1.2 only where the client cannot negotiate 1.3. Older protocols are disabled at the edge. HSTS is enforced.
All data at rest is encrypted using AES-256 — the database, the file storage, the backups. This is handled at the infrastructure layer by Supabase and AWS and is non-negotiable: data cannot be written to disk unencrypted.
Passwords are never stored. They are hashed using Argon2id, the current OWASP-recommended algorithm, with parameters tuned to contemporary hardware.
NEXUS is multi-tenant: every DSP that uses the platform shares the same physical database. That is cheaper and faster than per-customer deployments. It is also the place where most multi-tenant SaaS platforms fail.
We enforce isolation at the database layer using PostgreSQL row-level security (RLS). Every table that holds customer data has RLS enabled. Every query is filtered by org_id at the database, not by application code that might have a bug. This is true for the platform, the driver application, and every background job.
Within an organisation, access is further scoped by station. A manager assigned to stations A and B cannot see data for station C, even if they are in the same DSP.
This architecture is verified by an automated test suite that runs on every commit to our main branch. A pull request that would break isolation cannot merge.
Every authentication page is protected by Cloudflare Turnstile. Automated sign-in attempts are rejected before they reach our servers. Human users are not shown a CAPTCHA; Turnstile runs invisibly.
Every authentication endpoint is rate-limited using Upstash Redis sliding-window counters. Repeated failed sign-in attempts from the same IP or against the same account are throttled progressively. After enough failures, the address is temporarily blocked at the edge.
Cloudflare's leaked-credentials detection blocks sign-in attempts that use passwords known to have appeared in public data breaches. Users whose passwords are compromised elsewhere cannot sign in until they reset.
Multi-factor authentication (TOTP) is available to all users and enforced for privileged roles. It works with any standard authenticator app — Google Authenticator, Microsoft Authenticator, 1Password, Authy, Bitwarden.
All new team members are added by invitation only. There is no public self-signup route that would let an outsider join an existing organisation.
Every layer of the stack is provided by an audited infrastructure partner:
All database and file storage is hosted in EU-West-1 (Republic of Ireland). All backups are also held in EU-West-1. No customer data is stored in the United States. Some edge services (Cloudflare network, Resend delivery) operate globally, but payloads at the edge are encrypted and transient.
Files uploaded to NEXUS — Amazon scorecards, concession reports, weekly CSVs — are never parsed in your browser. Parsing runs on the server, inside isolated Trigger.dev containers, with a strict timeout and resource budget.
Every upload is checked by magic-byte validation: the file is opened and its first few bytes are compared against the claimed file type. A file renamed from .html to .csv is rejected.
HTML reports from Amazon are sanitised before processing: scripts, iframes, event handlers, and data-URI references are stripped. The sanitiser runs before any layout engine is invoked.
Data exports are protected against spreadsheet-formula injection: any field that begins with =, +, -, or @ is prefixed with a single quote so Excel and Numbers will treat it as text.
File size limits are enforced at ten megabytes per file. Every parse route validates the Content-Type header and returns HTTP 415 on anything else.
Every action on the platform is logged — sign-ins, uploads, exports, settings changes, invitations, deletions. Each log entry records the actor, the action, the IP address, the user-agent, and a severity level (info, warning, critical).
Account administrators can browse the audit trail directly from the platform with filters by actor, action type, and severity. A filtered export is one click away.
Audit logs are retained for 36 months. Sentry error events are retained for 90 days. The retention schedule for every category of data we hold is published in our Data Retention Policy.
Database backups are taken continuously and retained for 7 days through Supabase Pro's Point-in-Time Recovery. In the event of a disaster, we can restore the database to any moment within that window — not just the last nightly snapshot.
All backups are encrypted at rest with AES-256 and stored in the same EU-West-1 region as the primary database. There is no cross-region replication to the US, UK, or any non-adequate jurisdiction.
Backups are not a retention extension: data deleted from the live database will naturally expire from backups within 7 days.
If you believe you have found a security vulnerability in NEXUS · DSP, please report it to security@nexusdsp.ai. We will acknowledge the report within one working day.
We ask that you give us reasonable time to investigate and fix before any public disclosure. In return, we will treat reports in good faith, thank you in release notes (with your consent), and not pursue legal action against good-faith researchers who comply with coordinated disclosure.
We do not currently run a paid bug-bounty programme but we expect to introduce one in the second half of 2026. Reports submitted now will be credited if and when that happens.
NEXUS · DSP is operated by VELLOX LTD, a private company registered in England and Wales under number 17136312. Registered office: Cranberrie Heights, Old Newport Road, Old St Mellons, Cardiff CF3 5FX.
VELLOX LTD is registered with the Information Commissioner's Office as a data controller under reference ZC115373 (Tier 1), valid to 2 April 2027. We have appointed a Data Protection Officer as required by UK GDPR Article 37.
We process personal data in accordance with the UK GDPR and the Data Protection Act 2018. Our handling of personal data is detailed in our Privacy Policy. Our cookie use is detailed in our Cookie Policy. Our retention practices are published in our Data Retention Policy.
NEXUS DSP™ is a UK trade mark of VELLOX LTD, registered in Classes 9 and 42.
For security vulnerabilities and coordinated disclosure: security@nexusdsp.ai
For data-protection and DPO enquiries: dpo@nexusdsp.ai
For general enquiries about this page: legal@nexusdsp.ai
VELLOX LTD, company number 17136312, registered in England and Wales. Registered office: Cranberrie Heights, Old Newport Road, Old St Mellons, Cardiff CF3 5FX. ICO registration: ZC115373.
See also — Privacy Policy · Terms of Service · Cookie Policy · Data Retention