Learn about the Security and Compliance of the Nexus Platform
Will there be any Personally Identifiable Information (PII) or sensitive data stored on the system?
All sensitive data, including PII, is handled in accordance with GDPR. The Hexagon MI Privacy Notice is published at https://hexagon.com/legal/mi-privacy-notice.
Which vendors does Nexus use for cloud storage? What regions or locations are supported by Nexus?
Nexus is currently deployed in Microsoft Azure and is globally available with regional support. The Nexus roadmap includes deployment into other Cloud providers and will be multi-cloud.
What backend storage technologies does Nexus use?
Nexus uses Azure CosmosDB for MongoDB and ElasticSearch, among others. Nexus can support a large number of additional data sources.
What Identity and Access Management (IAM) does Nexus use?
Nexus enforces Role-based Access Control (RBAC).
What security standards does Nexus meet?
Nexus is ISO 27001 and TISAX compliant. Microsoft Azure is also ISO 27001, SOC 2, and FedRAMP compliant.
Does Nexus include Business Continuity and Disaster Recovery Plans?
Yes. Business Continuity and Disaster Recovery Plans are in place and approved by the key stakeholders.
How does Nexus fit with other related architectures and products such as model driven architecture, event driven architecture, complex event processing, business rule process, and business process management?
Nexus Architecture is a model-driven architecture with support for distributed data services, event-driven services, and workflow-driven services.
For the application environment, is your design comprised of multi-tier/layer security architecture segmentation (e.g. Web/Presentation, Application/Logic, Database/Data etc.)?
Nexus is a multi-tier architecture protected with best-practice architecture and controls.
How does Nexus ensure protection against viruses?
Nexus uses state-of-the-art continuous malware scanning, real-time intrusion and malware detection, and container scanning.
How is system auditing implemented in Nexus? Is this server side or client side?
All system auditing is managed in the cloud. System events and application events are logged to persistent storage and are only accessible to users with the proper security role.
How does Nexus handle evaluation of third-party applications?
Nexus adopts a Secure Software Development Lifecycle (SDLC) model. As part of that, we conduct security testing (SAST, SCA, and DAST).
Are your systems subjected to penetration testing? Is testing performed by internal personnel or outsourced? When was the last penetration test?
Application penetration testing is done by a third party, as required by our security policy.
Are you using an industry-standard canonical message model?
Nexus supports many different canonical models.
What kind of experience do you have in managing threat detection and traffic management as part of using an API gateway?
Nexus uses a layered security approach to provide 24x7 monitoring by our SOC.
As part of inbound API integrations to your solution, how are you protecting the exposed services against threats?
All endpoints are authenticated by OAuth2.0 and require a Nexus SSO token. There are no anonymous endpoints.
How are you governing the APIs?
All APIs will pass through an Application Gateway to enforce minimum requirements (such as rate-limiting and quota management), as well as logging and analytics of API metrics.
What is the run-time framework for the application?
Nexus is built on containerized services that are stateless. The persistent storage is decentralized and geo-replicated.
Does the staff assigned with responsibilities for carrying out tasks identified in the Business Continuity and IT Disaster Recovery plans receive appropriate training?
Nexus employees are trained annually on Business Continuity and Disaster Recovery policy and procedures.
For the application environment, when the application receives external files or bulk data import [e.g. SFTP] from an outside customer, is it scanned for malware with anti-virus/anti-malware software solutions before allowing it into the application environment?
Yes, all external files that are imported into Nexus are scanned for malware.
For the application environment, is vulnerability scanning done on golden system baseline images, and if vulnerabilities are identified, are they remediated prior to its use?
Yes, all code is scanned on every build pipeline at check-in time and is required to pass before it can be deployed.
For applications developed in a third-party's environment, do third-parties have documented procedures for responding to actual and potential security events (e.g. exposure, breach or theft of customer Information or systems which process or store customer information)?
Nexus has an incident response team and a Security Operation Center monitoring the application environment 24/7. Nexus' hosting partner is SOC Type 2 certified and meets these requirements.
For applications developed in a third-party's environment, do you request or have in plan to request proof of vulnerability scans and penetration tests of third-party information systems which contain customer information periodically?
Yes, all third-party developers will be required to show proof of vulnerability scans and penetration tests.
For the application environment, do incident response plans exist to ensure that responsible personnel are alerted of suspected compromises in a timely manner so they can take appropriate action?
Yes, Nexus has an incident response team and a Security Operation Center monitoring the application environment 24/7.
How do you protect your systems against vulnerabilities and threats?
Vulnerability scans are performed during build time and are continuously run on the deployed environments.
How do I know my data is protected against physical and environmental threats?
Nexus uses cloud providers that adhere to strict guidelines for physical and environmental integrity. Hexagon restricts all access to data: multi-factor authentication is required, and privileged identity management is used to request any escalation of privilege. All data access is logged and audited regularly.
Do you have separate administrative/privilege accounts and user accounts?
Yes, Nexus uses a role-based approach to access.
© 2024 Hexagon AB and/or its subsidiaries