Security

We build security into our systems, processes, and culture. We understand that you are trusting us with your data, and we take the responsibility of securing it extremely seriously. We take reasonable steps to ensure the reliability of our employees and other personnel who have access to sensitive data, including conducting appropriate background and/or verification checks.

Infrastructure

System architecture

Nectar’s architecture is designed to be secure and reliable. We use an n-tier architecture with firewalls between tiers and, within certain tiers, between services. Services are accessible only by other services that require access. Access keys are rotated regularly and stored separately from our code and data.

Data Centers

Our application is hosted and managed within Google Cloud Platform (GCP) secure data centers. These data centers have been accredited under:

  • ISO 9001:2015
  • ISO/IEC 27001
  • ISO/IEC 27017
  • ISO/IEC 27018
  • ISO/IEC 27110
  • ISO/IEC 27701
  • SOC 1
  • SOC 2
  • SOC 3

We make extensive use of the capabilities and services provided by GCP to increase privacy and control network access throughout our system. Documents that provide more details about GCP security are available at Google Security Whitepaper.

Data storage

Nectar data stores are accessible only by servers that require access. Access keys are stored separately from our source code repository and only available to the systems that require them.

Backups

We maintain secure encrypted backups of important data for one year. We do not retroactively remove deleted data from backups, as we may need to restore it if it was removed accidentally. Backup data is fully expunged after one month.

Corporate network

Nectar runs a zero-trust corporate network. There are no corporate resources or additional privileges from being on Nectar’s corporate network.

Safeguards

Vulnerability scans and pentesting

Nectar uses security tools to regularly scan for vulnerabilities. Additionally, vulnerabilities in third-party libraries and tools are monitored and software is patched or updated promptly when new issues are reported.

The system regularly undergoes third-party security reviews and penetration testing to identify potential vulnerabilities and ensure that they are addressed.

Firewall

Our servers are protected by firewalls and not directly exposed to the Internet.

Logs

We aggregate logs to secure encrypted storage. All sensitive information (including passwords, API keys, and security questions) is filtered from our server logs. Log data is fully expunged after 60 days.

Security Training and Confidentiality

Nectar has mandatory, regular security training programs for all Nectar employees. Nectar also has all employees sign confidentiality agreements.

HTTPS

All Nectar web traffic is served over HTTPS. We force HTTPS for all web resources, including our REST API, web app, and public website. We also use HSTS to ensure that browsers communicate with our services using HTTPS exclusively.

Encryption

Our primary databases, including backups, are fully encrypted at rest. Our archives and logs are also fully encrypted at rest. We use industry standard encryption algorithms with a minimum strength of AES-256.

Authentication and Privacy

Passwords

Passwords are never stored in a form that can be retrieved. Instead, we store an irreversible cryptographic hash using a function specifically designed for this purpose. Authentication sessions are invalidated when users change key information and sessions automatically expire after a period of inactivity.

Secure single sign-on

Nectar supports several secure single sign-on (SSO) standards and providers, including SAML, PingIdentity, OpenID, and Azure.

User roles

We provide multiple user roles with different permission levels within the product. Roles range from account admins to users. In critical systems we practice the principle of least privilege.

Reliability and Compliance

Policies

Nectar has developed a comprehensive set of security policies that cover a range of topics. These policies are updated regularly and shared with our employees. Please see our Privacy Policy to learn more.

SOC 2

Nectar is currently in the process of becoming SOC 2 Type 2 certified. Our staff and product are undergoing rigorous security screening to ensure the security and confidentiality of user data.

GDPR

We follow the EU’s General Data Protection Regulation (GDPR).

PCI compliance

All credit card payments paid to Nectar go through Stripe, our payment processing partner. Details about their security posture and PCI compliance can be found at Stripe’s Security page.

Failover and disaster recovery

Nectar is built for fault tolerance. Each of our services is fully redundant, with replication and failover. Services are distributed across multiple AWS availability zones. These zones are hosted in physically separate data centers, protecting services against single data center failures.

Incident response

Nectar maintains an incident response plan that includes procedures to be followed in the event of an unauthorized disclosure of data or other security incident.

Disclosure

If you have any concerns or discover a security issue, please email us at [email protected] and we will quickly investigate. We request that you do not publicly disclose any issue you discovered until after we have addressed it.