Skip to content

Security

Encryption

  • In transit: All API traffic is served over TLS 1.2+.
  • At rest: Buckets configured with encryption: aes-256 (see Configuration) are encrypted at rest using AES-256.

Webhook signing

Every webhook delivery is signed with HMAC-SHA256 so you can verify it actually came from Nimbus — see Webhooks → Verifying signatures.

API key handling

  • Keys are only ever displayed once, at creation time — see API Keys.
  • Keys can be scoped to live, test, or readonly — see Authentication → Key types.
  • Rotating a key keeps the old one valid for 24 hours to avoid downtime.

Compliance

Certification Status
SOC 2 Type II Certified
GDPR Compliant
HIPAA Not currently supported

Reporting a vulnerability

Email security@nimbus.example.com with details. We acknowledge reports within 24 hours and do not pursue legal action against good-faith security research.

Do not file security issues publicly

Please report vulnerabilities privately rather than as a public GitHub issue or support ticket.