Security¶
Encryption¶
- In transit: All API traffic is served over TLS 1.2+.
- At rest: Buckets configured with
encryption: aes-256(see Configuration) are encrypted at rest using AES-256.
Webhook signing¶
Every webhook delivery is signed with HMAC-SHA256 so you can verify it actually came from Nimbus — see Webhooks → Verifying signatures.
API key handling¶
- Keys are only ever displayed once, at creation time — see API Keys.
- Keys can be scoped to
live,test, orreadonly— see Authentication → Key types. - Rotating a key keeps the old one valid for 24 hours to avoid downtime.
Compliance¶
| Certification | Status |
|---|---|
| SOC 2 Type II | Certified |
| GDPR | Compliant |
| HIPAA | Not currently supported |
Reporting a vulnerability¶
Email security@nimbus.example.com with details. We acknowledge reports
within 24 hours and do not pursue legal action against good-faith
security research.
Do not file security issues publicly
Please report vulnerabilities privately rather than as a public GitHub issue or support ticket.