Safety & Compliance

Last updated: March 2026

ChatNexus (chatnexus.cloud), operated by CHISTY DIGITAL FORGE (ABN: 25 864 140 160), a sole trader based in Sydney, NSW, Australia, is designed with safety, transparency, and responsible AI use at its core. This page outlines our security practices, safety controls, and compliance commitments.

1. Security Practices

1.1 Encryption

  • Data in transit: TLS 1.2+ on all connections.
  • Data at rest: AES‑256 encryption for stored data.
  • API keys: Application‑level encryption (AES‑256‑CBC via Laravel's Crypt facade) for all LLM provider API keys.

1.2 Access Controls

  • Role‑based access control (RBAC) across the platform.
  • MFA enforced for internal systems and administrative access.
  • Principle of least privilege applied to all service accounts.

1.3 Logging & Monitoring

  • Immutable audit logs for access, changes, and compliance events.
  • Automated anomaly detection on infrastructure.
  • Incident response procedures with defined escalation paths.

1.4 Secure Development

  • Code reviews required for all changes.
  • Dependency scanning and automated vulnerability detection.
  • Security patching on a regular cadence.
  • Staging environment isolation — no customer data in development.

2. Data Handling

2.1 No Training on Customer Data

We do not use Customer Content or chat messages to train internal models. Your data is used only to provide the service to you. Third‑party LLM Providers may have their own data handling policies — you are responsible for reviewing them.

2.2 Data Retention

  • Primary account data deleted within 30 days of account closure.
  • Backups containing deleted data purged within 90 days.
  • Billing records retained for up to 7 years as required by Australian tax law.

2.3 Third‑Party Providers

We use reputable infrastructure and LLM providers, each bound by contractual safeguards:

  • LLM Providers: OpenAI, Google Gemini, Anthropic, Groq, xAI
  • Infrastructure: Render (hosting), Neon (database)
  • Payments: Stripe (PCI‑DSS compliant)
  • Email: Resend (transactional email)

3. Responsible AI

3.1 High‑Risk Use Restrictions

We prohibit the use of ChatNexus for medical, legal, or financial advice; life‑critical systems; surveillance; weapons; and deceptive or manipulative use. See our High‑Risk Use Policy for full details.

3.2 Human‑in‑the‑Loop (HITL)

We strongly recommend human‑in‑the‑loop review for:

  • Customer‑facing agents handling important enquiries.
  • Any agent producing consequential outputs (decisions, recommendations, actions).

3.3 Transparency Requirements

Customers deploying agents must:

  • Disclose the use of ChatNexus and the relevant LLM provider in their privacy policy.
  • Obtain End‑User consent for data collection through the agent.
  • Maintain their own Privacy Policy covering the data their agent collects.

4. Incident Response

In the event of a security incident:

  • Affected account holders will be notified by email within 72 hours of the incident being confirmed.
  • Notifications will include: the nature of the incident, categories of data involved, likely consequences, and measures taken.
  • Where the breach involves data processed on behalf of a customer (e.g. end‑user chat messages through an embedded widget), we will also notify the affected customer to support their own notification obligations.

5. Compliance Roadmap

We are actively working toward the following compliance milestones:

  • SOC 2‑aligned controls: implementing organisational and technical controls aligned with the SOC 2 Trust Services Criteria.
  • ISO 27001‑aligned processes: establishing information security management processes aligned with ISO 27001.
  • Expanded audit logging: enhanced compliance event logging with long‑term retention.
  • Optional regional data routing: the ability for customers to choose data residency regions for processing.

6. Related Policies

7. Contact

For questions about our security practices or compliance, contact us:

ChatNexus

Sole trader, Sydney, NSW, Australia

Email: support@chatnexus.cloud