Trust & Security
Last reviewed: 8 May 2026
Nomads Community is built on enterprise-grade infrastructure. Tenant data is isolated by row-level-security policies enforced in the database, encrypted at rest with AES-256, and encrypted in transit with TLS 1.2+. We are investing in a 6 to 12 month roadmap toward formal SOC 2 Type II certification, with SSO, SCIM, MFA, and audit logging as the near-term milestones. We support enterprise clients today and adapt to specific compliance requirements (GDPR, ISO 27001, SOC 2) as they are requested.
What is in place today
Authentication
- Sign-in: passwordless magic link by default; email + password supported
- Sessions: HTTP-only, Secure, SameSite cookies, server-validated on every request
Encryption
- At rest: AES-256 across the database (Supabase) and file storage (Cloudflare R2)
- In transit: TLS 1.2+ on all client, server-to-database, and server-to-storage connections
Tenant isolation
- Database: row-level-security (RLS) policies on every tenant table
- Trust model: two-tier client architecture. A user-scoped client (subject to RLS) serves normal reads and writes; the service-role client (which bypasses RLS) is used only inside server actions, and only after an explicit role check
- Audit trail: append-only audit log of sensitive actions (org/profile/KB/initiative changes); reads gated to platform admins
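The isolation and audit-trail model described above, written out as an added example in PostgreSQL. This is illustrative code, not the project's own schema. It assumes Supabase's `auth.uid()` helper and its standard `authenticated` and `service_role` database roles; the table names (`initiatives`, `org_memberships`, `audit_log`) and the membership role values (`client_lead`, `team_lead`, `member`) are assumptions chosen to mirror the per-org roles listed on this page.

```sql
-- Assumed schema (illustration only): one tenant table plus the membership
-- table that decides which org a user may see.
create table org_memberships (
  org_id  uuid not null,
  user_id uuid not null,
  role    text not null check (role in ('client_lead', 'team_lead', 'member')),
  primary key (org_id, user_id)
);

create table initiatives (
  id       uuid primary key default gen_random_uuid(),
  org_id   uuid not null,
  title    text not null,
  owner_id uuid not null default auth.uid()
);

-- Users may only read their own membership rows. The helper below is
-- SECURITY DEFINER so policies on other tables can consult memberships
-- without being blocked by this policy.
alter table org_memberships enable row level security;
create policy memberships_select_self on org_memberships
  for select to authenticated
  using (user_id = auth.uid());

create function is_org_member(target_org uuid) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from org_memberships m
    where m.org_id = target_org and m.user_id = auth.uid());
$$;

create function is_org_lead(target_org uuid) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from org_memberships m
    where m.org_id = target_org and m.user_id = auth.uid()
      and m.role in ('client_lead', 'team_lead'));
$$;

-- Tenant isolation: with RLS enabled and no matching policy, the user-scoped
-- client sees zero rows. FORCE applies the policies to the table owner too.
alter table initiatives enable row level security;
alter table initiatives force row level security;

create policy initiatives_select on initiatives
  for select to authenticated using (is_org_member(org_id));

-- WITH CHECK stops a lead from inserting, or moving, a row into an org
-- they do not lead; USING limits which existing rows they can touch.
create policy initiatives_insert on initiatives
  for insert to authenticated with check (is_org_lead(org_id));
create policy initiatives_update on initiatives
  for update to authenticated
  using (is_org_lead(org_id)) with check (is_org_lead(org_id));
create policy initiatives_delete on initiatives
  for delete to authenticated using (is_org_lead(org_id));

-- Append-only audit log. No policy is created for authenticated, so the
-- user-scoped client can neither read nor write it; the server appends
-- through service_role, which bypasses RLS. Reads for platform admins are
-- gated in the server layer and are not shown here.
create table audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid,
  action      text not null,
  target      text not null,
  details     jsonb
);
alter table audit_log enable row level security;

-- Append-only is enforced twice: at the privilege level for the app roles...
revoke update, delete, truncate on audit_log from public, anon, authenticated;

-- ...and with a trigger, so that even service_role (which bypasses RLS but
-- not triggers) cannot rewrite or remove history.
create function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only';
end $$;

create trigger audit_log_no_rewrite
  before update or delete on audit_log
  for each row execute function audit_log_immutable();
```

Two checks worth running against a real deployment of this pattern: connect with a plain `authenticated` JWT and confirm `select count(*) from initiatives` returns only rows for orgs the user belongs to, and attempt an `update audit_log set action = 'x'` as `service_role` and confirm the trigger raises.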
Access control
- Roles: platform-level Super Admin · Admin · Member; per-org Client Lead · Team Lead · Member
- Document signing: NDA + Frame Agreement must be signed before member-area access; signed PDFs are audited (IP, user agent, timestamp)
Operational
- Backups: Supabase automatic daily backups; point-in-time recovery available
- Versioning: Cloudflare R2 versioning available for file storage
- Vulnerability scanning: Dependabot dependency scanning + manual review of major version bumps
- Network: Vercel edge with DDoS protection, automatic HTTPS, geo-distributed CDN, and BotID + WAF for bot mitigation
Application security
- OWASP Top 10: framework defaults in Next.js, Supabase, and React mitigate XSS, CSRF, and SQL injection
- Input validation: all user input validated server-side via Zod schemas
- File uploads: type validation, size limits, content-type enforcement
- Secrets: no client-side secrets; all sensitive operations run on the server (Server Actions or API routes using a server-only client)
Subprocessors
Nomads Community uses the following subprocessors to deliver the platform. Each is itself certified to the standards listed below; data processing agreements are available on request.
| Subprocessor | Purpose | Compliance |
|---|---|---|
| Supabase | Database, auth, storage | SOC 2 Type II, GDPR |
| Vercel | Hosting, edge compute | SOC 2 Type II, ISO 27001 |
| Cloudflare R2 | File and asset storage | SOC 2, ISO 27001, GDPR |
| Resend | Transactional email | SOC 2, GDPR |
| Anthropic / OpenAI | AI models, per-tenant scoped | SOC 2, GDPR |
| HubSpot | CRM sync | SOC 2 Type II, GDPR |
| Harvest | Time tracking | SOC 2, GDPR |
| Dropbox | Document sync | SOC 2 Type II, ISO 27001, GDPR |
| Slack | Team messaging | SOC 2 Type II, ISO 27001, GDPR |
| Sanity | CMS (changelog content) | SOC 2 Type II, GDPR |
Roadmap
We document the trajectory rather than overselling where we are. If your organisation has specific requirements ahead of these timelines, get in touch.
Phase 1 — Foundational
- MFA via Supabase TOTP: time-based one-time codes for all users
- Public Trust Center: you are reading it; this page expands quarterly
- Audit log: append-only trail of sensitive actions
Phase 2 — Pre-enterprise-rollout
- SSO (SAML 2.0 / OIDC): native integration with corporate IdPs
- SCIM 2.0 provisioning: auto-provision and deprovision tied to corporate IdPs
- Active session management: view and revoke per-device sessions
- GDPR data export: self-serve per profile and per organisation
- SOC 2 Type II readiness: 12-month observation window begins
- DPIA / GDPR documentation: customer-accessible documentation
Phase 3 — Enterprise-grade
- SOC 2 Type II audit: formal certification
- Annual third-party pen test: Cure53 / Trail of Bits / NCC Group
- ISO 27001: for EU-anchored enterprise clients
- Hardened CSP: nonce-based script policy
Contact
For security questions, vulnerability reports, or enterprise compliance discussions:
For data subject access requests, deletions, or other privacy enquiries: