Security & Compliance
Factual information about how Nectis protects your data. This page is written for procurement officers, IT security teams, and data protection officers.
Data Protection
GDPR compliant
Nectis processes personal data in accordance with the UK GDPR and the Data Protection Act 2018. We act as a data processor on behalf of the organisations that license the platform.
UK/EU data residency
All application servers, databases, and caches are hosted in EU regions (Netherlands). No personal data is transferred outside the UK/EEA for processing or storage.
Encryption in transit and at rest
All connections use TLS 1.2 or higher. Database storage is encrypted at rest. Sensitive credentials (OAuth tokens) use application-level encryption via Rails 7 ActiveRecord Encryption.
Data Processing Agreement
A Data Processing Agreement (DPA) is available on request for all licensed organisations. Contact [email protected] to request a copy.
Sub-processors
The following third-party services process data on behalf of Nectis:
| Service | Purpose | Location |
|---|---|---|
| Railway | Application and database hosting | EU (Netherlands) |
| Cloudflare | CDN, DDoS protection, DNS | Global (nearest edge) |
| Brevo | Transactional email delivery | EU (France) |
| Redis | Session and cache storage | EU (Netherlands) |
Infrastructure
Hosting
Railway cloud infrastructure, EU region (Netherlands). Containerised application with automated deployments.
Database
PostgreSQL 16 with encryption at rest. Separate statistics database for analytics workloads.
CDN & DDoS Protection
Cloudflare provides edge caching, DDoS mitigation, and TLS termination. HTTPS is enforced on every connection. Minimum TLS 1.2.
Backups
Database backups managed by Railway infrastructure. Data stored in EU region.
Uptime
99.9% uptime target. Monitored by UptimeRobot with 5-minute HTTP health checks. A public status page is available.
Caching
Redis 7 for session storage and application caching. Password-protected, hosted in the same EU region as the application.
Access Control
Role-based permissions
Access is scoped by role. Users can only see data relevant to their position within the organisation hierarchy.
| Role | Data access |
|---|---|
| Individual | Own data, own assessments, own network maps |
| Manager | Project-level data across assigned projects |
| Fund Manager | Read-only portfolio view across funded projects |
| Administrator | Organisation-wide configuration and user management |
Authentication
- Session-based authentication via Devise (industry-standard Rails authentication)
- Cloudflare Turnstile challenge on login and registration to prevent automated attacks
- CSRF protection on all form submissions
- Passwords hashed using bcrypt
OAuth integrations
Optional Slack and Microsoft integrations request only the minimum permissions required (read-only access to contact data for network import). OAuth tokens are encrypted at the application level and can be revoked at any time by the user.
Application Security
- Automated security scanning with Brakeman (static analysis) on every deployment
- Content Security Policy headers to prevent XSS and code injection
- Pundit authorization framework with default-deny policies on all resources
- Database query timeouts (30s statement, 5s lock) to prevent denial-of-service via slow queries
- Dependency vulnerability scanning via automated CI checks
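The default-deny Pundit policies listed above and the role table under Access Control describe the same mechanism; the following is an added illustration of it, not Nectis code, written in the plain-Ruby form Pundit policies take so it runs without the gem. The roles come from the table on this page; the User and Project fields and the "funded" flag are assumed for the demo.

```ruby
# Added example, not Nectis code; the User/Project fields and "funded" flag are assumed.
User    = Struct.new(:id, :role, :organisation_id, :project_ids, keyword_init: true)
Project = Struct.new(:id, :organisation_id, :owner_id, :funded, keyword_init: true)
class NotAuthorized < StandardError; end

# Base policy: every action answers false unless a subclass explicitly grants it,
# so a resource without its own rules, or a role nobody listed, gets nothing.
class ApplicationPolicy
  ACTIONS = %i[index? show? create? update? destroy?].freeze
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  ACTIONS.each { |action| define_method(action) { false } }
end

class ProjectPolicy < ApplicationPolicy
  def show?
    case user.role
    when :manager      then assigned?                  # project-level data on assigned projects
    when :fund_manager then same_org? && record.funded # read-only portfolio view of funded projects
    when :individual   then own?                       # own data only
    else false                                         # Administrator and unknown roles: not granted here
    end
  end

  def update?
    case user.role                                     # Fund Manager is read-only, so it is absent
    when :manager    then assigned?
    when :individual then own?
    else false
    end
  end

  private
  def same_org?; record.organisation_id == user.organisation_id; end
  def assigned?; same_org? && user.project_ids.include?(record.id); end
  def own?;      same_org? && record.owner_id == user.id; end
end

# Controller-side check in the shape of Pundit's authorize helper: the policy is
# looked up from the record's class and a false answer raises instead of passing.
def authorize!(user, record, action)
  policy = Object.const_get("#{record.class.name}Policy").new(user, record)
  raise NotAuthorized, "#{user.role} may not #{action} #{record.class.name}" unless policy.public_send(action)
  true
end
```

Because `destroy?` is never granted in `ProjectPolicy`, it falls through to the base policy's `false` for every role, which is the behaviour a default-deny base class is meant to guarantee.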
Policies
Privacy Policy
How we collect, use, and protect personal data.
Terms & Conditions
Platform usage terms, licensing, and service level commitments.
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly to [email protected]. We will acknowledge receipt within 48 hours and aim to resolve confirmed vulnerabilities promptly.
Company Details
Legal entity: Nectis Ltd
Company number: SC621729 (Scotland)
Registered address: 10 Colinton Rd, Edinburgh EH10 5DT, Scotland
Data protection contact: [email protected]
Questions about security?
We are happy to provide additional documentation, complete security questionnaires, or arrange a call with our technical team.
Email [email protected]