Security & Compliance

The current baseline covers strong authentication, audit trails, API keys, network separation, and a clearly stated compliance roadmap.

Defense in Depth

Controls that are visible in the product and technical documentation, from user accounts to network resources

Hosting baseline

Hosting operated in France, with infrastructure details shared when needed in commercial or contractual discussions

  • Operations and access are controlled
  • Site-level details are shared on request
  • Infrastructure supervision
  • Physical separation of equipment
  • Controlled visitor access
  • Power and network redundancy

Network Security

Networks, subnets, routers, ports, security groups, and floating IPs are part of the current platform scope

  • Project-level isolated networks
  • Stateful L3/L4 security groups
  • Private networks without public exposure by default
  • Routers, ports, and floating IPs managed from the console
  • Controlled exposure through load balancers when needed

Secrets & traffic

Protection of authentication secrets, session flows, and HTTPS exchanges

  • TOTP secrets are encrypted at rest when the dedicated key is configured
  • Platform and API access runs through HTTPS/TLS
  • Object flows follow Swift/OpenStack controls
  • Keys are platform-managed today
  • Advanced secret management remains project-specific architecture work
  • Snapshots and backups depend on the service in use

IAM & Access Control

Accounts, MFA, policies, and audit trails are visible in the current product

  • MFA with TOTP, backup codes, and WebAuthn / passkeys
  • Groups, policies, and fine-grained RBAC
  • Access keys and API keys managed at account and service level
  • OAuth 2.0 / OpenID Connect for documented flows
  • Audit logs for sensitive operations
  • Sessions, token rotation, and revocation

Audit & Visibility

Logging, public status, and support follow-up give you an actionable trail

  • Audit logs for mutating operations
  • Support ticket and comment history
  • Hardening and fixes through product iterations
  • SIEM export is not presented as a standard service today
  • Public status page for service visibility
  • Security documentation and internal reviews are evolving

Compliance & Audits

Clear separation between what exists today and what remains on the roadmap

  • GDPR constraints are taken into account in the product and European hosting model
  • ISO 27001 remains on the roadmap
  • SOC 2 Type II remains on the roadmap
  • Impact assessments and project-specific requirements are scoped case by case
  • Notification process exists for security incidents
  • Internal and external reviews depend on context

Certifications & Standards

We separate the current baseline from the certification roadmap.

GDPR Compliance

Applied framework

European data protection requirements are factored into day-to-day operations and contractual exchanges

  • Hosting location and deployment details are shared during commercial or contractual scoping
  • Data handling and responsibilities are framed under French and European law
  • You own your data. Operational access is limited to service needs.
  • Access minimization and role separation are part of the design baseline
  • Notification process exists for security incidents

ISO 27001

Roadmap

Information security management system certification

  • ISO 27001 remains on the roadmap
  • Internal and external reviews depend on context
  • Impact assessments and project-specific requirements are scoped case by case
  • Access minimization and role separation are part of the design baseline
  • Security documentation and internal reviews are evolving

SOC 2 Type II

Planned

Third-party audit of security controls

  • SOC 2 Type II remains on the roadmap
  • Internal and external reviews depend on context
  • SIEM export is not presented as a standard service today
  • Public status page for service visibility
  • Audit logs for sensitive operations

Hosting & Jurisdiction

Platform data is hosted in Europe; exact constraints are defined in your contract.

Security Best Practices

What we recommend doing on your side when you set up resources.

Security Groups

Use security groups to control inbound and outbound traffic to your instances

Recommendation:

Apply the least-privilege principle: only allow the ports and source ranges that are actually needed

SSH Key Management

Use SSH key pairs instead of passwords for instance access

Recommendation:

Rotate keys regularly and use separate keys per environment

Private Networks

Deploy sensitive services in private networks without public IPs

Recommendation:

Use a bastion host or limit admin access to known IP ranges

Backup Strategy

Plan snapshots or backups according to the service in use

Recommendation:

Follow the 3-2-1 rule: 3 copies, 2 different media, 1 offsite

API Authentication

Use API keys with appropriate scopes and expiration

Recommendation:

Never commit API keys to version control; load them from environment variables instead

Network Segmentation

Isolate different application tiers in separate networks

Recommendation:

Frontend, backend, and database in different subnets with security groups
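The recommendations above (least-privilege security groups, admin access limited to known IP ranges, and frontend / backend / database in separate tiers) turned into a review you can run over exported rules. This is an added example, not code from the page or the provider; it assumes Neutron-shaped rule dicts (security_group_id, direction, port_range_min/max, remote_ip_prefix, remote_group_id) and uses constructed group names, admin ports and source ranges.

```python
# Added example: least-privilege review of OpenStack-style security group rules.
# Flags ingress rules that break the recommendations above.
import ipaddress

ADMIN_PORTS = {22, 3389}                   # assumption: ports treated as admin access
KNOWN_ADMIN_SOURCES = ["203.0.113.0/24"]   # constructed "known IP range" (TEST-NET-3)
PUBLIC_TIERS = {"sg-frontend"}             # only tier allowed to face the internet
TIER_POLICY = {                            # groups each tier may accept traffic from
    "sg-frontend": {"sg-bastion"},
    "sg-backend": {"sg-frontend", "sg-bastion"},
    "sg-database": {"sg-backend", "sg-bastion"},
}

def is_world(prefix):  # True for 0.0.0.0/0 or ::/0 style prefixes
    return prefix is not None and ipaddress.ip_network(prefix, strict=False).prefixlen == 0

def source_is_known(prefix):  # True when the prefix sits inside an allowed admin range
    net = ipaddress.ip_network(prefix, strict=False)
    known = (ipaddress.ip_network(k) for k in KNOWN_ADMIN_SOURCES)
    return any(net.version == k.version and net.subnet_of(k) for k in known)

def review(rules):
    """Return (security_group_id, problem) pairs for ingress rules that violate the policy."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress":
            continue
        sg, prefix, group = r["security_group_id"], r["remote_ip_prefix"], r["remote_group_id"]
        lo = r["port_range_min"] if r["port_range_min"] is not None else 0   # None = all ports
        hi = r["port_range_max"] if r["port_range_max"] is not None else 65535
        if prefix and any(lo <= p <= hi for p in ADMIN_PORTS) and not source_is_known(prefix):
            findings.append((sg, f"admin port {lo}-{hi} reachable from {prefix}"))
        if prefix and sg in TIER_POLICY and sg not in PUBLIC_TIERS and is_world(prefix):
            findings.append((sg, "internal tier exposed to any source"))
        if group and sg in TIER_POLICY and group not in TIER_POLICY[sg]:
            findings.append((sg, f"accepts traffic from {group}, outside the tier policy"))
    return findings

def rule(sg, lo, hi, prefix=None, group=None):  # builds a Neutron-shaped ingress rule dict
    return {"security_group_id": sg, "direction": "ingress", "protocol": "tcp",
            "port_range_min": lo, "port_range_max": hi,
            "remote_ip_prefix": prefix, "remote_group_id": group}

SAMPLE_RULES = [  # constructed sample, not exported from any real project
    rule("sg-frontend", 443, 443, prefix="0.0.0.0/0"),       # public HTTPS: fine
    rule("sg-bastion", 22, 22, prefix="203.0.113.0/24"),     # SSH from known range: fine
    rule("sg-backend", 22, 22, prefix="0.0.0.0/0"),          # SSH from anywhere: flagged twice
    rule("sg-database", 5432, 5432, group="sg-frontend"),    # skips the backend tier: flagged
    rule("sg-database", 5432, 5432, group="sg-backend"),     # intended path: fine
]
```

Running `review(SAMPLE_RULES)` yields three findings: the backend SSH rule is flagged both as an admin port open to an unknown source and as an internal tier exposed to the internet, and the database rule that accepts traffic straight from the frontend is flagged for bypassing the tier chain.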

How the security baseline moves forward

Controls improve with real usage, direct feedback, and the compliance requirements we hear from customers

Shaped by real constraints

What customers are actually running informs what we harden next

Tracked against standards

Regulatory and contractual requirements are on the roadmap as they come up in practice

Direct technical exchanges

When a project has specific security needs, we scope the controls together

Incident Response & Transparency

Clear communication and an actionable trail when the platform is affected

Detection

  • Platform monitoring, the status page, and support are the current entry points
  • Operational follow-up and audit
  • Customer reports flow through support and the contact page
  • Impact-based prioritization

Handling markers

  • Critical: priority handling
  • High: accelerated handling
  • Medium: handled based on impact
  • Updates through status and support

Responsible Disclosure

If you find something, tell us. We handle reports seriously and without legal threats.

How to Report a Vulnerability

If you've discovered a security vulnerability, please report it responsibly:

  1. Email us at security@nemau-cloud.com
  2. Include steps to reproduce, potential impact, and affected components
  3. Allow us 90 days to investigate and remediate before public disclosure
  4. We'll send an initial reply as soon as possible

Our Commitment:

We will not pursue legal action against researchers who follow responsible disclosure practices.

Questions about our security practices?

We can walk through the controls already in place and the parts that still sit on the roadmap.