Security & Compliance

Enterprise-grade security with advanced IAM, comprehensive auditing, and GDPR compliance. Our solutions evolve with your security requirements, designed for European data sovereignty.

Defense in Depth

Multi-layered protection from physical infrastructure to application level

Physical Security

Proprietary Tier 3+ HDS-certified datacenter with 24/7 supervised access and full infrastructure redundancy

  • 24/7 on-site security personnel
  • Biometric access controls
  • Video surveillance with 90-day retention
  • Secure cage and cabinet access
  • Visitor escort policy
  • Dual power feeds with UPS and generators

Network Security

Multi-layered network protection and isolation

  • VXLAN network isolation per tenant
  • Stateful security groups (firewall rules)
  • Private networks with no internet exposure
  • BGP routing with prefix filtering
  • Automatic anomaly detection

Data Encryption

Encryption at rest and in transit

  • AES-256 encryption for block volumes (LUKS)
  • TLS 1.3 for all API communications
  • Encrypted Swift object storage
  • Customer-managed encryption keys (CMEK) support
  • Secure key storage with HashiCorp Vault
  • Encrypted backups and snapshots

Advanced IAM & Access Control

Enterprise-grade identity and access management to meet modern security requirements

  • Multi-factor authentication (MFA) with multiple providers
  • Fine-grained role-based access control (RBAC)
  • Automated API key rotation policies
  • OAuth 2.0, SAML, and OpenID Connect support
  • Comprehensive audit logging for compliance
  • Advanced session management with anomaly detection

Auditing & Compliance Monitoring

Advanced logging, auditing, and monitoring designed for modern security compliance

  • Real-time intrusion detection systems (IDS)
  • Centralized log aggregation with long-term retention
  • Continuous vulnerability scanning and remediation
  • Advanced SIEM with threat intelligence integration
  • Automated incident response with detailed audit trails
  • Regular third-party penetration testing and security audits

Compliance & Audits

Regular audits and compliance validation

  • GDPR compliant by design
  • ISO 27001 certification (In Progress - Q3 2026)
  • SOC 2 Type II audit (Planned - Q4 2026)
  • Data Protection Impact Assessments
  • Breach notification procedures (<72h)
  • Regular internal and external audits

Certifications & Standards

Transparent about our current compliance status and certification roadmap.

GDPR Compliance

Compliant

Full compliance with EU General Data Protection Regulation

  • Proprietary HDS-certified datacenter in France, suited for public sector, healthcare, and local government requirements
  • Governed by European laws, not subject to foreign data requests
  • You own your data. We never access, sell, or mine it.
  • GDPR compliance built into every system and process
  • Breach notification procedures (<72h)

ISO 27001

In Progress

Information security management system certification

  • ISO 27001 certification (In Progress - Q3 2026)
  • Regular internal and external audits
  • Data Protection Impact Assessments
  • GDPR compliance built into every system and process
  • Regular third-party penetration testing and security audits

SOC 2 Type II

Planned

Third-party audit of security controls

  • SOC 2 Type II audit (Planned - Q4 2026)
  • Regular internal and external audits
  • Advanced SIEM with threat intelligence integration
  • Automated incident response with detailed audit trails
  • Comprehensive audit logging for compliance

European Data Sovereignty

All data is stored and processed exclusively within the European Union. We do not transfer data outside the EU, ensuring full compliance with GDPR requirements and European privacy laws.

Security Best Practices

Recommended security practices for managing your infrastructure.

Security Groups

Use security groups to control inbound and outbound traffic to your instances

Recommendation:

Apply least privilege principle: only allow necessary ports and sources

SSH Key Management

Use SSH key pairs instead of passwords for instance access

Recommendation:

Rotate keys regularly and use separate keys per environment

Private Networks

Deploy sensitive workloads in private networks without public IPs

Recommendation:

Use bastion hosts or VPN for administrative access

Backup Strategy

Regular automated backups with encrypted storage

Recommendation:

Follow the 3-2-1 rule: 3 copies of the data, on 2 different media, with 1 copy offsite

API Authentication

Use API keys with appropriate scopes and expiration

Recommendation:

Never commit API keys to version control; pass them to your applications through environment variables instead

Network Segmentation

Isolate different application tiers in separate networks

Recommendation:

Place the frontend, backend, and database tiers in separate subnets, and use security groups so each tier accepts traffic only from the tier in front of it
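The following is an added example, not code from Nemau Cloud, that turns the security-group and network-segmentation recommendations above into a least-privilege check: it audits a constructed three-tier rule set against a policy in which only the frontend is internet-facing, each tier accepts traffic only from the adjacent tier, and SSH is reachable only from a bastion group. The rule tuple format, the group names and the port numbers are assumptions made for the illustration.

```python
from ipaddress import ip_network

# Constructed sample rules (not taken from any real tenant):
# (security group, protocol, port, source). A source is a CIDR or a
# reference to another security group written as "sg:<name>".
RULES = [
    ("frontend", "tcp", 443, "0.0.0.0/0"),
    ("frontend", "tcp", 22, "sg:bastion"),
    ("backend", "tcp", 8080, "sg:frontend"),
    ("backend", "tcp", 22, "0.0.0.0/0"),       # SSH open to the world
    ("database", "tcp", 5432, "sg:backend"),
    ("database", "tcp", 5432, "10.0.0.0/8"),   # wider than the backend tier
]

# Assumed policy for the three-tier layout: only the frontend is public,
# each tier talks only to the tier in front of it, SSH only via bastion.
ALLOWED_SOURCES = {
    "frontend": {443: {"0.0.0.0/0"}, 22: {"sg:bastion"}},
    "backend": {8080: {"sg:frontend"}, 22: {"sg:bastion"}},
    "database": {5432: {"sg:backend"}, 22: {"sg:bastion"}},
}


def is_public(source):
    """True when the source is a CIDR that covers the whole internet."""
    if source.startswith("sg:"):
        return False
    return ip_network(source, strict=False).prefixlen == 0


def audit(rules, policy):
    """Return (group, port, source, reason) for every rule that is wider
    than the policy allows; a port absent from the policy is not needed."""
    findings = []
    for group, _proto, port, source in rules:
        allowed = policy.get(group, {}).get(port)
        if allowed is None:
            findings.append((group, port, source, "port not required for this tier"))
        elif source not in allowed:
            reason = ("exposed to the internet" if is_public(source)
                      else "source wider than the adjacent tier")
            findings.append((group, port, source, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(RULES, ALLOWED_SOURCES):
        print("VIOLATION: %s port %d from %s (%s)" % finding)
```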

Solutions That Evolve With You

We listen to our customers and continuously adapt our platform to meet modern security requirements

Customer-Driven Development

Your feedback shapes our roadmap: security features designed with real-world needs in mind

Adapting to Standards

We continuously update our security capabilities to meet evolving compliance requirements

Security Partnership

Work directly with our security team to implement controls that match your specific needs

Incident Response & Transparency

Transparent communication and rapid response

Detection

  • 24/7 automated monitoring with human oversight
  • Security Operations Center (SOC) oversight
  • Customer-reported issues tracked immediately
  • Severity classification (Critical to Low)

Response Timeline

  • Critical: 15-minute initial response
  • High: 1-hour initial response
  • Medium: 4-hour initial response
  • Status updates every 2-4 hours

Responsible Disclosure

We welcome security researchers to help us keep Nemau Cloud secure.

How to Report a Vulnerability

If you've discovered a security vulnerability, please report it responsibly:

  1. Email us at security@nemau-cloud.com
  2. Include steps to reproduce, potential impact, and affected components
  3. Allow us 90 days to investigate and remediate before public disclosure
  4. We'll acknowledge your report within 24 hours

Our Commitment:

We will not pursue legal action against researchers who follow responsible disclosure practices.

Questions about our security practices?

Our security team is happy to discuss your specific requirements