Trust
Security
VODR Nexus reads your repository to map regulatory obligations. That means you're trusting us with access to your code. Here's exactly how we handle that trust.
Repository Access
When you run nexus connect, the organism reads your repository through GitHub, GitLab, or Bitbucket OAuth with read-only scope. It extracts six categories of metadata (the Retained column of the table below).
That's what we read. Here's what we keep and what we don't.
Data Handling
| Retained (metadata) | Deleted (immediately after extraction) |
|---|---|
| Package name, version, ecosystem | All source file contents |
| Database field name, table name | All function bodies, class definitions |
| AI library name, type, category | All variable names, comments, docstrings |
| Deployment region identifier | All configuration file contents |
| CVE ID, severity, fix version | All Dockerfile and terraform contents |
| AI-BOM document (CycloneDX) | All test files, README contents |
| | All git history and commit metadata |
| | All environment variables and secrets |
| | The snapshot file itself (for snapshot uploads) |
Never retained in any form: credentials, API keys, tokens, .env files, private keys, certificates, or any file matching secret patterns.
For nexus scan-local, zero code leaves your machine. Only a package name list is transmitted. Run nexus scan-local --dry-run to see exactly what will be sent before anything is transmitted.
Infrastructure
All customer data is stored in the European Union.
Application Server
Hetzner Cloud CCX33, Falkenstein, Germany. Dedicated vCPU. Not shared hosting.
Reverse Proxy
Cloudflare. DDoS protection, TLS termination, WAF, bot management. The origin server IP is hidden. The Hetzner firewall accepts connections only from Cloudflare IP ranges.
Database
PostgreSQL on localhost. Three roles: application (read/write to application tables only), monitor (read-only for Grafana), replication (backup only). No remote database connections. No database port exposed to the internet.
Encryption
TLS 1.3 on all connections in transit. Encrypted storage at rest on Hetzner infrastructure. API keys hashed with per-key salt using SHA-256. Raw keys are never stored.
Access Control
API key authentication on every request. Per-system ownership verification. Rate limiting per tier (15/50/500/unlimited checks per day). Request body size limits enforced.
Intrusion Prevention
fail2ban monitors SSH and API authentication failures. Automated bans on repeated failures. Automated security updates via unattended-upgrades.
Audit Trail
Every API call is logged with: endpoint, timestamp, API key hash (not the key itself), IP address, response status code, and request outcome. Write operations include rich context: what changed, from what state, to what state, and what the organism showed the customer before the change.
The audit trail is tamper-evident. Each entry includes a chain hash computed from the entry content and the previous entry's hash. Modification of any entry invalidates every subsequent hash in the chain. The organism verifies chain integrity automatically every 15 minutes through its constitution checks.
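To make the chain-hash property concrete, here is an added illustration (not VODR's own code) of how such a tamper-evident trail can be built and verified. It assumes SHA-256, canonical JSON serialisation of each entry, a constructed all-zero seed for the first entry's previous hash, and constructed sample log entries; VODR's actual field layout and hashing details are not published on this page.

```python
import hashlib
import json
from typing import List, Optional

# Assumed seed for the first entry's "previous hash" (not from the page).
GENESIS_HASH = "0" * 64


def entry_hash(entry: dict, prev_hash: str) -> str:
    """Chain hash = SHA-256(previous hash || canonical JSON of the entry content).

    The stored 'chain_hash' field is excluded so the hash covers only content.
    Sorted keys and no whitespace make the serialisation deterministic.
    """
    content = {k: v for k, v in entry.items() if k != "chain_hash"}
    payload = json.dumps(content, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(trail: List[dict], entry: dict) -> dict:
    """Seal a new entry against the tail of the trail and append it."""
    prev = trail[-1]["chain_hash"] if trail else GENESIS_HASH
    sealed = dict(entry, chain_hash=entry_hash(entry, prev))
    trail.append(sealed)
    return sealed


def verify_chain(trail: List[dict]) -> Optional[int]:
    """Return the index of the first entry whose chain hash fails, or None if intact."""
    prev = GENESIS_HASH
    for i, entry in enumerate(trail):
        if entry_hash(entry, prev) != entry["chain_hash"]:
            return i
        prev = entry["chain_hash"]
    return None


# Constructed sample entries mirroring the fields the page lists for each API call.
KEY_HASH = hashlib.sha256(b"constructed-example-api-key").hexdigest()
SAMPLE_ENTRIES = [
    {"endpoint": "/v1/systems", "ts": "2025-01-01T10:00:00Z", "key_hash": KEY_HASH,
     "ip": "203.0.113.10", "status": 200, "outcome": "ok"},
    {"endpoint": "/v1/systems/42/scan", "ts": "2025-01-01T10:01:00Z", "key_hash": KEY_HASH,
     "ip": "203.0.113.10", "status": 202, "outcome": "queued"},
    {"endpoint": "/v1/systems/42", "ts": "2025-01-01T10:02:00Z", "key_hash": KEY_HASH,
     "ip": "203.0.113.10", "status": 403, "outcome": "ownership check failed"},
]


def build_sample_trail() -> List[dict]:
    trail: List[dict] = []
    for entry in SAMPLE_ENTRIES:
        append_entry(trail, entry)
    return trail
```

Editing an entry breaks verification at that entry; re-sealing the edited entry only moves the break to the next one, which is why every later hash is invalidated.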
The audit trail is exportable. Pro and Team customers can export the complete audit trail for any system via the API for regulatory submissions.
OAuth Lifecycle
OAuth tokens are stored hashed, never in plaintext. Tokens are scoped to read-only access. The organism never requests write access to your repository.
Three revocation mechanisms
nexus disconnect revokes the token at the provider, clears the local token, and marks the connection as revoked. Immediate.
When a connection is revoked, the token hash is zeroed in the database and the provider is notified to revoke the token on their end. If provider revocation fails due to a network error, you are notified and given the manual revocation URL for your provider's settings.
Third Parties
| Provider | Location | Purpose | Data Received |
|---|---|---|---|
| Hetzner Online GmbH | Germany | Cloud hosting | All customer data (stored on their infrastructure) |
| Stripe, Inc. | US | Payment processing | Email, subscription tier, payment method |
| Anthropic PBC | US | AI inference for classification | System description text only |
| GitHub / GitLab / Bitbucket | Varies | Repository access | Repository contents via customer-granted OAuth (read-only) |
Third-party data sources
Google OSV API — we query Google's open source vulnerability database with package names and versions to check for known CVEs. No customer-identifying data is transmitted. This is a public API query, not a data processing relationship.
No other third parties receive customer data. We do not sell data. We do not use customer data for advertising. We do not use customer repository data or system descriptions to train AI models.
No Tracking
No analytics cookies on this website. No tracking pixels. No third-party scripts. No behavioral analytics. No fingerprinting. The vodr.ai website serves static HTML and CSS. It does not track you.
The CLI does not phone home. It calls the VODR API only when you run a command. It does not send telemetry, usage analytics, or crash reports in the background. Every API call is initiated by your explicit action.
Accountability
VODR Nexus is itself an AI system subject to regulatory obligations. The organism classifies itself under the same frameworks it applies to customers. Its own compliance status, constitution check results, classifier accuracy, known limitations, and data verification coverage are published on our self-assessment page.
We hold ourselves to the same standard we hold our customers to. If the organism has a governance failure, it appears on the self-assessment page before anyone asks.
Vulnerability Reporting
If you find a security vulnerability in VODR Nexus, report it to security@vodr.ai. We will acknowledge receipt within 24 hours and provide an initial assessment within 72 hours. We do not pursue legal action against researchers who report in good faith.
Contact
Security questions: security@vodr.ai
Privacy and data protection: privacy@vodr.ai
General support: support@vodr.ai