Security at NexStock

Your data is safe with us

We have designed NexStock with security as a first-class concern — not an afterthought. Here is exactly how we protect your business data.

Encryption in Transit

  • TLS 1.3 enforced on all connections
  • HTTP Strict Transport Security (HSTS) enabled
  • HTTPS-only — no unencrypted traffic accepted
  • Certificate transparency monitoring

Authentication

  • Passwords hashed with bcrypt (cost factor 12)
  • JWT access tokens expire after 15 minutes
  • Refresh token rotation on every use
  • Email OTP required for sensitive operations

Data Protection

  • Data at rest encrypted with AES-256
  • Multi-tenant isolation via organizationId scoping
  • Parameterized queries prevent SQL injection
  • No cross-tenant data access possible

API Security

  • Rate limiting on all endpoints
  • HMAC-SHA256 signed webhook payloads
  • Scoped API keys with least-privilege access
  • SameSite=Strict cookie policy

Overview

NexStock stores sensitive business data — inventory, orders, supplier relationships, and customer records. We take this responsibility seriously. Security is not a feature we layered on top; it is woven into how we build and operate the platform.

This page describes the technical and operational security controls we have in place. If you are a security researcher and have found a potential vulnerability, please see the Vulnerability Disclosure section below.

Infrastructure Security

Transport Encryption

All traffic between your browser (or API client) and NexStock is encrypted using TLS 1.3. We do not support TLS 1.0 or 1.1. HTTP Strict Transport Security (HSTS) is enforced with a minimum one-year max-age, preventing protocol downgrade attacks.

Encryption at Rest

All data stored in our database and object storage is encrypted at rest using AES-256. Encryption keys are managed by our cloud provider's key management service (KMS) and rotated on a regular schedule. Backups are also encrypted.

Infrastructure Hardening

Our infrastructure runs on managed cloud services with network isolation, private subnets, and firewall rules that deny all traffic by default. Database instances are not publicly accessible — they are only reachable from within our private network. We apply security patches promptly and monitor for CVEs affecting our dependencies.

Authentication

Password Hashing

Passwords are never stored in plaintext. We hash passwords using bcrypt with a cost factor of 12, which requires significant computational work to verify. This makes brute-force attacks against our database impractical even in the event of a breach.

JWT Tokens & Session Management

After login, your session is managed using a two-token system:

  • Access token — A short-lived JWT signed with RS256, valid for 15 minutes. Stored in an HttpOnly, Secure, SameSite=Strict cookie. Cannot be accessed by JavaScript.
  • Refresh token — An opaque token valid for 30 days, also stored in an HttpOnly, Secure cookie. Rotated on every use — using a refresh token invalidates it and issues a new one. If a stolen refresh token is detected (reuse detection), all sessions for that account are immediately invalidated.

OTP Email Verification

Email address verification uses a time-limited OTP (one-time password) sent via Resend. OTPs expire after 10 minutes and are single-use. Sensitive account operations — such as changing your email address or deleting your account — require re-verification.

Brute Force Protection

Login endpoints are rate-limited per IP and per account. After a configurable number of failed attempts, the account is temporarily locked and the owner is notified by email. This mitigates credential-stuffing and brute-force attacks.

Data Isolation

NexStock is a multi-tenant platform. Every database query that touches user data includes an organizationId filter at the query level. This is enforced in our data access layer — not just at the API route level — ensuring that no request can ever return data belonging to another organization.

Role-based access control (RBAC) governs what actions each team member can perform within an organization. Owners, admins, and members have distinct permission levels enforced server-side on every request.

All database queries use parameterized statements — never string interpolation — preventing SQL injection attacks.

API Security

Rate Limiting

All API endpoints — both the app API and the public API — are rate-limited. Limits are applied per IP address and per API key. Exceeding the rate limit returns a 429 Too Many Requests response with a Retry-After header.

Webhook Signatures

All outgoing webhooks are signed with HMAC-SHA256 using a per-endpoint secret. The signature is included in the X-NexStock-Signature request header. Consumers should always verify this signature before processing webhook payloads. See the developer docs for verification examples.

API Keys

API keys can be scoped to specific permissions (read-only, write, admin) following the principle of least privilege. Keys are displayed only once at creation time and stored as a hashed value — we cannot recover a lost key. Keys can be revoked instantly from the dashboard.

CORS & CSRF Protection

Cross-Origin Resource Sharing (CORS) is configured to allow only trusted origins. The SameSite=Strict cookie attribute provides CSRF protection at the browser level. State-mutating API endpoints additionally validate the request origin.

Audit Logging

NexStock maintains an immutable audit log of all significant mutations within your organization. Every create, update, and delete action on core resources (products, orders, suppliers, customers, warehouses, team members) is recorded with the actor, timestamp, IP address, and a diff of what changed.

Audit logs are:

  • Append-only — existing entries cannot be modified or deleted by users.
  • Scoped to your organization — only accessible by Owners and Admins within your account.
  • Retained for the lifetime of your account and exported on request.
  • Available for API access on supported plans.

Data Residency

NexStock is currently hosted on infrastructure based in the United States. Data is replicated for redundancy within the same region. We do not currently offer region-specific hosting.

If your organization has strict data residency requirements (for example, EU data staying within the EEA), please contact us at security@nexstock.com to discuss your situation. Regional data residency options are on our roadmap.

Security Roadmap

We are continuously investing in security. Planned improvements include:

  • SOC 2 Type II: We are working toward SOC 2 Type II certification. This will provide independent third-party validation of our security controls.
  • TOTP / Authenticator app MFA: Two-factor authentication via authenticator apps (TOTP) is planned as an additional layer on top of email OTP.
  • Single Sign-On (SSO): SAML 2.0 and OpenID Connect SSO for enterprise customers, enabling integration with your identity provider.
  • EU data residency: The ability to choose data residency in the European Union for GDPR-sensitive workloads.
  • Penetration testing: Annual third-party penetration testing with results summary published here.

Vulnerability Disclosure

If you discover a security vulnerability in NexStock, we ask that you disclose it to us responsibly. Do not publicly disclose the issue until we have had a reasonable opportunity to investigate and address it.

To report a vulnerability, email security@nexstock.com with:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce or a proof-of-concept.
  • Any relevant screenshots or technical details.

Security contact

Email: security@nexstock.com

We aim to acknowledge reports within 24 hours and provide an initial assessment within 72 hours. We deeply appreciate responsible disclosure.