Security & Compliance

Built for enterprise procurement. Read-only OAuth, stateless architecture, regional data sovereignty, and a transparent SOC 2 Type I roadmap.

Trust signals at a glance

🔒 OAuth Read-Only 🇪🇺 GDPR Compliant 🇧🇷 LGPD Compliant 💳 Stripe PCI DSS L1 🟦 Microsoft Marketplace Verified 📋 SOC 2 Type I — In Progress

Nexus Hub is engineered with privacy and security as design constraints, not afterthoughts. The architecture is stateless: customer Work Item content is processed in-memory and never persisted to disk. Only aggregated, anonymous telemetry leaves your Azure DevOps tenant.

Architectural security controls

Implemented

Read-only OAuth scopes

The extension requests only vso.work and vso.project. It cannot create, modify, or delete Work Items. Audit-friendly: every API call is read-only by design.

Implemented

Stateless backend

The Nexus FastAPI service runs on Hugging Face Spaces with ephemeral storage. Work Item content sent for analysis is held in memory for the duration of the request and discarded after the response is returned. No customer content persists on disk.

Implemented

Per-organization licensing isolation

Subscription state is keyed on Azure DevOps Organization GUID (X-Nexus-Org-ID). Cross-tenant data access is impossible by API design — there is no shared tenant context.

Implemented

TLS 1.2+ in transit

All communication between the extension, the Stripe checkout, and the backend uses TLS 1.2 or higher. Stripe handles PCI DSS Level 1 obligations for payment instruments.

Implemented

Anonymous telemetry only

Outgoing telemetry is limited to extension version, error counts, and feature-usage counters. No user identifiers, no work-item content, no tenant identifiers beyond the Org GUID required for licensing.

Implemented

Stripe BYOL billing

Payment processing is delegated to Stripe under their PCI DSS Level 1 certification. TRX22 never sees, stores, or processes raw payment instruments.

In Progress

SOC 2 Type I audit

Engaged with a licensed CPA firm. Trust Service Criteria covered: Security, Availability, Confidentiality. Target completion: Q4 2026. See roadmap below.

In Progress

Vulnerability disclosure program

Email security@trx22.com.br for responsible disclosure. PGP key publication scheduled with the SOC 2 Type I rollout.

Planned

SOC 2 Type II audit

Continuation of Type I with a 12-month observation window. Target: Q4 2027.

Planned

ISO 27001 certification

Evaluation phase. Will be considered after SOC 2 Type II based on enterprise customer demand.

SOC 2 Type I roadmap

The audit is being conducted against the AICPA Trust Service Criteria. Below is the operational roadmap; specific evidence and findings are available under NDA to qualified prospective customers.

Q2 2026 · Started

Readiness assessment

Initial gap analysis against SOC 2 Trust Service Criteria (Security, Availability, Confidentiality). Engaged readiness platform (Vanta or Drata under evaluation).

Q3 2026 · Target

Control implementation & documentation

  • Information security policy
  • Acceptable use policy
  • Incident response plan
  • Vendor management program
  • Background check process
  • Training records
  • Quarterly access reviews

Q3 2026 · Target

Evidence collection window

Continuous monitoring of access reviews, vulnerability scans, change management, incident logs, and backup tests. Type I requires evidence at a single point in time; Type II requires sustained evidence over 12 months.

Q4 2026 · Target

External CPA audit

Licensed CPA firm performs the formal audit, producing the SOC 2 Type I report. Report available to qualified customers under NDA.

Q4 2027 · Long-term

SOC 2 Type II

Sustained operating effectiveness over a 12-month observation period. Higher assurance than Type I; expected by enterprise procurement at scale.

Data handling — what leaves your tenant

What we send to the Nexus backend

  • Throughput history — number of Work Items closed per week (numbers only, no titles)
  • Active simulation payload — for AI Semantic Adjustment: titles and descriptions of items being analyzed (held in memory, not persisted)
  • Identifiers — Azure DevOps Organization GUID (X-Nexus-Org-ID), Project ID, optional Extension ID for routing

What we never send

  • User identifiers (names, emails, AAD object IDs)
  • Comments, attachments, history
  • Pull request data, build data, pipeline data
  • Anything outside the requested scopes (vso.work + vso.project)
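The following is an added example, not code from Nexus Hub or TRX22, showing how the per-organization keying on X-Nexus-Org-ID and the "what we send / what we never send" lists above can be enforced at the point where the outbound payload is built: the GUID header is validated before any licence lookup, throughput is reduced to counts per week, and work items are projected through an allowlist so identity, comment and history fields never leave the tenant. The Azure DevOps field reference names, function names and sample data are my own assumptions.

```python
import uuid
from collections import Counter
from datetime import date

# Azure DevOps field reference names are assumed; the page names data classes, not fields.
ANALYSIS_FIELDS = ("System.Title", "System.Description")
CLOSED_FIELD = "Microsoft.VSTS.Common.ClosedDate"

def parse_org_id(headers: dict) -> str:
    """Validate X-Nexus-Org-ID as a GUID so licence state can only ever be keyed per organization."""
    raw = headers.get("X-Nexus-Org-ID")
    if raw is None:
        raise ValueError("missing X-Nexus-Org-ID header")
    return str(uuid.UUID(raw))  # ValueError for anything that is not a GUID; normalizes case

def throughput_history(work_items: list) -> dict:
    """Closed items per ISO week: counts only, never titles or identities."""
    weeks = Counter()
    for item in work_items:
        closed = item["fields"].get(CLOSED_FIELD)
        if closed:
            year, week, _ = date.fromisoformat(closed[:10]).isocalendar()
            weeks[f"{year}-W{week:02d}"] += 1
    return dict(weeks)

def simulation_payload(work_items: list) -> list:
    """Allowlist projection: title/description only; identity and history fields never leave."""
    return [{k: item["fields"][k] for k in ANALYSIS_FIELDS if k in item["fields"]} for item in work_items]

def build_backend_request(headers: dict, project_id: str, work_items: list) -> dict:
    """The only payload the extension would send; everything else stays in the tenant."""
    return {
        "org_id": parse_org_id(headers),
        "project_id": project_id,
        "throughput": throughput_history(work_items),
        "items": simulation_payload(work_items),
    }

# Constructed sample in the Azure DevOps REST shape; not real tenant data.
SAMPLE_ITEMS = [
    {"id": 1, "fields": {"System.Title": "Fix login timeout", "System.Description": "Sessions expire early",
                         "System.AssignedTo": {"uniqueName": "dev@example.com"}, CLOSED_FIELD: "2026-03-03T10:00:00Z"}},
    {"id": 2, "fields": {"System.Title": "Rotate API keys", "System.CreatedBy": {"uniqueName": "ops@example.com"},
                         CLOSED_FIELD: "2026-03-05T16:30:00Z"}},
    {"id": 3, "fields": {"System.Title": "Add audit log", "System.History": "Discussed in standup"}},
]
SAMPLE_HEADERS = {"X-Nexus-Org-ID": "2D7A6E8C-3F1B-4C9D-8E5A-1B2C3D4E5F60"}  # constructed GUID
```

Running `build_backend_request(SAMPLE_HEADERS, "proj-1", SAMPLE_ITEMS)` yields a payload with the normalized org GUID, `{"2026-W10": 2}` as throughput, and items containing only title and description keys.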

Data residency

The backend currently runs on Hugging Face Spaces in their default region rotation. Customers requiring specific regional residency (US-only, EU-only, BR-only) are encouraged to contact enterprise@trx22.com.br — dedicated regional deployments are available under enterprise agreements.

Need a security review?

For SIG questionnaires, vendor risk assessments, or DPA execution, write to security@trx22.com.br. We respond within 2 business days.

For enterprise procurement (POs, custom invoicing, multi-org licensing): enterprise@trx22.com.br