Security and Compliance

Learn about the Security and Compliance of the Nexus Platform

Frequently Asked Questions

All sensitive data, including PII, is handled in accordance with GDPR. The Hexagon MI Privacy Notice is published at https://hexagon.com/legal/mi-privacy-notice.

Nexus is currently deployed in Microsoft Azure and is globally available with regional support. The Nexus roadmap includes deployment into other Cloud providers and will be multi-cloud.

Nexus uses Azure Cosmos DB for MongoDB and Elasticsearch, among others. Nexus can support a large number of additional data sources.

Nexus enforces Role-based Access Control (RBAC).

Nexus is compliant with ISO 27001 and TISAX. Microsoft Azure is also ISO 27001, SOC 2, and FedRAMP compliant.

Yes. Business Continuity and Disaster Recovery Plans are in place and approved by the key stakeholders.

Nexus Architecture is a model-driven architecture with support for distributed data services, event-driven services, and workflow-driven services.

Nexus is a multi-tier architecture protected with best practice architecture and controls.

Nexus uses state-of-the-art continuous malware scanning, real-time intrusion and malware detection, and container scanning.

All system auditing is managed in the cloud. System events and application events are logged to persistent storage and are accessible only to users with the proper security role.

Nexus adopts a Secure Software Development Lifecycle (SDLC) model. As part of that, we conduct security testing (SAST, SCA, and DAST).

Application Penetration Testing is done by a 3rd party as per our security policy.

Nexus supports many different canonical models.

Nexus uses a layered security approach to provide 24x7 monitoring by our SOC.

All endpoints are authenticated with OAuth 2.0 and require a Nexus SSO token. There are no anonymous endpoints.

All APIs will pass through an Application Gateway to enforce minimum requirements (such as rate-limiting and quota management), as well as logging and analytics of API metrics.

Nexus is built on containerized services that are stateless. The persistent storage is decentralized and geo-replicated.

Nexus employees are trained annually on Business Continuity and Disaster Recovery policy and procedures.

Yes, all external files that are imported into Nexus are scanned for malware.

Yes, all code is scanned on every build pipeline at check-in time and is required to pass before it can be deployed.

Nexus has an incident response team and a Security Operation Center monitoring the application environment 24/7. Nexus' hosting partner is SOC Type 2 certified and meets these requirements.

Yes, all third-party developers will be required to show proof of vulnerability scans and penetration tests.

Yes, Nexus has an incident response team and a Security Operation Center monitoring the application environment 24/7.

Vulnerability scans are performed during build time and are continuously run on the deployed environments.

Nexus uses cloud providers that adhere to strict guidelines for physical and environmental integrity. Hexagon restricts all access to data, requiring multi-factor authentication and privileged identity management to request escalation of privilege. All data access is logged and audited regularly.

Yes, Nexus uses a role-based approach to access.


© 2024 Hexagon AB and/or its subsidiaries