New: WhatsApp integration is live — connect your chatbot to WhatsApp Business. See what's new →

NexaGPT
Security

Enterprise-grade security

Your data — and your customers' data — is protected at every layer. NexaGPT is built for teams that take security seriously.

🔐

End-to-end encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Your training content and conversation data are never stored in plain text.

🏢

Role-based access control

OWNER, ADMIN, and MEMBER roles with page-level permission granularity. Limit who can see leads, analytics, billing, or chatbot settings.

🔑

API key scopes

API keys support fine-grained scopes (read, write, admin). Set expiry dates and revoke keys instantly from your dashboard.

📋

GDPR compliant

Full data residency controls, right-to-deletion support, data processing agreements (DPA) available for enterprise customers.

🛡️

SOC 2 Type II

NexaGPT infrastructure is audited annually against the SOC 2 framework. Reports available under NDA for enterprise customers.

🔒

Multi-tenant isolation

Every organization's data is fully isolated at the database level. White-label child organizations have strict data boundaries.

Security practices

  • Passwords hashed with bcrypt (cost factor 12)
  • JWT tokens with short expiry + refresh token rotation
  • Rate limiting on all authentication endpoints
  • Webhook payloads signed with HMAC-SHA256 secrets
  • Regular dependency audits and automated vulnerability scanning
  • Infrastructure hosted on AWS with private VPC networking
  • Database backups every 6 hours, retained for 30 days
  • Incident response SLA: critical issues patched within 24 hours

Enterprise security add-ons

  • SSO via SAML 2.0 / Okta / Azure AD
  • Custom data residency (EU, US, APAC)
  • Data Processing Agreement (DPA)
  • Audit logs with user activity trail
  • IP allowlist / VPN enforcement
  • Dedicated infrastructure option
Talk to our security team →

Security questions? Talk to our team.

We're happy to share our security documentation, DPA, or SOC 2 reports.