NUL Systems by Delphi Insights

Security & Trust

NUL Systems™ · How we protect your data

Last Updated: April 27, 2026

A note from our founder. NUL Systems is a governance, risk, and compliance platform. The trust you place in us to handle your policies and transaction data is not something we take lightly. This page describes our current security posture, the practices we follow today, and the roadmap we are executing as we scale. We would rather tell you exactly where we are than overstate our maturity.

1. Our Security Principles

We operate NUL Systems according to four principles:

  • Least privilege. Every employee and system has only the access needed to do its job, and nothing more.
  • Defense in depth. Security is applied in layers so that no single failure exposes customer data.
  • Secure by default. Encryption, access controls, and monitoring are configured from the start, not added on later.
  • Continuous verification. We treat compliance as an ongoing practice rather than a one-time audit. We use NUL itself to monitor our own governance posture.

2. Infrastructure and Hosting

NUL Systems is hosted on Fly.io, which maintains world-class physical and network security, including SOC 2 Type II, ISO 27001, and other industry-standard certifications. Our infrastructure is hosted in the US-East region (Ashburn, Virginia).

We use modern infrastructure practices including container orchestration, infrastructure-as-code, and automated deployment pipelines. Network traffic is isolated using virtual private networks and security groups, and access to production infrastructure is limited to authorized engineers through multi-factor authentication.

3. Encryption

3.1 Encryption in Transit

All data transmitted between your browser, our APIs, and our infrastructure is encrypted in transit using TLS 1.2 or higher. We enforce HTTPS across all endpoints and do not support insecure protocols.

3.2 Encryption at Rest

Customer Data stored in our systems, including databases, object storage, and backups, is encrypted at rest using AES-256 encryption. Encryption keys are managed by each infrastructure provider's key management service (KMS) with strict access controls; we do not layer application-level encryption on top.

3.3 Passwords and Credentials

User passwords are never stored in plaintext. We hash passwords using industry-standard algorithms (bcrypt or equivalent) with unique salts. API keys and secrets are stored in dedicated secret management systems.

4. Data Isolation

NUL Systems is a multi-tenant SaaS platform operating on a shared-database, shared-schema model. Customer Data is logically isolated by organization_id scoping enforced in the application and authentication layers: every authenticated request is bound to the caller's organization via a signed JWT, and every tenant-scoped query filters on that organization ID. We additionally use Postgres Row-Level Security as a defense-in-depth control at the database layer.
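The database-layer control described above could look like the following in Postgres. This is an added example, not NUL Systems' own schema or code; the table `policies`, the role `app_user`, the setting name `app.current_org_id`, and the UUIDs are assumptions constructed for illustration.

```sql
-- Illustrative shared-schema table: every row carries its tenant's organization_id.
CREATE TABLE policies (
    id              bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    organization_id uuid NOT NULL,
    title           text NOT NULL
);

-- Turn RLS on, and FORCE it so the table owner is subject to it as well.
-- Superusers and roles with BYPASSRLS still bypass it, so the application
-- must connect as an ordinary role.
ALTER TABLE policies ENABLE ROW LEVEL SECURITY;
ALTER TABLE policies FORCE ROW LEVEL SECURITY;

-- Rows are visible (USING) and writable (WITH CHECK) only when they match the
-- organization bound to the current transaction. An unset or empty setting
-- becomes NULL, the comparison is not true, and the policy fails closed.
CREATE POLICY tenant_isolation ON policies
    USING (organization_id =
           NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (organization_id =
           NULLIF(current_setting('app.current_org_id', true), '')::uuid);

CREATE ROLE app_user NOLOGIN;          -- hypothetical application role
GRANT SELECT ON policies TO app_user;

-- Constructed sample data: one row per tenant, each inserted under its own binding.
BEGIN;
SELECT set_config('app.current_org_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO policies (organization_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'Org A travel policy');
SELECT set_config('app.current_org_id', '22222222-2222-2222-2222-222222222222', true);
INSERT INTO policies (organization_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'Org B expense policy');
COMMIT;

-- Per request: the application verifies the JWT signature first, then binds the
-- organization claim for this transaction only (third argument true = local).
SET ROLE app_user;
BEGIN;
SELECT set_config('app.current_org_id', '11111111-1111-1111-1111-111111111111', true);
-- The application still filters explicitly; the policy is the second layer and
-- applies even to a query that omits the WHERE clause.
SELECT id, title FROM policies
WHERE organization_id = '11111111-1111-1111-1111-111111111111';
SELECT id, title FROM policies;
COMMIT;

-- Outside a bound transaction no organization is set, so the policy matches no rows.
SELECT count(*) FROM policies;
RESET ROLE;
```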

Access to Customer Data by our own team is limited, logged, and auditable.

5. Access Controls

5.1 User Access

Customer accounts require a verified email address. We support strong passwords and plan to offer single sign-on (SSO) and multi-factor authentication (MFA) as the Service matures. Session tokens expire after a period of inactivity.

5.2 Internal Access

Access to production systems, customer data, and sensitive infrastructure is restricted to authorized personnel on a least-privilege basis. All internal access requires multi-factor authentication and is logged for audit purposes. We do not access Customer Data except as necessary to provide support or investigate an operational issue, and only with appropriate authorization.

6. Backups and Disaster Recovery

Backups of Customer Data are managed by our infrastructure providers. Our managed Postgres performs continuous write-ahead log (WAL) archival and daily snapshots; our managed graph database (Neo4j Aura) performs daily snapshots. Backups are encrypted and stored in a region separate from the primary. We maintain a disaster recovery plan with defined recovery time and recovery point objectives, and we will conduct and document our first end-to-end restore drill before general availability.

7. Monitoring and Incident Response

We continuously monitor our infrastructure and application for availability, performance, and security signals. This includes:

  • Application performance monitoring and error tracking
  • Infrastructure logging and alerting
  • Unusual access pattern detection
  • Automated vulnerability scanning of our codebase and dependencies

We maintain an incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. In the event of a security incident affecting your data, we will notify you without undue delay and in accordance with applicable law.

8. Secure Development Practices

We follow modern secure software development practices:

  • Code review required before changes merge to production
  • Automated testing and continuous integration pipelines
  • Dependency vulnerability scanning and automated updates
  • Separation of development, staging, and production environments
  • Version-controlled infrastructure and configuration

9. Subprocessors

We use a limited set of trusted third-party service providers ("subprocessors") to operate NUL Systems. Each subprocessor is evaluated for security and contractually bound to appropriate data protection commitments. Our current subprocessors include:

  • Stripe, payment processing (SOC 1, SOC 2, PCI DSS Level 1)
  • Fly.io, application hosting and managed Postgres, US-East region (SOC 2 Type II, ISO 27001)
  • Supabase, managed Postgres database (SOC 2 Type II)
  • Neo4j Aura, managed graph database for the policy graph (SOC 2 Type II)
  • Resend, transactional email delivery

We update this list as our service providers change. Material changes will be communicated to active customers.

10. Compliance and Certifications

Where we are today. NUL Systems is in its pre-audit phase. We are actively building the control environment required for SOC 2 Type I, with a target kickoff alongside our first enterprise deployment. We will move to Type II within twelve months of Type I issuance. In the meantime, our hosting providers (listed in Section 9) maintain SOC 2 Type II, ISO 27001, and other industry certifications that underpin the platform.

Our compliance roadmap:

  • Today: Operating on SOC 2 / ISO 27001 certified infrastructure; internal controls aligned to SOC 2 Trust Services Criteria
  • Near term: SOC 2 Type I formal audit kickoff with our first enterprise customer
  • Within 12 months of Type I: SOC 2 Type II report issuance
  • Evaluating: ISO 27001, HIPAA readiness, and additional frameworks as customer demand dictates

11. Your Role in Security

Security is a shared responsibility. We protect the Service and your data at the infrastructure and application level. You are responsible for:

  • Choosing a strong, unique password for your account
  • Keeping your credentials confidential
  • Enabling multi-factor authentication when available
  • Managing who has access to your account and reviewing access regularly
  • Notifying us immediately of any suspected unauthorized access

12. Responsible Disclosure

We welcome reports from security researchers and the broader community. If you believe you have discovered a security vulnerability in NUL Systems, please report it responsibly.

Contact: security@delphiinsights.us

We ask that you give us a reasonable time to investigate and remediate before public disclosure. We will acknowledge your report promptly and keep you informed of our progress. We do not currently operate a paid bug bounty program, but we recognize researchers who report in good faith.

13. Questions?

We believe transparency is the foundation of trust. If you are evaluating NUL Systems and need more detail on any of the above for a vendor security review, procurement process, or internal risk assessment, we are happy to help.

Delphi Insights, LLC

Security inquiries: security@delphiinsights.us

General contact: info@delphiinsights.us

NUL Systems, Inc. is a wholly-owned subsidiary of Delphi Insights, LLC. A Woman-Owned Small Business. © 2026 Delphi Insights, LLC. All rights reserved.