Security & Trust Center

Platform Architecture

Enterprise-grade infrastructure with global resilience

Google Cloud Platform

Hosted on GCP with multi-region deployment (US, Europe) for high availability and data residency compliance.

Defense in Depth

Layered security with Global HTTPS Load Balancer, Cloud Armor WAF, and VPC firewalls protecting every layer.

Zero-Integration Design

No agents, no API keys, no privileged access required. Discover assets from public sources without expanding attack surface.

Data Protection & Encryption

Your data is encrypted at rest and in transit

Encryption at Rest

✓ AES-256 encryption for all data stored on GCP (databases, logs, backups)
✓ Google Cloud KMS for key management with automated annual rotation
✓ Immutable backups with encryption and secure deletion capabilities
✓ HSM-backed key storage ensuring keys are never exposed in plaintext

Encryption in Transit

✓ TLS 1.2+ enforced via GCP SSL policy for all external connections
✓ HTTPS-only access through Global Load Balancer with automatic TLS termination
✓ Internal encryption for traffic between Google Cloud services
✓ SendGrid over TLS for automated email notifications

Data Classification & Handling

We maintain a comprehensive Data Classification & Handling Policy with three levels:

Public: Information intended for public distribution
Internal: Business information for internal use only
Confidential: Sensitive data requiring strict protection controls

Data Lifecycle Management

✓ Production data isolation: Production data never replicated to non-production environments
✓ Test data sanitization: Only synthetic or anonymized data used for development/testing
✓ Secure deletion: Cryptographic erasure (NIST 800-88 aligned) for decommissioned storage

Access Control & Authentication

Least-privilege access with comprehensive audit trails

Authentication & Identity

✓ Firebase Authentication with SSO/SAML integration for enterprise customers
✓ Multi-factor authentication (MFA) enforced for all admin and engineering access
✓ OTP/SSO only - no local passwords stored or managed
✓ Adaptive lockout and risk-based login challenges via Google/SSO
✓ Session management: 30-minute token refresh, 60-minute expiration

Access Management

✓ Google Cloud IAM with role-based access control (RBAC) and least-privilege principles
✓ Quarterly access reviews for all administrative accounts and entitlements
✓ Automated deprovisioning upon employee status changes
✓ Comprehensive audit logging of all access and administrative actions
✓ Restricted physical access via Google Cloud data center controls (CCTV, biometrics, guards)

Secure Software Development

Security built into every phase of development

Development Phase

✓ OWASP-aligned secure coding standards
✓ Mandatory peer code review
✓ Static Application Security Testing (SAST)
✓ Threat modeling and security requirements

Testing Phase

✓ Dynamic Application Security Testing (DAST)
✓ Automated vulnerability scanning
✓ Input validation and injection prevention
✓ Production/non-production environment segregation

Release Phase

✓ CI/CD pipeline with security gates
✓ Automated testing before deployment
✓ Change management with risk assessment
✓ Debug code removal verification

GitHub Security Controls

Private repositories with MFA enforcement, role-based access, and audit logging. Source code access restricted to authorized developers only.

Network & Application Security

Multi-layered defense protecting against modern threats

Cloud Armor WAF

✓ L3/L4/L7 DDoS protection with Google's global Anycast network absorbing volumetric attacks
✓ Rate limiting and throttling to prevent abuse and resource exhaustion
✓ Adaptive protection with automatic rule tuning based on traffic patterns
✓ Deep packet inspection for detecting and blocking malicious payloads

Network Controls

✓ VPC firewall rules with default-deny and least-privilege network access
✓ Network segmentation isolating production, staging, and development environments
✓ VPC Flow Logs monitoring for network anomaly detection
✓ Quarterly firewall rule reviews with business justification documentation

Application Security

✓ Input validation and parameterized queries preventing SQL injection
✓ Output encoding preventing Cross-Site Scripting (XSS) attacks
✓ ModSecurity WAF providing host-based application layer inspection

✓ API security with authentication, rate limiting, and IP filtering
✓ Secure error handling preventing information disclosure
✓ Tenant isolation via authentication and database segregation

Operating System Hardening

✓ Ubuntu LTS with minimal services and automatic security updates
✓ Baseline hardening following industry best practices (CIS benchmarks)
✓ Critical patches applied immediately with customer notification

Monitoring & Incident Response

24/7 visibility and rapid response capabilities

Continuous Monitoring

✓ Google Cloud Operations for infrastructure and application performance monitoring
✓ Comprehensive audit logging of all administrative actions and security events
✓ Automated alerting for suspicious activity and threshold violations
✓ Log retention with tamper-proof storage and restricted access
✓ Regular log reviews for security event analysis

Incident Management

✓ Formal incident response policy with defined roles and procedures
✓ Rapid escalation paths for security incidents
✓ Customer notifications for incidents affecting service availability or data
✓ Post-incident reviews and continuous improvement process
✓ Vulnerability disclosure program via info@nodezro.com

Compliance & Independent Testing

Verified security through regular assessments

Penetration Testing

✓ Annual external testing by independent third-party security firms
✓ OWASP/PTES methodology covering network and application layers
✓ Remediation verification with follow-up retesting
✓ Most recent assessment: Fortifi (January 2025) with retest validation

Internal Audits

✓ Quarterly access control audits reviewing accounts and permissions
✓ Regular logging audits with monitoring and periodic reviews
✓ SDLC control audits ensuring secure development practices
✓ Annual policy reviews keeping documentation current

Standards & Frameworks

Development

• OWASP SAMM
• Secure SDLC
• SAST/DAST

Architecture

• CSA Best Practices
• Google Cloud Security Reference
• Defense in Depth

Data Protection

• NIST 800-88 (Secure Deletion)
• NIST SP 800-57 (Key Management)
• GDPR Compliance

Business Continuity & Resilience

Built for availability and rapid recovery

Multi-Region Deployment

Active deployment across multiple GCP regions (US Central, Europe West, Europe North) for high availability and data residency compliance.

Backup & Disaster Recovery

Automated daily backups with immutable storage, Google Cloud Backup and DR for point-in-time recovery, and tested restore procedures.

High Availability

99.9% uptime SLA supported by redundant infrastructure, automated failover, and 24/7 monitoring with alerting.

Change Management

Our Platform Update Policy defines risk-based change categories with appropriate notification windows and rollback procedures:

Patch

Immediate, security-critical fixes

Maintenance

Minor updates, 24h notice

Minor

Feature updates, 72h notice

Major

Breaking changes, 2 week notice

Security Contact

We welcome security researchers, customers, and partners to contact us regarding security matters.

Security Inquiries

info@nodezro.com

Privacy Matters

info@nodezro.com

General Contact

info@nodezro.com

For vulnerability disclosures, please include detailed information about the issue, steps to reproduce, and any relevant supporting materials. We typically respond within 24-48 hours.

Last updated: November 2025 • Security documentation available upon request for enterprise customers