Trust
Nexus connects people across communities, and that means we handle personal and professional information you trust us with. Trust is a system, not a statement: how we handle your data, our GDPR position, the vendors we rely on, the commitments we make to EU and enterprise customers, and where we are on our security roadmap all live on this page so you can audit them in one place.
If you are evaluating Nexus for your community or organization and you need a document we do not yet publish here — a signed DPA, our security questionnaire response, a specific compliance attestation — email privacy@nexus.app and we will respond within five business days.
Nexus is a platform for communities to connect their members. That means we handle two kinds of data: data about the people in a community (names, emails, profile information, the interactions they have in Nexus) and data about the communities themselves (member lists, admin configuration, billing details).
We collect four categories of data:

- Identity and contact data you provide when you create an account.
- Profile content you publish inside a community.
- Meeting content: calendar bookings, and session transcripts when you explicitly enable transcription.
- Technical usage data we use to operate and secure the service.
Primary application data is stored in PostgreSQL hosted on AWS. Files and uploads are stored in AWS S3. We do not sell, trade, or rent your data. A full list of sub-processors who may access data on our behalf is below.
We retain personal data only as long as we need it for the purpose for which it was collected. When an account is deleted, personal data is removed from production systems within 30 days, with the category-specific exceptions below.
If you are an individual in the EU or EEA, the General Data Protection Regulation (GDPR) gives you a set of rights over your personal data; if you are in the UK, the UK GDPR gives you equivalent rights. We comply with both, and we honor requests that fall within those rights from any user, wherever they are located.
For community members, Nexus typically acts as a data processor on behalf of the community operator (our customer), who is the data controller. For the Nexus account itself — billing, admin users, platform-level activity — we act as the data controller.
Where we act as data controller, we rely on the following lawful bases under Article 6 of the GDPR:
Where we act as processor for a community operator, the operator is responsible for determining the lawful basis for processing community member data, and we process that data on their documented instructions.
You have the right to access the personal data we hold about you, correct it, delete it, restrict or object to processing, and receive it in a portable format. You can exercise most of these rights from your account settings. For anything that cannot be handled in-app, email privacy@nexus.app and we will respond within 30 days.
Some of our sub-processors operate in the United States. Where personal data moves from the EU, UK, or EEA to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum as the transfer mechanism.
We offer a Data Processing Addendum (DPA) to customers who need one for their own GDPR compliance. Email privacy@nexus.app and we will send it over for signature.
Where we rely on consent as our lawful basis, consent is opt-in, granular, and withdrawable at any time. We keep an audit record of when and how consent was given. For example, the timestamp at which you accepted our Terms of Service and Privacy Policy at signup is recorded by our identity provider (Clerk, listed under sub-processors below).
We do not send marketing emails. The only emails we send are transactional and service-related: account notifications, security alerts, and updates from communities you are a member of.
Transcription is off by default. The meeting host can enable it per session, and both participants are notified before transcription begins. Each consent event is logged with the user, session, and timestamp. Either participant can stop transcription at any time, and a transcript can be deleted by either participant or by the community admin.
These are the third parties we rely on to operate Nexus. They may process personal data on our behalf and are bound by contractual obligations equivalent to those we make to you.
| Vendor | Purpose | Region |
|---|---|---|
| Amazon Web Services (AWS) | Application hosting, database, file storage (S3) | United States |
| Clerk | Authentication and identity management | United States |
| OpenAI | AI model inference for platform features | United States |
| Daily.co | 1:1 video sessions and transcription | United States / EU |
| Resend | Transactional email delivery | United States |
| Sentry | Error monitoring and observability | United States |
We have executed data processing agreements with each sub-processor listed above. Where personal data is transferred outside the EU, UK, or EEA, those agreements incorporate the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable) as the transfer mechanism.
We will notify customers in advance of any material change to this list. To subscribe to sub-processor update notifications, email privacy@nexus.app.
Data is encrypted in transit using TLS 1.2 or higher. Data at rest in our databases and file storage is encrypted using AES-256.
Access to production systems is limited to authorized Nexus personnel, gated by single sign-on and multi-factor authentication, and logged. Engineers are granted the minimum privileges necessary to do their work.
We log application and infrastructure events and alert on anomalies. Errors are captured through Sentry for investigation.
Code changes are reviewed before deployment. Dependencies are monitored for known vulnerabilities, and we update promptly when issues are disclosed.
SOC 2 Type II: We are currently preparing for a SOC 2 Type II audit. Once the audit is complete, the report will be available from this page under NDA. If you need visibility into our controls before then, we will share our in-progress control documentation under NDA. Email security@nexus.app.
GDPR: See the GDPR section above.
CCPA / CPRA: California residents have the rights to know, access, delete, correct, and port their personal information, and the right to non-discrimination for exercising them. We do not sell or share personal information for cross-context behavioral advertising. Full disclosures are in the California section of our Privacy Policy.
Other frameworks: If your procurement process requires a specific standard (ISO 27001, HIPAA, etc.) that we have not yet pursued, tell us — it helps us prioritize.
If we discover a security incident that affects your data, we will notify you without undue delay, and in any event within the timeframes required by applicable law. For GDPR-covered incidents this means within 72 hours of becoming aware: where we are the controller, that is the Article 33 deadline for notifying the supervisory authority; where we are the processor for a community operator, we notify the operator without undue delay so they can meet their own 72-hour obligation. Notifications will describe what happened, what data was affected, what we are doing to contain and remediate it, and what you can do in response.
If you believe you have discovered a vulnerability in Nexus, please report it to security@nexus.app. We will acknowledge your report within two business days.
The documents below are the binding versions of the policies referenced on this page.
Privacy, data subject requests, DPAs: privacy@nexus.app
Security issues, vulnerability reports, SOC 2 documentation: security@nexus.app