NordixSystems

Security at Nordix Systems

How Nordix Systems protects tenant data: AWS-native infrastructure, encryption in transit and at rest, row-level multi-tenant isolation, GDPR/LGPD readiness, SOC 2 in progress.

Security is not a feature we bolt on at the end. It is the way we build. Below is a plain summary of how Nordix Systems protects customer data. For deeper diligence — DPIA support, SIG questionnaires, architecture diagrams — contact your account owner.

Data residency

Nordix BIOS runs on Amazon Web Services. Tenant data is stored in the AWS region closest to the customer. EU customers are hosted in eu-west-1 (Ireland) by default; LATAM customers in sa-east-1 (São Paulo). We do not move tenant data across regions without a documented contractual reason.

Encryption

All traffic between clients and Nordix BIOS is encrypted with TLS 1.2 or higher. All data at rest — PostgreSQL, S3, queues, logs — is encrypted with AWS-managed KMS keys. Secrets are stored in AWS Secrets Manager and rotated.

Multi-tenant isolation

Every production table that holds tenant-scoped data carries a tenant_id column and is protected by PostgreSQL row-level security policies. The connection a request runs on is bound to the calling tenant before any query executes. There is no application-layer "WHERE tenant_id = ?" filter you have to remember to add — the database enforces it.

100% RLS coverage across 361 production tables. Internal audit, 2026-04-27.
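
The isolation pattern described above, as an added PostgreSQL example (not Nordix's own schema or code): a row-level security policy keyed on tenant_id, a transaction-scoped tenant binding, and catalog queries that check coverage. The table invoices, the setting name app.tenant_id, and the sample UUID are assumptions made for illustration.

```sql
-- Hypothetical tenant-scoped table (name and columns are assumptions).
CREATE TABLE invoices (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    amount    numeric(12,2) NOT NULL
);

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is exempt from its own policies.
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- app.tenant_id is an assumed custom setting. With missing_ok = true an unset
-- value is NULL, and NULLIF maps a reset ('') value to NULL as well, so a
-- connection with no tenant bound matches no rows instead of all rows.
CREATE POLICY tenant_isolation ON invoices
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request: bind the tenant before any query runs. is_local = true scopes
-- the value to this transaction, so a pooled connection cannot carry one
-- tenant's id into the next request.
BEGIN;
SELECT set_config('app.tenant_id', '00000000-0000-0000-0000-0000000000a1', true); -- constructed UUID
SELECT id, amount FROM invoices;   -- no WHERE clause; the policy filters rows
COMMIT;

-- Coverage check: tables with a tenant_id column where RLS is not enabled,
-- not forced, or has no policy attached. An empty result means full coverage.
SELECT c.relnamespace::regnamespace AS schema_name,
       c.relname                    AS table_name,
       c.relrowsecurity             AS rls_enabled,
       c.relforcerowsecurity        AS rls_forced
FROM pg_class c
JOIN pg_attribute a
  ON a.attrelid = c.oid AND a.attname = 'tenant_id' AND NOT a.attisdropped
WHERE c.relkind IN ('r', 'p')
  AND (NOT c.relrowsecurity
       OR NOT c.relforcerowsecurity
       OR NOT EXISTS (SELECT 1 FROM pg_policy p WHERE p.polrelid = c.oid));

-- Roles that skip every policy regardless of the above; the application's
-- runtime role should not appear in this list.
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```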

Compliance roadmap

  • GDPR (EU) — ready. Data processing agreement available. Subject access and deletion requests supported.
  • LGPD (Brazil) — ready. Aligned with GDPR scope; Portuguese-language DPA on request.
  • SOC 2 Type II — in progress. Targeted readiness completion in late 2026.

Subprocessors

We use a small, audited list of subprocessors to operate Nordix BIOS:

  • Amazon Web Services — infrastructure, storage, compute.
  • Stripe — payment processing. Card data never touches Nordix servers.
  • Postmark and Amazon SES — transactional email.
  • Amazon Pinpoint — SMS and WhatsApp routing.
  • OpenAI and Anthropic — model inference for selected agent tasks, under enterprise data processing terms with no training on customer data.

The full list, with regions and purposes, is in the DPA. We update it whenever it changes, with 30 days' notice.

Vulnerability disclosure

If you find a security issue, please email security@nordixsystems.com. We respond within one business day. We do not currently run a public bounty program, but we acknowledge researchers in our hall of fame and offer Nordix credit for valid reports.

Please do not test against production tenants. We can stand up a sandbox tenant for coordinated testing on request.

Frequently asked questions

  • Where is my tenant data stored?

    EU customers are hosted on AWS eu-west-1 (Ireland) by default; LATAM customers on sa-east-1 (São Paulo). Data does not leave the assigned region without a documented contractual reason. We can support additional regions for enterprise contracts on request.

  • Does Nordix BIOS train its models on our data?

    No. We use OpenAI and Anthropic under enterprise data processing terms that explicitly forbid training on customer data. We also do not fine-tune shared models on tenant content. Per-tenant agent customization happens at the prompt and tool layer, not by re-training a model.

  • How is PII handled in agent conversations?

    Conversations are stored encrypted, scoped to the tenant, and accessible only to authorized tenant users. Sensitive fields — card numbers, government IDs — are redacted from logs. You can request deletion of any conversation under GDPR and LGPD subject rights. We honor deletion within 30 days.

  • What happens if the underlying cloud has an outage?

    Nordix BIOS is deployed multi-AZ within the customer's primary region. Critical state is replicated to a secondary region for disaster recovery. Our recovery time objective is four hours and recovery point objective is one hour. Customers on enterprise plans get tighter SLAs.
