
Security

Last updated · 28 May 2026

Draft, pending legal review

This text has been drafted as a baseline. It must be reviewed by a lawyer before being treated as binding official policy. The platform facts are accurate.

At Neexis Render we take the security of your data and your creative content seriously. This page describes the technical and organizational measures we apply to protect the information you entrust to us. The policy is aligned with the GDPR and LOPDGDD and complements our Privacy Policy and Terms of Service.

1. Encryption

  • In transit: all traffic between the user's browser and our infrastructure travels over TLS 1.3 with modern cipher suites. We do not accept unencrypted connections.
  • At rest: uploads, generated renders and user data are stored with AES-256. Keys are managed via the cloud provider's KMS.
  • Passwords: passwords are stored using strong hashing and are not recoverable; to regain access, a single-use reset-link flow is used instead.

2. Infrastructure

Neexis Render runs on Google Cloud Platform, primarily in the europe-west9 (Paris) region so that personal data of EU users remains, by default, within the EEA.

  • Network isolation via VPC and restrictive firewall rules.
  • Administrative server access only via MFA-authenticated bastions with full audit logging.
  • Immutable images and reproducible deployments; any production change is tracked in source control.

3. Multi-tenant user isolation

Each user has their own isolated storage bucket within the object provider. A user's models, images and renders are not accessible from another user's account, not even by mistake: isolation is enforced at the IAM level, not only at application level.

4. Identity, authentication and access control

  • Sign-in by password or by Google OAuth.
  • For the internal team, access to systems containing personal data requires multi-factor authentication and is granted following the principle of least privilege.
  • Production credentials and secrets are kept in an encrypted secret manager; never in code repositories.
  • Session tokens expire and can be revoked from the account itself.

5. No AI training on your content

As also detailed in the Privacy Policy and Terms of Service: Neexis Render does not use your uploads or generated renders to train AI models, either our own or third-party.

When we process content through generative-model providers (e.g. Google's Gemini), we do so in inference mode only, under contracts that prohibit using content as training data. Files are transmitted encrypted and are not retained by the provider beyond the time needed to return the result.

6. Backups and recovery

  • Periodic encrypted backups of relational databases and object storage.
  • Backups are stored in locations separate from the operational base.
  • We test restoration procedures so that disaster recovery is real, not just theoretical.

7. Monitoring and logging

  • Application, infrastructure and authentication logs are centralized; relevant alerts are notified to the team in real time.
  • Health and availability metrics are continuously monitored (CPU, latencies, errors).
  • Detection of anomalous patterns (cascading failed login attempts, traffic spikes, unusual API usage).

8. Payments

Payments are processed via Stripe. Full card data never touches Neexis Render servers: it is sent directly to Stripe (PCI-DSS) from the user's browser via tokenized secure elements.

9. Incident management

In the event of a security incident that may affect your data:

  • We trigger an internal containment, investigation and mitigation process.
  • If the incident poses a risk to user rights, we notify the Spanish Data Protection Agency within 72 hours pursuant to Article 33 of the GDPR.
  • We inform affected users without undue delay where required under Article 34 of the GDPR.

10. Responsible disclosure

If you discover a vulnerability in Neexis Render, please report it to us privately before making it public, so we can investigate and fix it without putting other users at risk.

Channel: [email protected] with the subject "Security report". We will endeavor to respond within a reasonable timeframe. We sincerely appreciate the security community's collaboration.

11. Regulatory compliance

  • GDPR (Regulation (EU) 2016/679): details on how we process personal data are in the Privacy Policy.
  • LOPDGDD (Organic Law 3/2018), which supplements the GDPR in Spain.
  • LSSI (Law 34/2002 on information-society services and e-commerce).
  • ISO 27001-certified providers (Google Cloud, Stripe) for external components.

12. Contact

For any question or security report: [email protected].

This page was originally drafted in Spanish. In case of a conflict of interpretation between language versions, the Spanish version shall prevail.

© 2026 Neexis Studio. The browser-native 3D rendering studio.