Security
Last updated: June 15, 2025
Security is foundational to Nexus Suite. We designed the system with a local-first, zero-knowledge architecture so your code and data stay under your control. This page describes our security practices, encryption standards, and how to report vulnerabilities.
1. Zero-Knowledge Sync
When Pro and Studio tier users enable sync, all data — settings, skills, and memory — is encrypted on the client device before being transmitted to our servers. The encryption key is derived from your password and never leaves your device.
Our servers store only encrypted blobs. We cannot decrypt, read, or access the plaintext content of your synced data. This zero-knowledge architecture means that even in the event of a server breach, your synced data remains protected.
2. Authentication
JWT-based authentication
All authenticated API requests use JSON Web Tokens (JWT) signed with RS256 asymmetric keys. Access tokens expire after 15 minutes. Refresh tokens are valid for 30 days and are rotated on each use — the previous token is immediately invalidated.
Password security
Passwords are hashed using Argon2id with 64 MB memory cost, 3 iterations, and a unique 16-byte salt per password. We enforce a minimum password length of 12 characters. Accounts are temporarily locked after 5 failed login attempts within 15 minutes.
Device code flow
NexusIDE and NexusCore CLI authenticate using the OAuth 2.0 Device Code Flow. Users authorize in a browser, and credentials are stored in the operating system's secure credential storage (macOS Keychain, Windows Credential Manager, Linux Secret Service).
Enterprise SSO
Studio tier organizations can configure SAML 2.0 Single Sign-On with their corporate identity provider. All SSO authentication events are logged to the audit log.
3. Encryption Standards
- Data at rest: AES-256 encryption for all stored data
- Data in transit: TLS 1.2+ for all connections
- Password hashing: Argon2id (64 MB memory, 3 iterations, 1 parallelism)
- Token signing: RS256 (RSA with SHA-256) for JWTs
- API key storage: AES-256-GCM encryption for stored cloud provider API keys
- Sync encryption: Client-side encryption with user-derived keys (zero-knowledge)
- Telegram bridge: End-to-end encryption via X25519 key exchange + AES-256-GCM
4. Infrastructure Security
- API rate limiting per user tier and per IP address to prevent abuse
- Redis-backed JWT blacklist for immediate token revocation
- Stripe webhook signature verification on all payment events
- Idempotent webhook processing to prevent duplicate operations
- Structured logging and monitoring with alerting on anomalies
- Regular dependency updates and vulnerability scanning
5. Cloud Model Brokering
When using cloud model brokering (Pro and Studio tiers), Nexus Suite proxies requests to cloud AI providers. We do not store or log the content of your requests or responses — the service operates as a pass-through proxy. Your API keys are stored encrypted at rest using AES-256-GCM.
6. Responsible Disclosure
We take security vulnerabilities seriously. If you discover a security issue in any Nexus Suite product or service, please report it responsibly.
How to report
Email security@nexus-suite.dev with a description of the vulnerability, steps to reproduce, and any relevant proof-of-concept code.
What to expect
- Acknowledgment within 48 hours
- Regular updates on our investigation progress
- Credit in our security advisories (if desired)
- We will not take legal action against researchers who follow responsible disclosure practices
Scope
The following are in scope: api.nexus-suite.dev, nexus-suite.dev, NexusCore CLI, NexusIDE, and all official Nexus Suite GitHub repositories.
7. Audit Logging
Studio tier organizations have access to comprehensive audit logs covering all security-relevant events: sign-in/sign-out, subscription changes, team membership changes, role assignments, SSO configuration, MCP server provisioning, and skill publishing. Audit logs are retained for a minimum of 1 year and can be exported in JSON or CSV format.
8. Contact
For security questions or concerns, contact us at security@nexus-suite.dev.
Changelog
- June 15, 2025 — Initial publication of Security page.