Enterprise Security

Compliance & Security

Built from the ground up for regulated industries. HIPAA, PCI-DSS, GDPR, and SOC 2 compliance features are native to the platform, not afterthoughts.

HIPAAReady

PCI-DSSCompliant

GDPRCompliant

SOC 2Type II

Compliance Frameworks

HIPAA

Health Insurance Portability and Accountability Act

US federal law protecting sensitive patient health information from disclosure without consent.

Nexion Features

HIPAA Safe Harbor de-identification (18 identifiers)
PHI auto-detection and protection
Encryption at rest and in transit (AES-256)
Strict resource-level RBAC (BAA requirement)
Comprehensive audit logging for all access
Business Associate Agreement (BAA) alignment
Data retention policies

HealthcareHealth InsuranceHealthcare ITPharmaceutical

Requirements Coverage

Administrative SafeguardsBuilt-in

Physical SafeguardsCloud Provider

Technical SafeguardsBuilt-in

Breach NotificationSupported

PCI-DSS

Payment Card Industry Data Security Standard

Security standard for organizations handling branded credit cards from major card schemes.

Nexion Features

Credit card number tokenization
PAN truncation support (first 6, last 4)
Cardholder data isolation in dedicated pods
Network segmentation via Data Pods
Strong access control measures
Encryption of cardholder data
Audit trail for all access

RetailE-commerceFinancial ServicesPayment Processing

Requirements Coverage

Build Secure NetworkBuilt-in

Protect Cardholder DataBuilt-in

Vulnerability ManagementSupported

Access ControlBuilt-in

Network MonitoringBuilt-in

Security PolicySupported

SOC 2

Service Organization Control 2

Auditing procedure ensuring service providers securely manage data to protect privacy.

Nexion Features

Comprehensive audit logging
Access control and authentication
Change management tracking
Incident response procedures
Availability monitoring
Confidentiality controls

SaaSCloud ServicesData ProcessorsEnterprise Software

Requirements Coverage

SecurityBuilt-in

AvailabilitySLA 99.9%

Processing IntegrityBuilt-in

ConfidentialityBuilt-in

PrivacyBuilt-in

45 CFR §164.514(b)(2)

HIPAA Safe Harbor De-identification

Nexion detects and protects all 18 HIPAA Safe Harbor identifiers at runtime, before data is persisted. Choose from 6 protection methods based on your use case.

MASK

Partial masking

***-***-1234

HASH

SHA-256 hash

a8f5f167...

REDACT

Full removal

[REDACTED]

ENCRYPT

AES-256

gAAAABl7...

TOKENIZE

Token vault

tok_xxxxx

SKIP

Exclude field

(removed)

18 Safe Harbor Identifiers × 6 Protection Methods

Complete mapping of HIPAA-required identifiers to Nexion protection methods

#	Identifier	MASK	HASH	REDACT	ENCRYPT	TOKENIZE	SKIP
1	Names	✓	✓	✓	✓	✓	✓
2	Geographic data (< state)	✓	—	✓	—	—	✓
3	Dates (except year)	✓	—	✓	—	—	✓
4	Phone numbers	✓	✓	✓	✓	✓	✓
5	Fax numbers	✓	✓	✓	✓	✓	✓
6	Email addresses	✓	✓	✓	✓	✓	✓
7	Social Security numbers	—	✓	✓	✓	✓	✓
8	Medical record numbers	—	✓	✓	✓	✓	✓
9	Health plan IDs	—	✓	✓	✓	✓	✓
10	Account numbers	—	✓	✓	✓	✓	✓
11	Certificate/license numbers	—	✓	✓	✓	✓	✓
12	Vehicle identifiers	—	✓	✓	—	✓	✓
13	Device identifiers	—	✓	✓	—	✓	✓
14	URLs	—	✓	✓	—	—	✓
15	IP addresses	—	✓	✓	—	—	✓
16	Biometric identifiers	—	—	✓	—	—	✓
17	Full-face photographs	—	—	✓	—	—	✓
18	Other unique identifiers	—	✓	✓	—	✓	✓

✓ = Recommended for this identifier type |— = Not recommended (may expose partial data or not applicable)

Claims Analytics

SSNTOKENIZE

NameMASK

DOBREDACT

MRNHASH

Analytically useful, no re-identification possible

Research Export

NamesSKIP

PhotosSKIP

IP AddressSKIP

All PHIREDACT

Fully de-identified for external sharing

Clinical Operations

Patient IDTOKENIZE

Medical RecordsENCRYPT

DiagnosisENCRYPT

Provider NotesENCRYPT

Accessible with authorization, full audit trail

Strict Resource-Level RBAC

BAA/HIPAA Compliant

Nexion implements strict Role-Based Access Control at the resource level, a key requirement for BAA/HIPAA compliance. Every API endpoint enforces granular permissions based on resource type, action, and user role.All permission checks are enforced at API level.

9 Resource Types Protected

Data PodsPipelinesSourcesConnectorsSchedulesGovernanceUsersRolesOrganizations

6 Action Types

READWRITEDELETEEXECUTEADMINAPPROVE

Role	Data Pods	Pipelines	Governance	Users
ADMIN	Full Access	Full Access	Full Access	Full Access
ENGINEER	Read, Write, Execute	Read, Write, Execute	Read, Write	Read Only
ANALYST	Read, Execute	Read, Execute	Read Only	No Access
VIEWER	Read Only	Read Only	Read Only	No Access

Custom Roles: Beyond the default role hierarchy, administrators can create custom roles with fine-grained permissions for specific resources. This enables scenarios like "Pipeline Viewer" who can only read specific pipelines, or "Data Steward" with governance-only write access.

Security Architecture

Enterprise-grade security controls built into every layer of the platform.

Data Protection

Encryption at Rest

AES-256 encryption for all stored data

Encryption in Transit

TLS 1.3 for all data transfers

Key Management

Integration with Azure Key Vault, AWS KMS

Data Masking

6 configurable protection methods

Access Control

Strict Resource-Level RBAC

Granular permissions per resource type and action (READ, WRITE, DELETE, EXECUTE, ADMIN)

Role Hierarchy

4-tier role system: ADMIN > ENGINEER > ANALYST > VIEWER

Custom Roles

Define custom roles with specific permissions per resource

SSO Integration

SAML 2.0, OAuth 2.0, OpenID Connect

MFA Support

Multi-factor authentication required

API Key Management

Scoped API keys with rotation

Audit & Monitoring

Comprehensive Audit Logs

All actions logged with user, timestamp, and details

Real-time Monitoring

Pipeline execution monitoring and alerts

Anomaly Detection

Unusual access pattern detection

Compliance Reports

Exportable audit reports

Infrastructure

Cloud-Native

Deployed on your Azure, AWS, or GCP account

Network Isolation

VNet/VPC integration, private endpoints

Disaster Recovery

Automated backups, cross-region replication

High Availability

99.9% SLA with redundant architecture

Enterprise Infrastructure

Azure Infrastructure Security

Every Azure resource is configured with compliance-grade security settings. Private Endpoints, HSM-backed keys, and 365-day audit retention are standard.

Azure Key Vault

✓Premium SKU (HSM-backed)
✓Purge protection enabled
✓90-day soft delete
✓RBAC authorization
✓Private Endpoints available

PostgreSQL

✓SSL/TLS enforced
✓35-day backup retention
✓Geo-redundant backups
✓Zone-redundant HA (prod)
✓Connection audit logging

Storage Account

✓TLS 1.2 minimum
✓HTTPS only
✓Blob versioning enabled
✓90-day soft delete
✓Geo-redundant (GRS)

Audit Logging

✓365-day retention
✓Key Vault audit events
✓Database query logs
✓Storage R/W/D operations
✓App Service HTTP logs

Redis Cache

✓Premium SKU
✓TLS 1.2 minimum
✓Non-SSL port disabled
✓VNet integration
✓Credentials in Key Vault

Network Security

✓Private Endpoints (optional)
✓Private DNS zones
✓IP whitelisting
✓NSG rules
✓No public internet exposure

Encryption Everywhere

At Rest

Storage AccountAES-256

PostgreSQLAES-256

Key VaultHSM-backed

In Transit

All HTTPS trafficTLS 1.2+

Database connectionsTLS 1.2+

Redis connectionsTLS 1.2+

Your Cloud, Your Data

PaaS Deployment Model

Nexion runs as a managed platform on your cloud infrastructure. Your data never leaves your cloud account, maintaining full control and compliance.

Data stays in your cloud (Azure, AWS, GCP)
Your encryption keys in your Key Vault
VNet/VPC isolation with private endpoints
No data egress to third parties

Cost Model

Nexion PlatformSubscription

Monthly or annual billing

Cloud InfrastructureDirect to provider

Azure, AWS, or GCP - pay as you use

Ready for compliant data operations?

Talk to our compliance team about your requirements.

Request Demo Contact Compliance Team