Your invoice data is sensitive. We treat it that way. Built with security-first architecture, hosted in India, and designed for enterprise compliance requirements.
Data at rest
Data in transit
Data residency
Your data stays yours
Multiple layers of security ensure your financial data remains confidential and protected at every stage.
All invoice data, extracted fields, and documents are encrypted using AES-256 encryption. Even if storage is compromised, data remains unreadable without encryption keys.
All data transmission uses TLS 1.3, the latest encryption protocol. API calls, file uploads, and dashboard access are all encrypted end-to-end.
Encryption keys are managed through Google Cloud KMS with automatic rotation. Keys are never stored alongside encrypted data.
Invoice documents and extracted data are stored in Google Cloud Storage with redundancy across multiple availability zones within India.
Every access to your data is logged with timestamp, user ID, and action performed. Audit logs are retained for 12 months and available on request.
Infrastructure is protected by Google Cloud's enterprise firewall, DDoS protection, and intrusion detection systems monitoring 24/7.
Complete transparency on what happens to your data at each step.
TLS 1.3 encrypted
AES-256 encrypted
Isolated environment
GSTIN, duplicates
Encrypted transfer
We're building Nexum to meet the highest compliance standards for enterprise customers.
All customer data is stored exclusively in Google Cloud's Mumbai (asia-south1) region. Data never leaves India.
Real-time GSTIN validation against government portal. HSN code verification. Tax calculation checks.
Complete audit trail for every invoice — upload, extraction, validation, approval, export. Meets statutory audit requirements.
Configurable retention policies. Delete data on request. Export your data anytime in standard formats.
Clear policies on how we handle your data. No hidden terms.
| Policy | Our Commitment |
|---|---|
| Data Ownership | You own your data. We process it on your behalf. You can export or delete it anytime. |
| AI Training | Your invoice data is never used to train our AI models or any third-party models. |
| Third-Party Sharing | Your data is never sold, shared, or disclosed to third parties except as required by law. |
| Sub-Processors | We use Google Cloud (infrastructure), Google Document AI (OCR), and Anthropic Claude (AI reasoning). All bound by DPAs. |
| Data Retention | Default 7 years (for statutory compliance). Configurable per customer. Deleted data is purged within 30 days. |
| Data Export | Export all your data in JSON/CSV format anytime. No lock-in. |
| Data Deletion | Request deletion anytime. Data is permanently removed from all systems within 30 days. |
| Breach Notification | In the unlikely event of a data breach, we notify affected customers within 72 hours. |
| Employee Access | Nexum employees can only access customer data with explicit permission for support purposes. All access is logged. |
We leverage Google Cloud's enterprise-grade infrastructure for reliability, security, and compliance.
All data stored in GCP's asia-south1 region. Compliant with India's data localization requirements for financial data.
Multi-zone deployment with automatic failover. 99.9% uptime SLA. Regular backups with point-in-time recovery.
Automated backups every 6 hours. Cross-region backup replication. Recovery time objective (RTO) under 4 hours.
Auto-scaling infrastructure handles traffic spikes seamlessly. Process thousands of invoices without performance degradation.
24/7 infrastructure monitoring. Real-time alerts for anomalies. Performance metrics tracked and optimized continuously.
Inherits Google Cloud's SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and PCI DSS certifications.
Strict access controls ensure only authorized personnel can access your data.
Define roles (Admin, Approver, Viewer) with granular permissions. Users only see what they need to see.
MFA available for all accounts. Enforce MFA for admin accounts. Supports authenticator apps and SMS.
Automatic session timeout after inactivity. View active sessions. Remote logout from all devices.
Complete audit log of all user actions. Who did what, when. Export logs for compliance reporting.
SAML 2.0 SSO integration available for enterprise customers. Connect with your existing identity provider.
Restrict access to specific IP addresses or ranges. Ideal for enterprises with fixed office networks.
API access via secure tokens. Token rotation supported. Rate limiting prevents abuse.
Our team cannot access your data without explicit permission. All support access is logged and auditable.
We're happy to discuss our security practices in detail, conduct security reviews, or address specific compliance requirements for your organization.