    Nomad XI
    Privacy & Security
    Trust Center

    Built on trust.
    Secured for scale.

    Enterprise-grade security, privacy, and compliance infrastructure — built for agencies and the clients they serve.

    • SOC 2 Type II Audited
    • AES-256 Encryption at Rest
    • EU DPF Certified
    • GDPR Compliant
    • 99.9% Uptime SLA
    Trust Foundations

    Certifications & Compliance

    Nomad XI undergoes rigorous independent audits and maintains certifications across major global privacy and security frameworks. These are not checkboxes — they represent continuous operational commitments backed by third-party verification.

    ANNUALLY AUDITED

    SOC 2 Type II

    We undergo annual SOC 2 Type II assessments. This attestation verifies that our internal controls for security, availability, and confidentiality meet the rigorous standards established by the AICPA.

    CERTIFIED

    EU Data Privacy Framework

    We maintain certification under the EU‑U.S. Data Privacy Framework (EU‑U.S. DPF), including the UK Extension and the Swiss‑U.S. DPF — ensuring lawful transfer mechanisms for personal data between the EU, UK, Switzerland, and the United States.

    COMPLIANT

    GDPR & Global Privacy Laws

    We comply with the GDPR, U.S. state privacy laws (CCPA/CPRA, Texas TDPSA, and 15+ others), CAN-SPAM, and similar international regulations. We also provide the tools you need to remain compliant across your entire client network.

    BAA AVAILABLE

    HIPAA Readiness

    Securely manage Protected Health Information (PHI) with enterprise-grade encryption. We support Business Associate Agreements (BAAs) to ensure your agency meets all regulatory standards for healthcare clients.

    Framework                Scope                                      Status
    SOC 2 Type II            Security, Availability, Confidentiality    Active
    EU-U.S. DPF              EU, UK, Switzerland → US data transfers    Certified
    GDPR                     EEA, UK residents                          Compliant
    CCPA / CPRA              California residents                       Compliant
    HIPAA                    PHI for healthcare sub-accounts            BAA Ready
    CAN-SPAM / TCPA          Email & SMS marketing compliance           Compliant
    Australian Privacy Act   Australian residents                       Compliant
    PIPEDA                   Canadian residents                         Compliant
    Security Architecture

    The Four Pillars of Security

    Our security program is structured around four independent pillars, each managed and audited separately. Together they form a layered defense-in-depth architecture that protects your data at every level.

    Infrastructure Security
    • Hosted on Google Cloud Platform (GCP)
    • AES-256 encryption at rest
    • TLS 1.2+ encryption in transit
    • DDoS mitigation & Web Application Firewall (WAF)
    • Multi-region redundancy & automated failover
    • 99.9% uptime SLA
    Product Security
    • Two-Factor Authentication (2FA) enforcement
    • Granular user permissions & role management
    • Full audit logs of all account activity
    • Single Sign-On (SSO) support
    • Session timeout & concurrent session controls
    Operational Security
    • Mandatory employee background checks
    • Continuous security awareness training
    • Vendor Risk Management (VRM) protocols
    • Least-privilege access controls for all staff
    • Annual security policy reviews
    Application Security
    • Regular third-party penetration testing
    • Responsible Disclosure Program
    • Automated vulnerability scanning (CI/CD)
    • Shift-left security integrated into development
    • OWASP Top 10 controls enforced
    Privacy Compliance

    GDPR & Global Privacy

    Nomad XI is committed to full compliance with the General Data Protection Regulation (GDPR), U.S. State Privacy Laws (CCPA, CPRA, Texas TDPSA, and 15+ others), and all applicable international privacy regulations. We not only comply ourselves — we build the tools that help you comply with your own customer base.

    Consent Management

    Capture, store, and audit consent records across your entire sub-account network. Built-in consent widgets, opt-in/opt-out tracking, and timestamped records satisfy GDPR Article 7 and U.S. state law requirements.

    Data Access & Portability

    Fulfill Data Subject Access Requests (DSARs) directly from your dashboard. Export contact data in machine-readable formats to satisfy portability rights under GDPR and CCPA.

    Right to Erasure

    Process deletion requests for individual contacts on demand. Deletion is propagated across all platform services and confirmed in writing. We cannot reverse confirmed deletions.

    Sub-Account Compliance

    Agency owners can manage compliance configurations across all client sub-accounts from a single control panel — including custom privacy notices, cookie consent banners, and data retention policies.

    DPA & BAA Availability

    Customers subject to GDPR may execute a Data Processing Agreement (DPA) with us. Healthcare customers requiring HIPAA compliance may execute a Business Associate Agreement (BAA). Contact dpo@nomadxi.com to request either document.

    Healthcare Compliance

    HIPAA Readiness

    For agencies and businesses operating in the healthcare space, Nomad XI provides a HIPAA-ready environment to securely manage Protected Health Information (PHI). This includes enterprise-grade encryption, strict access controls, and full Business Associate Agreement (BAA) support.

    BAA Required

    HIPAA compliance requires execution of a signed Business Associate Agreement before storing or processing PHI on our platform. Contact dpo@nomadxi.com to initiate the BAA process.

    • AES-256 encryption of all PHI at rest
    • TLS 1.2+ encryption of all PHI in transit
    • Role-based access controls limiting PHI exposure to authorized personnel only
    • Audit logs of all access to PHI-containing records
    • Automatic session timeout for inactive users with PHI access
    • Breach notification protocols meeting the HIPAA Breach Notification Rule
    • Full BAA executed prior to any PHI processing

    Important: Enabling HIPAA features requires both a signed BAA and proper sub-account configuration. Nomad XI is not responsible for PHI exposure resulting from misconfigured account settings or unauthorized third-party integrations connected by the customer.

    Data Handling

    Data Handling Principles

    We apply a strict set of internal data handling principles that go beyond minimum regulatory requirements. These principles guide every decision we make about how data is collected, stored, processed, and deleted.

    • Data Minimization — We collect only the data necessary to provide the Services you have subscribed to. We do not collect speculative or precautionary data.
    • Purpose Limitation — Data collected for one purpose is not reused for an incompatible purpose without appropriate legal basis or your consent.
    • Storage Limitation — Personal data is not retained beyond what is necessary for its stated purpose. Retention schedules are defined and enforced per data category.
    • Integrity & Confidentiality — All data is protected with appropriate technical and organizational security measures throughout its lifecycle.
    • Accuracy — We provide tools to keep your data up to date. We process correction requests within 30 days.
    • Accountability — We maintain documented evidence of our data processing activities, legal bases, and compliance controls, and make it available to supervisory authorities on request.
    • No Data Sales — We do not sell your Personal Information. We do not sell your customers' Personal Information. We do not sell SMS opt-in consent data under any circumstances.
    AI Ethics

    AI & Data Ethics

    Nomad XI integrates artificial intelligence features to enhance platform performance and automate workflows. We hold ourselves to a strict set of AI ethics principles to ensure your data is never used in ways you haven't authorized.

    Our AI Commitment

    We do not use your Personal Information — or your customers' Personal Information — to train generalized or publicly released AI models. Ever.

    • Scoped AI Processing — AI features process your data only for the specific service you are using. Our instructions to AI sub-processors contractually limit their use of your data to that narrow scope.
    • No Model Training on Your Data — Your data is never used to improve, fine-tune, or train generalized AI models shared across customers or released publicly.
    • AI Sub-Processor Accountability — All AI sub-processors we work with are contractually bound to our data use limitations, security standards, and deletion requirements.
    • Transparency — Features powered by AI are clearly identified. You may contact dpo@nomadxi.com for a current list of AI sub-processors and their data use scope.
    • No Automated Decision-Making — We do not make solely automated decisions that produce legal or similarly significant effects about you.
    Your Controls

    User Privacy Controls

    We believe privacy is a setting, not a policy. Here are the controls available to you directly within your Nomad XI account:

    Communication Preferences

    Manage which types of communications you receive from us — including marketing emails, product updates, and security alerts — directly from your account settings or by contacting dpo@nomadxi.com.

    Two-Factor Authentication

    Enable 2FA on your account to add a second layer of protection against unauthorized access. We support both authenticator apps and SMS-based 2FA.

    Account Deletion

    You may request deletion of your account and all associated data. Upon confirmed cancellation, all data — including contacts, content, automations, and purchased phone numbers — is permanently and irreversibly deleted. Export your data first.

    Opt Out of Targeted Ads

    Exercise your right to opt out of our use of your Personal Information for targeted advertising or cross-context behavioral advertising by contacting us at dpo@nomadxi.com or using our "Do Not Sell or Share My Information" mechanism.

    Your Rights

    Data Rights & Requests

    We honor all data subject rights requests under GDPR, CCPA/CPRA, and applicable U.S. state privacy laws. Here's how the process works:

    • Submit your request — in writing to dpo@nomadxi.com, including your full name, email address, and the nature of your request
    • Identity verification — we will ask you to verify your identity before processing any request; the verification method depends on the sensitivity of the data involved
    • Response timeline — we acknowledge all requests within 5 business days and fulfill them within 30 days; complex requests may require up to 45 days with notice
    • Appeal rights — if we deny your request or you are unsatisfied with our response, you may appeal by replying to our denial notice; we will reconsider and provide written reasoning
    • Supervisory authority complaints — you have the right to lodge a complaint with your local data protection authority at any time; for EEA residents, contact your national DPA; for UK residents, the ICO at ico.org.uk
    Authorized Agent Requests

    You may designate an authorized agent to submit requests on your behalf. We may require written proof of the agent's authorization and may independently verify your identity in addition to verifying the agent's authorization.

    Incident Response

    Incident Response

    Despite our extensive preventive controls, no system is 100% immune to security incidents. We maintain a documented, tested Incident Response Plan (IRP) to minimize impact and ensure timely notification when a security event occurs.

    • 24/7 monitoring — automated alerting and on-call security staff monitor for anomalous activity around the clock
    • Containment — upon detecting a confirmed incident, affected systems are isolated within a defined time window to prevent lateral spread
    • Assessment & forensics — we conduct a root-cause analysis to determine the scope, affected data categories, and number of individuals impacted
    • Regulatory notification — we notify relevant supervisory authorities within 72 hours of confirming a breach, as required by GDPR Article 33
    • Individual notification — where a breach is likely to result in high risk to individuals, we notify affected users without undue delay, per GDPR Article 34 and applicable U.S. state breach notification laws
    • Remediation — we implement corrective measures and a post-incident review to prevent recurrence
    Responsible Disclosure

    If you discover a potential security vulnerability in our platform, please report it responsibly to security@nomadxi.com. Do not publicly disclose until we have had a reasonable opportunity to investigate and remediate. We acknowledge all reports within 3 business days.

    Legal

    Sub-Processors

    We engage trusted third-party sub-processors to help us deliver the platform. All sub-processors are contractually bound to our data protection standards, including data minimization, security controls, and deletion obligations. We conduct regular Vendor Risk Management (VRM) reviews of all sub-processors.

    Sub-Processor List

    Customers who have executed a Data Processing Agreement (DPA) with us may request a current list of our sub-processors by contacting dpo@nomadxi.com. We provide 30 days' notice of material sub-processor changes to DPA customers.

    Categories of sub-processors we engage include: cloud infrastructure (hosting, storage, CDN), payment processing, SMS/voice carriers, email delivery, customer support tooling, security monitoring, and AI feature providers. Each is scoped to process only the data necessary for their specific function.

    Legal

    International Transfers

    Nomad XI operates globally. We may transfer Personal Information between the United States and our affiliates, sub-processors, and service providers in other countries — including India — to operate efficiently, improve performance, and maintain redundancy.

    All international transfers are conducted in accordance with applicable law. For data originating in the EEA, UK, or Switzerland, we rely on the following transfer mechanisms:

    • EU-U.S. Data Privacy Framework (EU-U.S. DPF) — certified for EU-to-US transfers
    • UK Extension to the EU-U.S. DPF — certified for UK-to-US transfers
    • Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) — certified for Switzerland-to-US transfers
    • Standard Contractual Clauses (SCCs) — used as a supplementary mechanism where applicable

    We may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. The Federal Trade Commission has jurisdiction over our DPF compliance.


    Contact Security Team

    For security disclosures, DPA requests, BAA inquiries, or data rights questions, reach our dedicated security and privacy team:

    Nomad X Integration LLC

    2000 E. Lamar Blvd, Suite 600
    Arlington, TX 76006
    United States

    Security & Privacy

    Data Protection Officer: dpo@nomadxi.com
    Security Disclosure: security@nomadxi.com
    For DPF complaints: JAMS ADR Services