    Trust and Security

    Transparent. Secure. Compliant by Design.

    How we handle your business data with the seriousness it deserves.

    All Systems Operational
    SOC 2 Type II Aligned
    GDPR & HIPAA Ready
    ISO 27001

    Last reviewed May 2026

    How We Handle Your Data

    No Data Sales. Ever.

    We do not sell, rent, or share your business data with third parties. Your client lists, lead pipelines, and workflow data belong to you.

    Encrypted in Transit and at Rest

    All data transmitted to and from NomadXI systems uses TLS 1.2+ in transit and AES-256 at rest.

    Principle of Least Privilege

    Our team only accesses your systems with explicit permission and only the minimum access required to complete the agreed scope of work.

    Regular Access Reviews

    We conduct internal access reviews and revoke permissions whenever an engagement changes or concludes.

    Privacy, Security & Compliance

    Our Certifications & Frameworks

    Platform-level certifications backed by enterprise-grade infrastructure.

    SOC 2 Type II

    Annual independent audit of security controls

    Audited & Verified

    ISO 27001

    Information security management standard

    Certified

    EU Data Privacy Framework

    Lawful EU–US data transfer mechanisms

    Certified

    GDPR Ready

    Full EU general data protection compliance

    Compliant

    HIPAA Compliance

    Healthcare data protection standards

    Ready

    CCPA / CPRA

    California consumer privacy rights

    Compliant

    Legal Documents

    Our Governing Policies

    All foundational agreements governing how NomadXI operates, handles your data, and protects your rights.

    Legal Agreement

    Terms of Service

    Your rights and obligations when using NomadXI platforms and services, including acceptable use, billing, SLAs, and dispute resolution.

    Privacy Rights

    Privacy Policy

    How we collect, use, store, and protect your personal data including your rights under GDPR, CCPA/CPRA, and applicable privacy law.

    Security Controls

    Privacy & Security

    A detailed breakdown of our technical and organizational security measures, encryption standards, access controls, and infrastructure protections.

    Security Architecture

    How We Protect Your Data

    Enterprise-grade controls deployed at every layer of the NomadXI platform.

    Data Protection

    Encryption at Rest & In Transit

    AES-256 encryption at rest. TLS 1.2 enforced for all data in transit. No plaintext data storage anywhere in our stack.

    Identity & Access Management

    RBAC, MFA enforcement, SSO support, and least-privilege access principles. Admin accounts audited quarterly.

    Continuous Monitoring

    24/7 SIEM monitoring, real-time intrusion detection, automated anomaly alerts, and security event logging with 90-day retention.

    Infrastructure

    DDoS & WAF Protection

    Enterprise-grade Web Application Firewall and DDoS mitigation at the network edge. Automatic traffic scrubbing on all endpoints.

    Annual Penetration Testing

    Third-party penetration testing by certified professionals. Vulnerability findings triaged, tracked, and remediated under defined SLAs.

    Incident Response Plan

    Documented IR plan with defined RTO/RPO targets. Incidents contained, investigated, remediated, and disclosed per regulation.

    Operations

    Security Training

    Mandatory security awareness training at hire and annually. Phishing simulations and background checks for all personnel with system access.

    Data Backup & Recovery

    Automated daily backups with geographic redundancy. Point-in-time recovery. Backup integrity verified through regular restoration tests.

    Secure Development (SDLC)

    Security integrated across the full development lifecycle. Code reviews, SAST/DAST scanning, dependency audits, and pre-production validation.

    Certifications & Standards

    Compliance Frameworks

    Independent verification of our security and privacy practices against globally recognized frameworks. Detailed implementation notes for the certifications shown above.

    SOC 2 Type II

    Audited & Verified

    Annual independent audit of our security, availability, and confidentiality controls by a licensed CPA firm under AICPA Trust Services Criteria.

    ISO 27001

    Certified

    Our information security management system is aligned with ISO/IEC 27001:2022, the international standard for information security management.

    GDPR

    Compliant

    Full compliance with the EU General Data Protection Regulation. DPAs available for enterprise customers. Data subject rights fulfilled within 30 days.

    HIPAA

    Aligned

    HIPAA-ready infrastructure and BAA available for healthcare-adjacent customers. Administrative, physical, and technical safeguards implemented.

    CCPA / CPRA

    Compliant

    California Consumer Privacy Act and California Privacy Rights Act compliant. Opt-out mechanisms, deletion rights, and disclosure obligations honored.

    EU Data Privacy Framework

    Certified

    Certified under the EU–US Data Privacy Framework for lawful transatlantic data transfers. All transfers governed by Standard Contractual Clauses (SCCs).

    Data Governance

    How We Handle Your Data

    A transparent breakdown of our data collection, processing, retention, and residency practices.

    Data Residency

    Primary data stored in AWS US-East. EU customers may request EU-region storage to comply with data sovereignty requirements.

    Retention Policy

    Customer data retained for the duration of the service agreement plus 90 days. Deleted securely per NIST 800-88 upon account closure.

    Data Minimization

    We collect only data necessary to provide the service. No sale or sharing of personal data with third parties for advertising.

    Cross-Border Transfers

    All international transfers governed by Standard Contractual Clauses (SCCs) or the EU–US Data Privacy Framework.

    AI Model Training

    Your data is never used to train AI models without explicit opt-in consent. No customer data shared with third-party AI providers without authorization.

    Your Data Rights

    Data Portability

    Export all your data at any time via the platform dashboard or written request. Exports delivered within 30 days.

    Right to Erasure

    Deletion requests processed within 30 days in compliance with GDPR Article 17 and CCPA. Submit to privacy@nomadxi.com.

    Data Subject Rights (DSAR)

    Access, rectification, restriction, and portability requests acknowledged within 5 business days and fulfilled within 30 days.

    Reliability

    Uptime & Performance SLAs

    Our platform is engineered for high availability with transparent, published service level commitments.

    Platform Uptime SLA: 99.9%
    API Response P95: <200ms
    Security Disclosure: 48h
    Security Inquiry Response: 1BD
    90-Day Platform Uptime (as of May 2026): 99.98%
    Uptime chart legend: No incidents; Scheduled maintenance

    * Contractual SLA: 99.9% | Actual trailing 90-day performance: 99.98%

    Vendor Management

    Authorized Subprocessors

    NomadXI uses a limited, vetted set of third-party providers. All are bound by Data Processing Agreements and must meet our security standards.

    | Subprocessor | Purpose | Location |
    | --- | --- | --- |
    | GoHighLevel (GHL) | CRM, marketing automation, funnel management, and client portal infrastructure | US |
    | Amazon Web Services | Cloud infrastructure, compute, storage, networking | US & EU |
    | Twilio / SendGrid | SMS, voice, and transactional email delivery | US |
    | Stripe | Payment processing and billing infrastructure | US & EU |
    | Cloudflare | CDN, DDoS protection, WAF, DNS management | Global |
    | Google Workspace | Internal productivity and communication tools | US |
    | PagerDuty | Incident management and on-call alerting | US |
    | Datadog | Application performance and security monitoring | US |
    | GitHub | Source code management and CI/CD pipeline | US |

    Subprocessor list last updated May 2026. Updated as changes occur. Enterprise customers may subscribe to change notifications at privacy@nomadxi.com. All subprocessors undergo annual security review.

    AI Ethics

    Responsible AI Practices

    NomadXI leverages AI to serve you — never to exploit your data.

    No Training on Your Data

    Customer data is never used to train, fine-tune, or improve any AI model without explicit opt-in written consent.

    Third-Party AI Isolation

    When AI providers are used, customer data is not stored, logged, or retained by the provider beyond the immediate request lifecycle.

    Transparency by Default

    Any AI-generated content or automated decisions that affect your account are disclosed. You always know when AI is involved.

    Human Oversight

    High-stakes automated decisions (account suspension, billing disputes) require human review. No fully autonomous adverse actions.

    AI providers currently used: OpenAI API (language processing), integrated within GoHighLevel AI workflows. All providers are listed in our Authorized Subprocessors table above. No customer data is retained by any AI provider beyond the immediate request lifecycle.

    Questions & Answers

    Security & Privacy FAQ

    Answers to the questions enterprise customers ask most during vendor evaluation.

    Security Research

    Responsible Disclosure Program

    Report a Vulnerability

    We take security vulnerabilities seriously. If you discover a potential security issue, we encourage responsible disclosure. We commit to acknowledging your report within 48 hours, keeping you informed throughout the process, not pursuing legal action for good-faith reports, and recognizing your contribution publicly if desired.

    1. Email your findings to security@nomadxi.com
    2. Include steps to reproduce, impact assessment, and any proof-of-concept
    3. Allow us 90 days to investigate and remediate before public disclosure
    4. Receive acknowledgment within 48 hours and status updates throughout

    Transparency

    Security Incident Log

    A transparent record of security events. We disclose incidents proactively to maintain customer trust.

    Clean
    May 2026: No security incidents reported. Platform uptime 99.98%. All systems operating normally.

    In the event of a future incident, this log will be updated within 72 hours of confirmation. Enterprise customers receive direct notification per their DPA.

    Nomad X Integration LLC

    Headquarters
    2000 E. Lamar Blvd, Suite 600
    Arlington, TX 76006