Your data, protected

Customer Data is transmitted over HTTPS/TLS in transit. At rest, data is held in encrypted database storage managed by our hosting platform, and selected sensitive fields — which may include customer personally identifiable information bundles and integration credentials — are additionally encrypted at the application layer using authenticated symmetric encryption (AES-GCM) before being written. Encryption keys are held outside the database and rotated as required. We use reasonable technical and organisational measures designed to protect Customer Data; no platform can guarantee absolute security.

Access to Customer Data inside the Service is governed by role-based permissions that you configure for your team. Roles such as owner, manager and staff control which areas of the Service each Authorised User can see and act on, and multi-location accounts can scope visibility per location. Two-factor authentication is available for sensitive accounts. On the Nexpura side, internal staff access to production systems is limited to personnel who reasonably need it to operate, secure or support the Service, is logged, and is subject to our internal access-control policies.

Authentication for the Service is provided by our authentication subprocessor (Supabase Auth). Passwords are hashed using industry-standard algorithms; raw passwords are never stored. Sessions use secure, signed tokens with a limited lifetime. We support email-based password reset, and account owners can require additional verification factors for sensitive actions.

All card processing for Nexpura subscriptions is handled by our payments subprocessor, Stripe. Stripe is responsible for collecting payment details, tokenising cards, processing subscription billing, and maintaining the payment-card-industry compliance posture for the cardholder data it handles. Nexpura does not store raw card numbers. Nexpura may receive limited billing information from Stripe — for example payment status, invoice details, subscription status, customer ID, card brand and the last four digits of a card — to operate billing features and surface them in your account.

The Service is built on a small, named set of trusted subprocessors. Each maintains its own privacy and security commitments, and we limit what we share with each provider to what is reasonably required to deliver the Service.

Vercel

Application hosting, deployment and edge delivery.

Supabase

Database, authentication and file storage.

Stripe

Payments, billing, subscriptions and invoices.

Resend

Transactional email (receipts, invoices, password resets, notifications).

Twilio

SMS, WhatsApp and phone notifications where enabled.

Anthropic

AI-assisted features where enabled.

OpenAI

AI-assisted features where enabled.

Our hosting platform performs automated database backups on a regular schedule, retained for a defined window. Application infrastructure is deployed across globally distributed edge locations and is architected for high availability with monitoring on critical paths. We do not guarantee uninterrupted service or complete recovery in every scenario — see §13 for the limits of what any platform can promise.

Customer Data remains yours. You retain ownership of the customer records, inventory, repair jobs, bespoke jobs, invoices and other records you enter into the Service. Account owners and managers can export a copy of tenant data in a portable format from inside the application, and account owners can request deletion of their tenant data, processed within the windows described in our Privacy Policy and Terms of Service.

Critical actions inside the Service — including inventory changes, invoice and refund events, customer-record changes, repair and bespoke job updates, team and permission changes, and selected settings updates — are recorded in an append-only audit trail. Each entry captures who performed the action, what changed, and when. Audit history is available to account owners and managers within their tenant for review.

We monitor dependencies and infrastructure for known security issues using automated tooling provided by our hosting and version-control platforms, apply security updates in a timely manner, and use code-review processes for changes to production code paths. We rely on the security posture of our subprocessors for the layers they own (such as the underlying compute, network and managed-service controls).

If we become aware of a security incident affecting the Service, we will investigate, take reasonable steps to contain and remediate the incident, and notify affected Customers without undue delay where required by law or by the contract with the Customer. Where the incident constitutes an eligible data breach under the Notifiable Data Breaches scheme of the Privacy Act 1988 (Cth), we will follow the notification procedure described in our Privacy Policy.

Security is a shared responsibility. You remain responsible for safeguarding your own account credentials, configuring user access appropriately for your team, keeping the devices and networks you use to access the Service reasonably secure, training your staff on safe use of the Service, and promptly notifying us at hello@nexpura.com of any suspected compromise. You also remain responsible for the data you enter into the Service, your relationships with End Customers, and your compliance with the laws applicable to your business.

Nexpura is operated under the laws of New South Wales, Australia, and we comply with the Privacy Act 1988 (Cth), including the Australian Privacy Principles and the Notifiable Data Breaches scheme. Card-level payment-industry compliance is maintained by our payments subprocessor (Stripe), which handles all card data. Nexpura does not currently hold formal SOC 2, ISO 27001, HIPAA or GDPR certifications. We will update this section if our certification posture changes.

No software platform can guarantee absolute security or perfect availability. To be clear about what this Security Statement does and does not promise, Nexpura does not guarantee: uninterrupted or error-free service; absolute security of any data or system; prevention of all unauthorised access; prevention of all data loss; complete recovery from any incident; compliance with every industry standard or regulatory regime; suitability for every regulated use case; or protection against customer-side error, phishing, malware or credential compromise. Nothing in this Security Statement creates a warranty, guarantee, service level agreement or contractual commitment unless expressly stated in a signed agreement.

If you believe you have identified a security issue or have a security concern about Nexpura, please contact us at hello@nexpura.com with the subject line "Security Concern — Nexpura" and as much detail as you can reasonably provide (steps to reproduce, affected URLs, screenshots). We ask that you do not publicly disclose the issue before giving us a reasonable opportunity to investigate and address it. We will acknowledge legitimate reports and work in good faith with reporters who follow this process.