Nimbus Security & Compliance

How Nimbus was Architected to Be Both Secure and Resilient

Is Nimbus secure?

From day one, we built Nimbus to be both secure and resilient. We have architected our platform from the bottom up with a cloud-native approach to our entire software development lifecycle. The result is a scalable system that is regularly assessed by internal and external penetration testing experts, both in the environment and against the application interfaces. No security system is perfect, but we believe that our investments in our security culture have paid substantial dividends, including better efficiency, a better customer experience, and the assurance that we will learn about problems quickly and be able to mitigate them quickly.

What about data?

At Nimbus, compliance with data protection rules is of paramount importance. We are not a data company: Nimbus does not earn any revenue from user data. We do not resell user data, and we do not “enrich” user data. Some other bidders seek to protect only “valuable” data, deciding by themselves what information is important to protect and what is not. We do not take that approach, because we won’t presume to understand the relative value of any of your data: we protect it all. Our agreements do not allow us to do anything with user data that you don’t want us to.


Our Culture of Security

Systems and Application Development

Nimbus’ security strategy begins with our CEO, COO, CTO, and all our engineers, developers, product architects and managers, working together with our CISO. The company’s commitment to building security into the software development lifecycle is a top priority. In addition to tightly controlling the authorization to access our separate development, staging, and production environments (through endpoint and network security, multi-factor authentication, and network and remote network access controls), our engineers, developers, and developer operations employees make every reasonable effort to maintain a secure working environment and the security of our code, applications, computing environments, and non-public information.

Our development process follows standard secure coding practices recommended by the open software security community, including groups such as the Open Web Application Security Project (OWASP). OWASP Secure Coding Practices include guidelines for the following:

  • Input Validation
  • Output Encoding
  • Authentication and Password Management
  • Session Management
  • Access Control
  • Cryptographic Practices
  • Error Handling and Logging
  • Data Protection
  • Communication Security
  • System Configuration
  • Database Security
  • General Coding Practices

All externally developed applications we use follow the same set of stringent requirements as our internally developed applications. These applications are also subject to a full suite of penetration and performance tests. Internal employees also submit all externally developed open-source applications to an extensive code review process to reduce the likelihood of introducing security vulnerabilities.

Data/Network/Application Security

All data included in Nimbus is encrypted in transit and stored encrypted at rest in our cloud environment. All access to our cloud environment is governed by the principle of least privilege: all connections are controlled through VPN access protected by Single Sign-On and time-based one-time password (TOTP) multi-factor authentication. Through a heavily automated deployment system that is audited regularly by automated configuration and vulnerability assessment tools, heavy use of cloud security tools and instrumentation, and fine-grained entitlement and access controls, Nimbus has successfully attained AICPA SOC-1 Type II Certification, and we intend to enhance this certification regularly.

Configuration Management

Configuration is at the heart of any well-regulated computing environment. We use tools that continuously scan our environments, test all configurations, and highlight deviations from industry standards and best practices. This ensures that poor or insufficient configuration changes are proactively flagged to the engineering and security teams for remediation, engineering, and deployment changes.

Vulnerability Assessment

We conduct periodic and ongoing vulnerability assessments using industry standard tools and techniques in order to identify any information security vulnerabilities in our information systems. These assessments cover the Amazon Web Services environment and also use host-based vulnerability assessment agents. We use the results to guide our decisions about patch and configuration management, new software, and hardware purchases.

Information Security Training

All of our employees attend on-hire and annually recurring security awareness training, and role-specific training, such as secure coding training for all engineers and enhanced phishing awareness training for finance, is provided regularly. Our training is presented as in-person lectures, computer-based training modules, blog posts, and emails from management and our security team.

Penetration Testing

We conduct regular penetration tests using some of the best security companies in the world. Our strict rules state that no single company may conduct consecutive tests of the same environment (lest they become complacent), so we rotate testers and environments annually.

Data Compliance

Nimbus takes privacy seriously. Our privacy options and implementation are world class.

GDPR: Nimbus is fully GDPR-ready. Nimbus takes the position of a processor in your GDPR implementation. We operate under a Publisher-Nimbus Data Processing Agreement (DPA), which means that your data always stays completely under your control. Nimbus does not share your or your users’ data with anyone unless you decide to. We are also compliant with the IAB TCF protocols. You can learn more about our GDPR implementation and options here.

CCPA: Nimbus is fully CCPA-ready, and is built to allow you to maintain complete control of your and your users’ data. We do not share our clients’ data with anyone unless they specifically direct us to do so. You can read more about our CCPA implementation and options here.

Certifications and Memberships


Nimbus is a signatory to the EU, US and Swiss Privacy Shield certifications.

Nimbus is a member of the IAB EU’s Transparency Consent Framework (TCF).

Nimbus maintains a Data Processing Activities Report per GDPR EU guidelines.

Nimbus is a member of the IAB.

Nimbus has successfully attained AICPA SOC-1 Type II Certification.

You can request additional information from your Nimbus rep.