Home
SECURITY

Security policy — nex-flow.io

Bridge Base LLC (Wyoming, USA), trading as NexFlow
Effective May 17, 2026

Scope

This policy applies to all systems, services, and subdomains operated by Bridge Base LLC (trading as NexFlow), including:

  • nex-flow.io — marketing site, booking forms, and AI concierge.
  • app.nex-flow.io — customer portal, workflow dashboard, and credential management.
  • api.nex-flow.io — public API endpoints.

Third-party sub-processors (Stripe, Cloudflare, Neon, AWS, Vercel, OpenAI, Anthropic, Postmark, Sentry, PostHog, Upstash, Notion, Slack, Google Workspace, n8n Cloud) are covered by their own security policies and our Data Processing Agreements. See our sub-processor list for the current roster.

Responsible disclosure

If you believe you have found a security vulnerability in any NexFlow service, we want to hear from you. We ask that you:

  • Report the vulnerability to security@nex-flow.io or via our security.txt contact.
  • Provide enough detail to reproduce the issue — steps, affected endpoint, and impact.
  • Do not access, modify, or delete other users' data.
  • Do not degrade service availability (no DDoS, no brute force).
  • Allow us 90 days to remediate before public disclosure.

Safe harbour

We will not pursue legal action against researchers who follow the responsible disclosure guidelines above, even if the vulnerability results in unintentional access, provided:

  • The researcher acted in good faith and did not exploit the vulnerability for personal gain.
  • No customer data was exfiltrated, modified, or destroyed beyond what was necessary to demonstrate the issue.
  • The researcher complied with all applicable laws.

We recognise responsible disclosure as a critical contribution to internet security. Good-faith researchers are allies, not adversaries.

Security measures

  • Encryption at rest: Vendor API keys encrypted with AES-256-GCM via AWS KMS envelope encryption. Database encryption at rest on Neon (Postgres).
  • Encryption in transit: TLS 1.3 enforced on all endpoints. HSTS with one-year max-age and preload.
  • Authentication: Passkey-first (WebAuthn) with TOTP as fallback. Step-up re-authentication for credential rotation and billing changes.
  • Access control: Row-level security on all tenant data. Employee access to customer workspaces only on explicit invitation or during a support ticket with audit logging.
  • Audit logging: Append-only, seven-year retention, exportable from the portal.
  • Monitoring: Error tracking via Sentry (PII scrubbed). Product analytics via self-hosted PostHog (opt-out available).
  • Infrastructure: Cloudflare WAF and CDN on all public endpoints. Neon Postgres in ap-southeast-2 (Sydney) with cross-region read replica.

Hiring

We are a small team and do not always have open security roles, but we are always interested in hearing from security engineers and researchers — especially those with experience in application security, API security, and AI-specific threat models. If you would like to work with us, send your background to careers@nex-flow.io with "Security" in the subject line.

Contact

Security reports: security@nex-flow.io
PGP key: /.well-known/pgp-key.txt
General: support@nex-flow.io