Security

Last updated: November 26, 2025

Security is fundamental to how we build and operate Neureus. Here's how we protect your data and infrastructure.

Our Security Practices

Enterprise-grade security across the entire platform.

Encryption Everywhere

Active

TLS 1.3 in transit, AES-256 at rest. All data encrypted by default.

SOC 2 Type II

In Progress

Audit in progress. Expected completion Q1 2026.

Continuous Monitoring

Active

Real-time security monitoring across all edge locations.

Incident Response

Active

24/7 security team. <1 hour response time for critical issues.

Infrastructure Security

Cloudflare Global Network

Neureus runs entirely on Cloudflare's security-first infrastructure:

  • DDoS Protection: Automatic mitigation of attacks across 300+ edge locations
  • WAF: Web Application Firewall protects against OWASP Top 10 threats
  • Rate Limiting: Per-endpoint rate limits prevent abuse
  • Bot Management: ML-based bot detection and mitigation
  • Zero Trust Network: All services authenticate via Cloudflare Access

Data Encryption

In Transit:

  • TLS 1.3 for all HTTPS connections
  • Perfect Forward Secrecy (PFS) enabled
  • Modern cipher suites only (no legacy crypto)
  • Certificate pinning for API clients

At Rest:

  • AES-256 encryption for all stored data
  • Encrypted database backups (D1, R2, Vectorize)
  • Separate encryption keys per customer (data isolation)
  • Hardware security modules (HSMs) for key management

Application Security

Authentication & Authorization

  • API Keys: Hashed with bcrypt, scoped to specific resources
  • JWT Tokens: Short-lived (1 hour), signed with RS256
  • 2FA: TOTP-based two-factor authentication (coming Q1 2026)
  • OAuth 2.0: Secure third-party integrations
  • Session Management: Automatic timeout after 24 hours of inactivity

Input Validation

  • Strict type checking on all API inputs (TypeScript + Zod)
  • Content Security Policy (CSP) headers on all pages
  • Parameterized queries prevent SQL injection
  • File upload validation (type, size, content scanning)
  • XSS protection via React's automatic escaping

Secrets Management

  • Environment variables stored in Cloudflare Workers secrets
  • Never logged or exposed in error messages
  • Automatic rotation every 90 days
  • Zero secrets in source code (all scanned pre-commit)

Operational Security

Monitoring & Logging

  • Real-time Alerts: Suspicious activity triggers immediate investigation
  • Audit Logs: All admin actions logged and retained for 1 year
  • Anomaly Detection: ML-based detection of unusual access patterns
  • SIEM Integration: Security Information and Event Management

Incident Response

Our security team follows a documented incident response plan:

  1. Detection: Automated monitoring + manual review
  2. Containment: Isolate affected systems within minutes
  3. Investigation: Root cause analysis by security team
  4. Remediation: Fix vulnerability, apply patches
  5. Notification: Inform affected customers within 72 hours (GDPR requirement)
  6. Post-Mortem: Document lessons learned, improve processes

Disaster Recovery

  • Backups: Automated daily backups, retained for 30 days
  • Geo-Redundancy: Data replicated across multiple regions
  • RPO: Recovery Point Objective of 1 hour (minimal data loss)
  • RTO: Recovery Time Objective of 4 hours (fast restoration)

Compliance & Certifications

Certification     Status        ETA
SOC 2 Type II     In Progress   Q1 2026
GDPR Compliant    Active        -
CCPA Compliant    Active        -
ISO 27001         Planned       Q2 2026

Regulatory Compliance

  • GDPR: EU data protection (right to access, delete, export)
  • CCPA: California Consumer Privacy Act compliance
  • HIPAA: Planned for healthcare customers (Q2 2026)
  • PCI DSS: Payment card data security (via Stripe)

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities.

How to Report

Security Team

Email: security@neureus.ai

PGP Key: Download

Response time: Within 24 hours

What to Include

  • Detailed description of the vulnerability
  • Steps to reproduce (PoC code if applicable)
  • Potential impact and affected systems
  • Your contact information for follow-up

Our Commitment

  • Acknowledgment: Within 24 hours
  • Updates: Every 48 hours until resolved
  • Fix Timeline: Critical issues patched within 7 days
  • Credit: Public acknowledgment (if you wish)
  • Bounty Program: Coming Q1 2026

Security Best Practices

For Developers Using Neureus

  • API Keys: Never commit to source control, use environment variables
  • Scope: Create separate keys for dev/staging/prod environments
  • Rotation: Rotate keys every 90 days
  • Rate Limits: Implement client-side rate limiting to prevent abuse
  • Input Validation: Always validate AI outputs before using in your app
  • PII: Mask sensitive data before sending to AI models
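The three client-side practices above (key from the environment, PII masked before the prompt leaves the app, model output validated before use) in one small TypeScript helper. This is an added example, not Neureus code; the NEUREUS_API_KEY binding name and the {"label", "confidence"} response shape are assumptions.

```typescript
// Added example, not Neureus code: client-side hygiene for calling an AI API.
// Assumes a hypothetical NEUREUS_API_KEY secret and a hypothetical JSON
// response of the form {"label": "...", "confidence": 0.0-1.0}.

export interface Recommendation { label: string; confidence: number }

// 1. Read the API key from an env/secrets binding (Cloudflare Workers style),
//    never from a literal in source. Fail closed if it is missing.
export function loadApiKey(env: Record<string, string | undefined>): string {
  const key = env.NEUREUS_API_KEY;
  if (!key || key.trim() === "") throw new Error("NEUREUS_API_KEY is not set");
  return key;
}

// 2. Mask PII before the prompt leaves the app. Patterns are deliberately
//    simple; production code would cover more (card numbers, IBANs, IDs).
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const PHONE_RE = /\b(?:\+?\d{1,3}[ -]?)?(?:\(\d{3}\)|\d{3})[ -]?\d{3}[ -]?\d{4}\b/g;

export function maskPii(text: string): string {
  return text.replace(EMAIL_RE, "[EMAIL]").replace(PHONE_RE, "[PHONE]");
}

// 3. Validate the model's output before the app acts on it: parse as JSON,
//    check types and ranges, and allowlist the label's characters so it is
//    safe to render or use as a lookup key.
export function parseRecommendation(raw: string): Recommendation {
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch {
    throw new Error("model output is not valid JSON");
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    throw new Error("model output is not a JSON object");
  }
  const o = parsed as Record<string, unknown>;
  if (typeof o.label !== "string" || !/^[A-Za-z0-9 _-]{1,64}$/.test(o.label)) {
    throw new Error("label missing or contains disallowed characters");
  }
  if (typeof o.confidence !== "number" || !Number.isFinite(o.confidence) ||
      o.confidence < 0 || o.confidence > 1) {
    throw new Error("confidence must be a number in [0, 1]");
  }
  return { label: o.label, confidence: o.confidence };
}
```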

Account Security

  • Use strong, unique passwords (12+ characters)
  • Enable 2FA when available (Q1 2026)
  • Review API key usage regularly
  • Delete unused API keys immediately
  • Monitor your usage dashboard for anomalies

Security Roadmap

Q1 2026

  • SOC 2 Type II audit completion
  • Two-factor authentication (TOTP)
  • Bug bounty program launch
  • Advanced threat detection (ML-based)

Q2 2026

  • ISO 27001 certification
  • HIPAA compliance for healthcare customers
  • Hardware security keys (WebAuthn)
  • Penetration testing (quarterly schedule)

H2 2026

  • FedRAMP authorization (government customers)
  • Customer-managed encryption keys (BYOK)
  • Private network deployments (VPC)
  • On-premise deployment option

Contact Security Team

For security questions or concerns:

Security Team

Security Issues: security@neureus.ai

Privacy Questions: privacy@neureus.ai

Compliance: compliance@neureus.ai

Response time: Within 24 hours for security issues

Security-first AI platform

Build with confidence knowing your data is protected.