Trust & Safety

Security
Overview

Security is foundational to NanoToxi AI. Researchers trust us with sensitive data and we take that responsibility seriously at every layer of our stack.

Last updated: June 2026

Encryption

AES-256 + TLS 1.3

Auth

JWT + MFA

Disclosure

48h Response SLA

Encryption

  • All data transmitted between your browser and NanoToxi AI servers is encrypted using TLS 1.3 — the current industry standard for transport security.
  • Data at rest is encrypted using AES-256, applied to all databases, file stores, and backup archives.
  • Sensitive fields including authentication credentials and API keys are hashed using bcrypt with a minimum cost factor of 12 before storage.
  • Prediction payloads submitted via the API are encrypted in transit and are not logged in plaintext anywhere in our infrastructure.

Infrastructure Security

  • The NanoToxi AI backend is deployed on Railway with network-level isolation. No backend service is exposed to the public internet except the designated API gateway.
  • The frontend is deployed on Vercel's edge network with automatic DDoS mitigation and Web Application Firewall (WAF) rules.
  • Database instances operate in private network segments with no direct inbound internet access. All queries are routed through the application layer.
  • All infrastructure components are configured with the principle of least privilege — services are granted only the permissions they need to function.
  • We use automated vulnerability scanning on all production containers and dependency graphs, with alerts for known CVEs.

Authentication and Access Control

  • User authentication is handled via JWT-based sessions with short expiration windows and automatic refresh token rotation.
  • Passwords are never stored in plaintext. We enforce minimum password complexity requirements and rate-limit login attempts to prevent brute-force attacks.
  • API keys are scoped to specific permissions and can be revoked instantly from the dashboard. Key values are shown only once at creation time.
  • Admin access to production systems requires multi-factor authentication and is restricted to a named list of authorised personnel.
  • All privileged actions in production environments are logged with user identity, timestamp, and action details for audit purposes.

Application Security

  • NanoToxi AI is built with protection against OWASP Top 10 vulnerabilities, including SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and insecure deserialization.
  • All user-supplied inputs, including nanoparticle parameters submitted for prediction, are validated and sanitised before processing.
  • Content Security Policy (CSP) headers are enforced on all frontend responses to mitigate XSS attack vectors.
  • We conduct periodic manual code reviews and automated static analysis on all code entering the production branch.
  • Dependencies are monitored for known vulnerabilities using automated tooling, with critical patches applied within 24 hours of disclosure.

Incident Response

  • We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review.
  • In the event of a confirmed data breach affecting personal data, affected users will be notified within 72 hours in accordance with applicable data protection regulations.
  • Security incidents are triaged by severity. Critical incidents (active breach, data exfiltration) trigger immediate escalation and a dedicated response team.
  • Post-incident reports are produced for all high-severity events and are retained for a minimum of two years for audit purposes.
  • To report a security vulnerability, please contact contact@nanotoxi.com. We operate a responsible disclosure policy and will acknowledge reports within 48 hours.

Backups and Business Continuity

  • Production databases are backed up continuously with point-in-time recovery available for the previous 7 days.
  • Backups are stored in encrypted, geographically separate storage from the primary infrastructure.
  • We test restoration procedures quarterly to verify that backups are valid and recoverable within our target RTO.
  • Our target Recovery Time Objective (RTO) for a full infrastructure failure is 4 hours. Our target Recovery Point Objective (RPO) is 1 hour.

Found a vulnerability?

Report it responsibly at contact@nanotoxi.com. We acknowledge all reports within 48 hours.