Trust & Safety
Security
Overview
Security is foundational to NanoToxi AI. Researchers trust us with sensitive data and we take that responsibility seriously at every layer of our stack.
Last updated: June 2026
Encryption
AES-256 + TLS 1.3
Auth
JWT + MFA
Disclosure
48h Response SLA
Encryption
- All data transmitted between your browser and NanoToxi AI servers is encrypted using TLS 1.3 — the current industry standard for transport security.
- Data at rest is encrypted using AES-256, applied to all databases, file stores, and backup archives.
- Sensitive fields including authentication credentials and API keys are hashed using bcrypt with a minimum cost factor of 12 before storage.
- Prediction payloads submitted via the API are encrypted in transit and are not logged in plaintext anywhere in our infrastructure.
Infrastructure Security
- The NanoToxi AI backend is deployed on Railway with network-level isolation. No backend service is exposed to the public internet except the designated API gateway.
- The frontend is deployed on Vercel's edge network with automatic DDoS mitigation and Web Application Firewall (WAF) rules.
- Database instances operate in private network segments with no direct inbound internet access. All queries are routed through the application layer.
- All infrastructure components are configured with the principle of least privilege — services are granted only the permissions they need to function.
- We use automated vulnerability scanning on all production containers and dependency graphs, with alerts for known CVEs.
Authentication and Access Control
- User authentication is handled via JWT-based sessions with short expiration windows and automatic refresh token rotation.
- Passwords are never stored in plaintext. We enforce minimum password complexity requirements and rate-limit login attempts to prevent brute-force attacks.
- API keys are scoped to specific permissions and can be revoked instantly from the dashboard. Key values are shown only once at creation time.
- Admin access to production systems requires multi-factor authentication and is restricted to a named list of authorised personnel.
- All privileged actions in production environments are logged with user identity, timestamp, and action details for audit purposes.
Application Security
- NanoToxi AI is built with protection against OWASP Top 10 vulnerabilities, including SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and insecure deserialization.
- All user-supplied inputs, including nanoparticle parameters submitted for prediction, are validated and sanitised before processing.
- Content Security Policy (CSP) headers are enforced on all frontend responses to mitigate XSS attack vectors.
- We conduct periodic manual code reviews and automated static analysis on all code entering the production branch.
- Dependencies are monitored for known vulnerabilities using automated tooling, with critical patches applied within 24 hours of disclosure.
Incident Response
- We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review.
- In the event of a confirmed data breach affecting personal data, affected users will be notified within 72 hours in accordance with applicable data protection regulations.
- Security incidents are triaged by severity. Critical incidents (active breach, data exfiltration) trigger immediate escalation and a dedicated response team.
- Post-incident reports are produced for all high-severity events and are retained for a minimum of two years for audit purposes.
- To report a security vulnerability, please contact contact@nanotoxi.com. We operate a responsible disclosure policy and will acknowledge reports within 48 hours.
Backups and Business Continuity
- Production databases are backed up continuously with point-in-time recovery available for the previous 7 days.
- Backups are stored in encrypted, geographically separate storage from the primary infrastructure.
- We test restoration procedures quarterly to verify that backups are valid and recoverable within our target RTO.
- Our target Recovery Time Objective (RTO) for a full infrastructure failure is 4 hours. Our target Recovery Point Objective (RPO) is 1 hour.
Found a vulnerability?
Report it responsibly at contact@nanotoxi.com. We acknowledge all reports within 48 hours.