How we protect subscriber capital.
Security and operational discipline are the foundation we build on. Here is exactly how that foundation works.
Encryption
All subscriber data is encrypted at rest using AES-256 with rotating keys. In transit, we use TLS 1.3 with HSTS and certificate pinning across all client endpoints. Sensitive fields — such as identification documents and source-of-funds documentation — are encrypted at the field level, separately from the main database, with keys held in a separate key-management service.
Authentication
Two-factor authentication is mandatory for every subscriber account. We support TOTP applications (Google Authenticator, Authy, 1Password) as well as hardware security keys via WebAuthn. Recovery is via verified email plus a manual identity check by a member of the Operations team — we deliberately do not provide a fully self-service recovery path because the asymmetry of a successful account-recovery attack outweighs the user-experience cost.
Custody
Subscriber capital is held in segregated accounts at regulated prime brokers in tier-one jurisdictions. The accounts are structurally separated from Nexilon Varentis operating capital — meaning that even in the unlikely event of a company-level insolvency, subscriber capital remains intact and recoverable. Each prime broker is audited by independent third parties; the audit summaries are made available to subscribers on request.
Audits and certifications
- SOC 2 Type II. Audited annually by an independent third-party firm. The most recent audit covered the twelve months ending 31 December 2025; the executive summary is available to subscribers on request.
- ISO 27001. Certified information-security management system, recertified every three years with annual surveillance audits.
- GDPR. Fully compliant, with EU-only data residency for subscriber personal data and a designated data-protection officer reachable at [email protected].
- Penetration testing. Conducted twice annually by an independent specialist firm; remediation timelines published internally and adhered to.
Bug bounty
We operate a private bug-bounty programme with vetted security researchers. Rewards range from $500 for low-severity findings to $25,000 for critical-severity findings. Researchers interested in joining the programme may write to [email protected]; we respond to all enquiries within five business days.
Incident response
Our incident-response procedures are documented and rehearsed quarterly. We commit to disclosing any security incident affecting subscriber data within 72 hours of discovery, in line with GDPR requirements, and we publish a post-mortem after every material incident.