Trust Center
Nyverra treats security as an architecture requirement, not an add-on layer. This page documents our technical controls, policies, and reporting channels for customers, prospects, and risk assessors.
Technical Controls
Our services and operations follow practices aligned with recognized frameworks (NIST CSF, CIS Controls), adapted to the size and risk profile of each managed environment.
- Encryption in transit (TLS 1.2/1.3) and at rest (AES-256) for managed data.
- Network segmentation between production, staging, and administrative access environments.
- Mandatory multi-factor authentication (MFA) for administrative access to managed systems.
- Audit logging and continuous monitoring of privileged access.
- Perimeter firewall with least-privilege policy, reviewed quarterly.
- Vulnerability management with monthly scanning; remediation deadlines are prioritized by CVSS severity.
- Backups with periodically tested restores; backup frequency and retention are defined per contract.
Data & Subprocessors
As a data processor under the Brazilian LGPD (Lei 13.709/2018), Nyverra maintains a data processing agreement with each customer, defines explicit processing purposes, and keeps a subprocessor inventory.
Customer data is stored in contracted data centers and clouds located in Brazil, unless explicitly agreed otherwise. Our primary infrastructure subprocessors include:
- Data center and cloud providers (under DPA and SLA).
- Monitoring and ITSM tools (Zabbix, Grafana, GLPI) — performance and ticket data.
- Transactional email services for client portal notifications.
The complete list of active subprocessors is provided in the service agreement and kept current in the Subprocessor Addendum.
Incident Response
We maintain a documented incident response process with defined roles, escalation channels, and severity-proportional communication timelines.
- Severity classification (Critical, High, Medium, Low) with response and communication SLAs.
- Customer notification within 2 hours of confirming a critical incident, through the contractually agreed channel.
- Root cause analysis (RCA) delivered within 10 business days after containment.
- Notification to the ANPD (Brazil's data protection authority) and other competent authorities when legally required.
Access Controls
Access to customer systems and data follows the principle of least privilege and is reviewed periodically:
- Logical access: named accounts, MFA, quarterly review of profiles and credentials.
- Physical access: biometric access control and entry logging at Nyverra-managed data centers.
- Logging of all administrative actions with immutable audit trail.
- Access revocation within 4 hours of deactivation notification.
Certifications & Audits
Nyverra is in the process of aligning with ISO 27001. Until formal certification, we maintain and make available:
- Information Security Policy (internal document, available under NDA for customers and prospects).
- Documented controls aligned with NIST CSF and CIS Controls v8.
- Vulnerability and pentest reports (when contracted by the customer).
- Audit evidence provided during the vendor onboarding process.
Vulnerability Disclosure
Nyverra values the security of its systems and welcomes contributions from the research community. This policy defines how to report vulnerabilities responsibly, what to expect from our process, and the protections offered to those who report in good faith.
How to report
Send your report to [email protected], preferably including:
- Clear description of the vulnerability found, with reproduction steps.
- Affected product, URL, version, or endpoint.
- Potential impact and exploitation scenario (if known).
- Tools or payloads used (when applicable).
- Your contact details (name, email) — optional, but recommended for follow-up.
Scope
This policy covers:
- nyverra.com and nyverra.com.br (corporate website and landing pages).
- portal.nyverra.com.br (client portal).
- Public APIs accessible under the above domains.
- Publicly exposed managed services owned by Nyverra.
Out of scope: denial-of-service attacks, social engineering against employees, aggressive scans that degrade services, and vulnerabilities in third-party infrastructure not managed by Nyverra.
Safe Harbor
We consider activities conducted in accordance with this policy to be authorized conduct under applicable laws (including, but not limited to, the Computer Fraud and Abuse Act in the US, Brazil's Lei Carolina Dieckmann (Lei 12.737/2012, as amended by Lei 14.155/2021), and equivalent legislation elsewhere).
We will not initiate legal action against you nor request authorities to do so, provided that:
- You report the vulnerability to us before disclosing it publicly.
- You respect the agreed disclosure timeline (default: 90 days from first contact) before publishing any details.
- You do not access, modify, extract, destroy, or retain data beyond the minimum necessary to demonstrate the vulnerability.
- You do not exploit the vulnerability for financial gain, access customer systems, or disrupt production services.
Response time
Our commitment to reporters:
- Acknowledgment of receipt within 3 business days.
- Initial assessment and severity classification within 10 business days.
- Fix and completion notice within 90 days (barring exceptional complexity, communicated to the reporter).
- Public acknowledgment (if authorized by the reporter) after the fix.
Good-faith reports receive a response even if out of scope; we will explain why and, when possible, redirect to the responsible party.
PGP Key
For reports containing sensitive information, encrypt them with our PGP key, which is available at https://nyverra.com.br/.well-known/security.txt or on request by email. The key fingerprint will be published in that same file once available.
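Since the disclosure process points reporters at a security.txt file, the following added example (not Nyverra's code or published file) shows how a reporter or a vendor-risk reviewer can parse such a file and sanity-check it against RFC 9116 before trusting the key it links to: required and single-occurrence fields, Contact URI schemes, an Expires timestamp that is present, timezone-qualified, not in the past and less than a year out, and an Encryption URI that is not fetched over plaintext HTTP. The two sample files, including every example.com URI, are constructed for illustration; the optional OpenPGP cleartext-signature envelope is stripped so the body can be parsed, but the signature itself is not verified here.

```python
"""Parse and sanity-check a security.txt file (RFC 9116).

Added example. The sample files below are constructed for illustration and are
not Nyverra's published security.txt.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# RFC 9116 field rules: field name -> (required, at most one occurrence)
FIELD_RULES = {
    "contact": (True, False),
    "expires": (True, True),
    "encryption": (False, False),
    "canonical": (False, False),
    "policy": (False, False),
    "acknowledgments": (False, False),
    "hiring": (False, False),
    "preferred-languages": (False, True),
}
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")
ENCRYPTION_SCHEMES = ("https://", "dns:", "openpgp4fpr:")
SIG_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_START = "-----BEGIN PGP SIGNATURE-----"


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return lower-cased field name -> values in file order.

    Blank lines and '#' comments are skipped. If the file is wrapped in an
    OpenPGP cleartext signature, only the signed body is parsed (dash-escaped
    lines are unescaped); the signature is NOT verified by this function.
    """
    lines = text.splitlines()
    if lines and lines[0].strip() == SIG_HEADER:
        if "" not in lines:
            raise ValueError("malformed cleartext signature: no blank line after armor headers")
        body_start = lines.index("") + 1
        body_end = next((i for i, l in enumerate(lines) if l.strip() == SIG_START), len(lines))
        lines = [l[2:] if l.startswith("- ") else l for l in lines[body_start:body_end]]
    fields: dict[str, list[str]] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line (no ':'): {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes the checks."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems: list[str] = []
    for name, (required, at_most_one) in FIELD_RULES.items():
        values = fields.get(name, [])
        if required and not values:
            problems.append(f"missing required field: {name}")
        if at_most_one and len(values) > 1:
            problems.append(f"field must appear at most once: {name}")
    for value in fields.get("contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, https:// or tel: URI: {value}")
    for value in fields.get("encryption", []):
        # A key fetched over plaintext HTTP can be swapped in transit.
        if not value.lower().startswith(ENCRYPTION_SCHEMES):
            problems.append(f"Encryption should be an https://, dns: or openpgp4fpr: URI: {value}")
    expires = fields.get("expires", [])
    if len(expires) == 1:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif exp <= now:
                problems.append(f"file expired at {expires[0]}")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year out; RFC 9116 recommends under one year")
    return problems


# Constructed samples (example.com placeholders, not a real organisation's file).
GOOD_SAMPLE = """\
# Constructed sample security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security-contact
Expires: 2025-12-31T23:59:59Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: pt-BR, en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/vulnerability-disclosure
"""
BAD_SAMPLE = """\
Contact: http://example.com/report
Expires: 2024-06-01T00:00:00Z
Encryption: http://example.com/pgp-key.txt
"""


def check_samples() -> tuple[list[str], list[str]]:
    """Validate both samples against a fixed clock so results are reproducible."""
    fixed_now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    return validate_security_txt(GOOD_SAMPLE, fixed_now), validate_security_txt(BAD_SAMPLE, fixed_now)


if __name__ == "__main__":
    good, bad = check_samples()
    print("good sample:", good or "OK")
    print("bad sample:", *bad, sep="\n  ")
```

Run with a fixed clock the good sample passes cleanly, while the bad sample is flagged for a plaintext Contact URI, a plaintext Encryption URI and an Expires in the past. A reviewer would still fetch the file over HTTPS from the `/.well-known/` path and verify the cleartext signature with their own PGP tooling; this script only checks the structure of what was fetched.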
Rewards program
Nyverra does not currently maintain a bug bounty program with financial rewards. Quality reports are publicly acknowledged (with the reporter's authorization) on our acknowledgments page. Organizations planning commercial pentests, or scanning that falls outside the scope of this policy, should contact [email protected] before initiating any activity.