Security governance
Nomad's Security and Privacy team establishes policies and controls, monitors compliance with those controls, and proves our security and compliance to third-party auditors.
Our policies are based on the following foundational principles:
1. Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.
2. Security controls should be implemented and layered according to the principle of defense-in-depth.
4. Security controls should continuously improve based on improved effectiveness and increased auditability.
Security and compliance at Nomad
Nomad maintains a SOC 2 Type II attestation. Our SOC 2 Type II report is available on our Trust Center.
Data protection
Data at rest
All datastores with customer data are encrypted at rest. Sensitive collections and tables also use row-level encryption.
This means the data is encrypted before it reaches the database, so that neither physical access nor logical access to the database is enough to read the most sensitive information.
Data in transit
Nomad uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also use features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit. Server TLS keys and certificates are managed by AWS and deployed via Application Load Balancers.
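The two controls named above, a TLS 1.2 floor and HSTS, are things a reviewer can verify rather than take on trust. The following is an added example (not Nomad's code, and not taken from this page) showing how a client-side policy check for both might look in Python's standard library: it builds an SSL context that refuses anything older than TLS 1.2, and parses a Strict-Transport-Security header to confirm it carries a long max-age with includeSubDomains. The one-year max-age threshold and the sample header value are constructed assumptions for the example, not values stated on the page.

```python
import ssl

# Constructed threshold for the HSTS check (an assumption for this example, not a value
# stated on the page): a max-age of at least one year, the common hardening baseline.
MIN_HSTS_MAX_AGE = 365 * 24 * 60 * 60

# Constructed sample header value of the kind a load balancer in front of a web app sends.
SAMPLE_HSTS_HEADER = "max-age=63072000; includeSubDomains; preload"


def make_client_context() -> ssl.SSLContext:
    """Client-side TLS context that refuses to negotiate anything below TLS 1.2.

    Certificate verification stays on (create_default_context enables it); only the
    protocol floor is pinned explicitly so the policy does not depend on library defaults.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_enforces_tls12_floor(ctx: ssl.SSLContext) -> bool:
    """True when the context can never negotiate TLS 1.1 or older."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def negotiated_version_allowed(version: str) -> bool:
    """Check the protocol name that SSLSocket.version() reports after a handshake."""
    return version in ("TLSv1.2", "TLSv1.3")


def parse_hsts(header_value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives (names lower-cased).

    Valueless directives such as includeSubDomains are stored as True.
    """
    directives = {}
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else True
    return directives


def hsts_is_strong(header_value: str, min_max_age: int = MIN_HSTS_MAX_AGE) -> bool:
    """Policy check: long max-age plus includeSubDomains, so no plaintext downgrade window."""
    directives = parse_hsts(header_value)
    try:
        max_age = int(directives.get("max-age", -1))
    except ValueError:
        return False  # a non-numeric max-age is a broken header, not a strong one
    return max_age >= min_max_age and directives.get("includesubdomains") is True


if __name__ == "__main__":
    ctx = make_client_context()
    print("TLS 1.2 floor enforced:", context_enforces_tls12_floor(ctx))
    print("Sample HSTS strong:", hsts_is_strong(SAMPLE_HSTS_HEADER))
    print("Short HSTS strong:", hsts_is_strong("max-age=300"))
```

The context built by `make_client_context` is what you would pass to `ssl.SSLContext.wrap_socket` or an HTTP client when talking to the service; after the handshake, `negotiated_version_allowed(sock.version())` confirms the floor held in practice, and `hsts_is_strong` is applied to the response's `Strict-Transport-Security` header.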
Secret management
Encryption is managed via AWS, which prevents direct access by any individuals. Application secrets are encrypted and stored securely per highest industry standards.
Product security
Penetration testing
Nomad engages with one of the best penetration testing consulting firms in the industry at least annually. Our current preferred penetration testing partner is Cicilian, one of the leading experts in GraphQL security.
All areas of the Nomad product and cloud infrastructure are in-scope for these assessments, and source code is fully available to the testers in order to maximize the effectiveness and coverage.
We make summary penetration test reports available via our Trust Center.
Vulnerability scanning
Nomad requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC):
Static analysis (SAST) testing of code during pull requests and on an ongoing basis.
Malicious dependency scanning to prevent malware in our software supply chain.
Periodic network vulnerability scanning.
Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain.
Dynamic analysis (DAST) of running applications.
Continuous external attack surface management (EASM) to discover new external-facing assets.
Enterprise security
Security education
Nomad provides comprehensive security training to all employees upon onboarding and annually through educational modules within a platform provided by Vanta.
Nomad's ops team shares regular threat briefings with employees to inform them of important security and safety-related updates that require special attention or action.
Secure remote access
Nomad secures remote access to internal resources using modern VPN technology. We also use malware-blocking DNS servers to protect employees and their endpoints while browsing the internet.
Vendor security
Nomad uses a risk-based approach to vendor security. Factors which influence the inherent risk rating of a vendor include:
Access to customer and corporate data
Integration with production data
Potential damage to the Nomad brand
Data privacy
At Nomad, data privacy is a first-class priority—we strive to be trustworthy stewards of all sensitive data. Nomad evaluates updates to regulatory and emerging frameworks continuously to evolve our program.
View Nomad's Privacy Policy