Security & Trust

Security-first, tenant-deployed Cloud P&L.

Nublou is deployed into your Azure tenant via Azure Marketplace. We use Microsoft Entra ID for authentication, Azure Key Vault for secrets, and Azure-native encryption and RBAC for data protection.

Deployment model & data residency

Customer tenant (data plane)

Billing data, business configuration, secrets, compute, and storage all live in your subscription.

Nublou vendor tenant (control plane)

Deployment orchestration and updates only; no customer data is stored vendor-side.

Identity & access

  • Microsoft Entra ID authentication (no local passwords).
  • Role-based authorization enforced at both the Static Web Apps route level and the API level.
  • Roles: Reader, Writer, Admin—managed by your Entra ID administrators.

Secrets & data protection

  • Secrets stored in your Azure Key Vault with RBAC and managed identities.
  • Data encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Tenant isolation: one managed app instance per customer, separate resources.
  • No application-layer PII or customer payloads ingested.

Compliance & roadmap

Current state

  • Runs on Azure infrastructure covered by Microsoft's SOC 2 / ISO programs.
  • Nublou SOC 2 Type II: planned (not yet obtained).

Planned enhancements

  • SOC 2 Type II
  • Penetration testing
  • Enhanced audit logging
  • Optional Private Link / VNet integration

Documents & links

  • Security overview one-pager: shared under NDA depending on sensitivity.
  • Application security posture & data handling overview: shared under NDA depending on sensitivity.
  • DPA (Data Processing Addendum): shared under NDA depending on sensitivity.
  • Subprocessors list: shared under NDA depending on sensitivity.