Security

Built Secure by Default

NimbusOS runs multi-tenant outbound infrastructure for agencies. Every layer is isolated, encrypted, and audited.

Transport & Encryption

HTTPS enforced

HSTS with 1-year max-age, includeSubDomains

TLS 1.2+ only

Enforced at Railway edge

AES-256-GCM field encryption

EncryptedTextField for SMTP credentials, API keys, and payment identifiers

Secure cookies

SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE enabled

Authentication

JWT access tokens

60-minute expiry, rotated on every refresh

Refresh token blacklisting

Used tokens invalidated immediately after rotation

OAuth 2.0 SSO

Google and Microsoft 365 supported

XSS prevention

HTTP-only cookie flag - no tokens stored in localStorage

Multi-Tenant Isolation

Workspace scoping on every query

TenantScopedMixin enforced at the model layer - no cross-tenant data access possible

Permission classes on all views

IsAuthenticated enforced platform-wide via DEFAULT_PERMISSION_CLASSES

Referrer policy

strict-origin-when-cross-origin

Clickjacking protection

X-Frame-Options: DENY

Billing & Payments

Stripe webhook signature verification

construct_event() validates every webhook - unsigned payloads rejected with HTTP 400

Idempotent webhook processing

stripe_event_id checked before any state change - no duplicate billing events

No payment data in logs

Payment method, customer ID, and subscription ID never written to application logs

Encrypted payment identifiers

Stored via EncryptedTextField, not plaintext
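
The two webhook controls listed above (signature verification and the stripe_event_id check), sketched as an added example that is not NimbusOS code. It reimplements Stripe's documented signing scheme (HMAC-SHA256 over "<t>.<payload>") with the standard library so it runs offline instead of calling construct_event(); SECRET, TOLERANCE, processed_event_ids and the function names are assumptions.

```python
import hashlib
import hmac
import json

SECRET = "whsec_constructed_example"   # constructed value, not a real secret
TOLERANCE = 300                        # assumed replay window, in seconds
processed_event_ids = set()            # stand-in for a unique DB column


def sign(payload: bytes, ts: int, secret: str = SECRET) -> str:
    """Build a Stripe-style signature header so the example runs offline."""
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256)
    return f"t={ts},v1={mac.hexdigest()}"


def verify(payload: bytes, header: str, now: int, secret: str = SECRET) -> bool:
    """Check timestamp freshness and the v1 HMAC over '<t>.<payload>'."""
    parts = [p.split("=", 1) for p in header.split(",") if "=" in p]
    ts = next((v for k, v in parts if k == "t"), "")
    sigs = [v for k, v in parts if k == "v1"]
    if not ts.isdigit() or not sigs or abs(now - int(ts)) > TOLERANCE:
        return False
    expected = hmac.new(secret.encode(), ts.encode() + b"." + payload,
                        hashlib.sha256).hexdigest().encode()
    # Constant-time compare; any matching v1 is accepted (secret rollover).
    return any(hmac.compare_digest(expected, s.encode()) for s in sigs)


def handle_webhook(payload: bytes, header: str, now: int) -> tuple[int, str]:
    """Return (HTTP status, outcome) for one webhook delivery."""
    if not header or not verify(payload, header, now):
        return 400, "rejected"            # unsigned, forged or stale
    try:
        event_id = str(json.loads(payload)["id"])
    except (ValueError, KeyError, TypeError):
        return 400, "rejected"            # signed but not a usable event
    if event_id in processed_event_ids:
        return 200, "duplicate"           # acknowledged, no state change
    processed_event_ids.add(event_id)     # record the id before acting on it
    return 200, "processed"
```

In a real deployment the seen-id check and the state change belong in one database transaction backed by a unique constraint, so two concurrent deliveries of the same event cannot both pass.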

Document & Data Handling

PII scanning on document ingestion

Email addresses, phone numbers, SSNs, and credit card numbers detected before storage

Threat detection on file uploads

Executable payloads, script injection, and suspicious archives rejected at ingestion

File size limits enforced

100 MB max per file, 20 files max per upload - validated before processing

Content hash deduplication

Identical documents not re-embedded - prevents vector index pollution

Infrastructure

Content Security Policy

CSP headers restrict script and frame sources

Rate limiting

Auth endpoints: 5/min. API: 100/min. Bulk operations: 10/min.

SMTP credentials never hardcoded

EmailBox credential lookup at send time - no credentials committed to source control

Debug mode off in production

DEBUG=False enforced - no stack traces exposed to users

Responsible Disclosure

Found a vulnerability? Report it directly to our team. We respond within 48 hours and credit researchers who report valid findings.

joe@salesnimbus.com

NimbusOS is operated by Sales Nimbus LLC.