Security is an ongoing operational process. This page describes controls visible in the current Nexly implementation and does not claim a certification, penetration-test result, or guarantee against every incident.
Transport and credential protection
- Production services are served over HTTPS and session cookies are marked Secure when HTTPS is configured.
- Passwords are protected with an adaptive password-hashing algorithm.
- Personal API tokens, password-reset tokens, verification tokens, invite tokens, and recovery codes are stored as hashes.
- Transactional email supports TLS and STARTTLS.
- Raw payment card details are handled by Polar and are not stored by Nexly.
Authentication and account security
- Email and password authentication with email verification.
- Optional TOTP two-factor authentication with one-time recovery codes.
- Passkey authentication through WebAuthn.
- HttpOnly, SameSite=Lax session cookies with a default 24-hour session lifetime.
- Rate limits for authentication and API requests.
Infrastructure
- Backend application and managed data infrastructure use Railway, with the primary deployment in the Netherlands.
- The marketing site and help center are deployed through Vercel.
- Uploaded image storage uses Cloudflare R2 with an Eastern Europe location hint; edge delivery may operate globally.
- Transactional email uses Resend in Ireland.
- Analytics ingestion removes raw IP addresses before analytics database storage.
Monitoring and data access
Backend services use structured operational logs. The dashboard can send errors, performance traces, and sampled session replay to Sentry with default PII collection disabled and account email represented by a hash.
Access to production systems and customer data is limited to operational needs. Nexly does not currently publish a formal access-review cadence, backup policy, recovery objective, or independent audit report.
AI provider boundaries
AI Insights sends prompts and the analytics context needed for a response to the selected external model provider. Customers should not put secrets or sensitive personal information in prompts. Provider-specific processing is disclosed on the Subprocessors page.
Report a security issue
Send suspected vulnerabilities or security incidents to mail@nexly.to with enough detail to reproduce or investigate the issue. Do not access, alter, or retain other users’ data while researching a vulnerability.
We will review reports and respond based on severity and available information. Nexly does not currently operate a paid bug bounty program.
Last updated: July 10, 2026