Security & Trust Center
v1.0 · May 2026

Built for teams who operate in demanding markets.

ONX is designed to meet the security and governance expectations of enterprise procurement, legal, and security teams — without compromising speed or commercial value.

Encryption at rest & in transit

GDPR-aligned architecture

EU AI Act: limited risk (preliminary assessment)

Role-based access & RLS

Security Architecture

How data flows through the ONX platform — from customer browser to database, and out to external processors. Encryption boundaries and tenant isolation are highlighted.

ONX Security Architecture Overview (diagram, rendered as text)

1. Customer browser (user / sales rep)
   ↓ HTTPS only, TLS 1.2+

2. Edge layer: Vercel Edge (global CDN, HSTS enforced)
   ↓ authenticated request

3. Application layer: Vercel (US)
   - ONX App: Next.js, API routes
   - Supabase Auth: JWT tokens, session management
   ↓ org-scoped query

4. Data layer: Supabase / AWS eu-north-1 (Stockholm)
   - PostgreSQL DB: AES-256 at rest, RLS enforced
   - Audit trail: append-only, immutable
   - TTL enforced (see Data Governance: contact data auto-expires)

5. External processors (SCCs in place)
   AI inference:
   - Anthropic: company context only, no personal data
   - OpenAI: supplementary flows, no personal data
   Enrichment and research:
   - People Data Labs: firmographic data, business data only
   - Perplexity AI: public web signals, business data only

Legend: encrypted transport (TLS 1.2+) · tenant isolation (RLS) · AES-256 encryption at rest · no personal data to AI providers
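The data layer above describes the audit trail as append-only and immutable. The following is an added example of how that property can be enforced inside PostgreSQL itself rather than by client discipline; it is not ONX's own code, and the table layout, the `app_rw` role name and the sample values are assumptions.

```sql
-- Added example, not ONX's own schema: an append-only audit trail in PostgreSQL.
-- `app_rw` is an assumed application role (a Supabase deployment would use
-- `authenticated`); it is created here only so the script runs stand-alone.
do $$ begin
  if not exists (select 1 from pg_roles where rolname = 'app_rw') then
    create role app_rw nologin;
  end if;
end $$;

create table if not exists audit_log (
  id          bigint generated always as identity primary key,
  org_id      uuid not null,
  actor       text not null,                 -- e.g. 'user:<id>' or 'system:ttl-purge'
  action      text not null,                 -- e.g. 'contact.export', 'contact.erase'
  details     jsonb not null default '{}'::jsonb,
  occurred_at timestamptz not null default now()
);

-- First layer: the application role may only read and append.
grant select, insert on audit_log to app_rw;
revoke update, delete, truncate on audit_log from app_rw;

-- Second layer: refuse rewrites even from roles that do hold the privilege
-- (table owner, migration user), so "immutable" is a database property and
-- not a promise about every client.
create or replace function audit_log_reject() returns trigger
  language plpgsql as $$
begin
  raise exception 'audit_log is append-only: % rejected', tg_op;
end $$;

create trigger audit_log_no_rewrite
  before update or delete on audit_log
  for each row execute function audit_log_reject();

create trigger audit_log_no_truncate
  before truncate on audit_log
  for each statement execute function audit_log_reject();

-- Demonstration with constructed values.
insert into audit_log (org_id, actor, action, details)
  values ('11111111-1111-1111-1111-111111111111', 'user:u1', 'contact.export',
          '{"format":"json","rows":42}');
update audit_log set action = 'nothing-to-see' where id = 1;
-- ERROR: audit_log is append-only: UPDATE rejected
```

Two caveats a reviewer will raise: the trigger stops rewrites through ordinary SQL, but anyone with ALTER on the table (the owner, a superuser) can disable or drop it, so the application must never connect as the table owner; and this gives append-only semantics, not tamper evidence against a database administrator, which needs an external copy (for example, periodic export to write-once storage).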

Infrastructure

Cloud provider: AWS (via Supabase), eu-north-1 (Stockholm); data at rest is held in the EU only
Application hosting: Vercel, global edge network, serverless (the application layer runs in the US, as shown in the architecture overview)
Database: Supabase (PostgreSQL), managed, SOC 2 Type II
Network isolation: Supabase project-level isolation; Vercel project isolation
DDoS protection: Vercel edge network plus AWS infrastructure protection
Logging: application and access logs retained for security review

Encryption

Encryption at rest: AES-256, AWS / Supabase managed keys
Encryption in transit: TLS 1.2+ enforced on all connections
HTTPS enforcement: HSTS enabled; HTTP redirected to HTTPS
Database connections: TLS-enforced PostgreSQL connections
Secret management: environment variables via Vercel; not stored in the codebase

Customer-managed encryption keys (CMEK) are available on Enterprise plans on request.

Access Controls

Row-Level Security (RLS) enforced at the database layer — tenants cannot access each other's data
Organisation-scoped data isolation — all queries are scoped to the authenticated org
Role-based permissions — admin, member, and read-only roles
JWT-based authentication with short-lived tokens
SSO available on Enterprise plans (SAML 2.0)
Internal access to production data is restricted and audited
No Optimal Nexus employee accesses customer data without documented purpose
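The first three controls (RLS at the database layer, organisation scoping and admin/member/read-only roles) are shown below as an added PostgreSQL example in the Supabase style; it is not ONX's own schema. It assumes `auth.jwt()` and the `authenticated` role as Supabase provides them, and that the organisation and role claims live under `app_metadata.org_id` and `app_metadata.org_role`; the table, column names and sample values are constructed.

```sql
-- Added example, not ONX's own schema: tenant isolation with row-level security.
-- Assumptions: Supabase's auth.jwt() (verified JWT claims as jsonb) and the
-- `authenticated` role; org/role claims under app_metadata.
create table if not exists contacts (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null,
  email      text not null,
  created_at timestamptz not null default now()
);

-- GRANT gates the table; RLS policies below filter the rows.
grant select, insert, update, delete on contacts to authenticated;

-- Claims are taken from the signed token only, never from a request parameter.
create or replace function current_org_id() returns uuid
  language sql stable as $$
  select (auth.jwt() -> 'app_metadata' ->> 'org_id')::uuid
$$;

create or replace function current_org_role() returns text
  language sql stable as $$
  select coalesce(auth.jwt() -> 'app_metadata' ->> 'org_role', 'readonly')
$$;

alter table contacts enable row level security;
alter table contacts force row level security;   -- applies to the table owner too

-- Read: every role, including read-only, sees only its own organisation.
create policy contacts_select on contacts
  for select to authenticated
  using (org_id = current_org_id());

-- Write: admin and member only. WITH CHECK is what stops an authorised writer
-- from inserting, or moving, a row into another organisation.
create policy contacts_insert on contacts
  for insert to authenticated
  with check (org_id = current_org_id()
              and current_org_role() in ('admin', 'member'));

create policy contacts_update on contacts
  for update to authenticated
  using      (org_id = current_org_id() and current_org_role() in ('admin', 'member'))
  with check (org_id = current_org_id() and current_org_role() in ('admin', 'member'));

create policy contacts_delete on contacts
  for delete to authenticated
  using (org_id = current_org_id() and current_org_role() = 'admin');

-- Check from psql without a real login: Supabase's auth.jwt() reads the
-- request.jwt.claims setting, so impersonate a member of org 1111... .
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"user-1","role":"authenticated","app_metadata":{"org_id":"11111111-1111-1111-1111-111111111111","org_role":"member"}}',
  true);
select count(*) from contacts;              -- counts only org 1111... rows
insert into contacts (org_id, email)
  values ('22222222-2222-2222-2222-222222222222', 'mallory@example.com');
-- ERROR: new row violates row-level security policy for table "contacts"
rollback;
```

Two checks worth running against any Supabase-backed product making this claim: `select relrowsecurity, relforcerowsecurity from pg_class where relname = 'contacts';` should return `t, t` for every tenant table, and user-facing code paths must query with the user's JWT, because the `service_role` key bypasses RLS entirely and a single misuse of it turns the policy into decoration.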

Data Governance & Privacy

Lawful basis: Legitimate Interest (GDPR Article 6(1)(f))
Contact data TTL: 120 days from ingestion; auto-expiry, no silent renewal
Data minimisation: field-level allowlist at ingestion; 40+ personal categories blocked
Special category data: not processed (Article 9 GDPR)
Automated decisions: none; all AI output is decision-support only
Cross-border transfers: Standard Contractual Clauses (SCCs) where applicable
Right to erasure: global suppression list; one-click, permanent, cross-account
Right to access: machine-readable JSON export via compliance API
DPIA: soft DPIA completed; downloadable from the Compliance Center
LIA: Legitimate Interest Assessment on file; available to enterprise customers
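The two mechanical controls in this table, the 120-day TTL with no silent renewal and the global cross-account suppression list, are shown below as one added PostgreSQL example. It is not ONX's own code: the table and column names, the hashing scheme for the suppression list, the sample values and the use of pg_cron for the scheduled purge are all assumptions.

```sql
-- Added example, not ONX's own schema: contact TTL with no silent renewal, plus
-- a global suppression list consulted at ingestion across every organisation.
-- Assumptions: table layout, sha256 of the normalised address as the key,
-- and pg_cron (available on Supabase) for the purge job.
create table if not exists contacts (
  id          uuid primary key default gen_random_uuid(),
  org_id      uuid not null,
  email       text not null,
  email_hash  bytea not null,                                   -- set by trigger below
  ingested_at timestamptz not null default now(),
  expires_at  timestamptz not null default now() + interval '120 days'
);
create index if not exists contacts_expires_at_idx on contacts (expires_at);

-- Deterministic hash of the normalised address, so the suppression list does
-- not itself retain the erased address in clear.
create or replace function normalised_email_hash(addr text) returns bytea
  language sql immutable strict as $$
  select sha256(convert_to(lower(btrim(addr)), 'UTF8'))
$$;

create table if not exists suppression_list (
  email_hash    bytea primary key,
  suppressed_at timestamptz not null default now()
);

-- "No silent renewal": expires_at is fixed at ingestion. Any UPDATE that tries
-- to move it is refused, so re-enrichment or an edit cannot extend the TTL.
create or replace function contacts_freeze_expiry() returns trigger
  language plpgsql as $$
begin
  if new.expires_at is distinct from old.expires_at then
    raise exception 'contact %: TTL cannot be extended or renewed', old.id;
  end if;
  return new;
end $$;

create trigger contacts_freeze_expiry
  before update on contacts
  for each row execute function contacts_freeze_expiry();

-- Ingestion gate: derive the hash and refuse any suppressed address,
-- whichever organisation is inserting it (cross-account).
create or replace function contacts_apply_suppression() returns trigger
  language plpgsql as $$
begin
  new.email_hash := normalised_email_hash(new.email);
  if exists (select 1 from suppression_list s where s.email_hash = new.email_hash) then
    raise exception 'address is on the global suppression list';
  end if;
  return new;
end $$;

create trigger contacts_apply_suppression
  before insert or update of email on contacts
  for each row execute function contacts_apply_suppression();

-- Right to erasure: one call suppresses the address permanently and removes
-- every copy in every organisation. Returns the number of records deleted.
create or replace function suppress_email(addr text) returns bigint
  language plpgsql as $$
declare
  h bytea := normalised_email_hash(addr);
  n bigint;
begin
  insert into suppression_list (email_hash) values (h) on conflict do nothing;
  delete from contacts where email_hash = h;
  get diagnostics n = row_count;
  return n;
end $$;

-- Scheduled purge of expired records (daily at 03:15 UTC; requires pg_cron).
select cron.schedule('purge-expired-contacts', '15 3 * * *',
  $$delete from contacts where expires_at <= now()$$);

-- Demonstration with constructed values.
insert into contacts (org_id, email)
  values ('11111111-1111-1111-1111-111111111111', 'Ann@Example.com');
update contacts set expires_at = expires_at + interval '1 day';   -- ERROR: TTL cannot be extended
select suppress_email('ann@example.com');                          -- 1
insert into contacts (org_id, email)
  values ('22222222-2222-2222-2222-222222222222', 'ANN@example.com');
-- ERROR: address is on the global suppression list
```

The point of keying the suppression list on a hash is that erasure must not create a new copy of the very identifier being erased; the trade-off is that only exact normalised matches are caught, so the normalisation rule (case, whitespace, and nothing cleverer) has to be the same at erasure time and at ingestion time. The purge job deletes rather than anonymises, which matches the "auto-expiry" wording above; a deployment that needs the deletion itself recorded would write the count into the audit trail from the same job.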

AI Governance

EU AI Act — Preliminary Classification

Preliminary internal assessment indicates ONX currently operates outside EU AI Act high-risk classifications (Annex III). ONX provides commercial decision-support tools only — not employment, credit, law enforcement, or healthcare decisions.

AI providers: Anthropic (Claude), OpenAI (GPT-4o)
Use of AI: ICP recommendations, signal scoring, deal risk indicators, summaries
Personal data in prompts: no; company-level context only
Model training on customer data: no; contractually prohibited with all AI providers
Automated decisions: none; human review required for all commercial actions
Confidence disclosure: AI outputs surfaced as indicators, not deterministic facts
Prohibited uses policy: documented; employment, credit, legal and healthcare decisions prohibited
Full AI Transparency Notice

Subprocessors

ONX uses a limited set of third-party subprocessors. Each is covered by a DPA and Standard Contractual Clauses (SCCs) where data is transferred outside the EEA. 30 days' notice is provided for new subprocessors.

Supabase: database and authentication · EU-hosted, Stockholm (eu-north-1)
Vercel: hosting and CDN · global edge, EU configurable · SCC
Anthropic: AI inference · US · SCC + DPA
People Data Labs: data enrichment · US · SCC
Perplexity AI: web intelligence · US · SCC
Resend: transactional email · US · SCC
Full subprocessor list with DPA details

Uptime & Reliability

Target availability: 99.9% uptime SLA (Enterprise plans)
Infrastructure: Vercel serverless plus Supabase managed PostgreSQL
Redundancy: Supabase automated backups with point-in-time recovery
Monitoring: application health monitored continuously
Maintenance windows: communicated in advance via in-platform notice and email

Enterprise SLA documentation available on request.

Incident Response

Security incidents are triaged within 4 hours of detection
Data breach notification to affected customers within 72 hours of a confirmed breach (where ONX processes data on a customer's behalf, GDPR Article 33(2) requires the processor to notify the controller without undue delay; Article 34 governs communication to affected individuals)
Supervisory authority notification within statutory timescales where required (GDPR Article 33(1): no later than 72 hours after becoming aware of the breach)
Post-incident review and root cause analysis completed for all material incidents
Incident log maintained internally; material incidents disclosed to affected customers

To report a suspected incident: security@optimalnexus.com

Vulnerability Disclosure

Optimal Nexus Ltd operates a responsible disclosure policy. If you discover a security vulnerability in ONX, we ask that you report it privately before public disclosure so we can investigate and resolve it.

Report vulnerabilities to security@optimalnexus.com
Include a description, reproduction steps, and potential impact
We will acknowledge receipt within 2 business days
We will keep you informed of our investigation progress
We will not pursue legal action against good-faith reporters

We are not currently operating a formal bug bounty programme. This is under review.

Compliance Roadmap

Current posture and planned milestones. We publish this because enterprise buyers deserve an honest picture, not a marketing badge.

In place:

GDPR-aligned architecture (RLS, TTL, suppression, LIA, DPIA)
AI Transparency Notice (EU AI Act alignment)
Subprocessor register with SCCs
Data subject rights: access, erasure, objection, portability
Immutable audit trail for all processing decisions

In progress:

Formal DPA template for enterprise customers
Penetration testing (scheduled)
Vendor risk register

Planned:

SOC 2 Type II audit
ISO 27001 certification
Formal bug bounty programme

Download the procurement pack

DPIA · LIA · AI Transparency · Subprocessors — generated live, always current.

View downloads

Need documentation for procurement?

DPA, DPIA, subprocessor list, AI governance summary — available on request.

Request documentation