Security Statement
Nexture AI, Inc.
Effective Date: February 15, 2026
This document was last reviewed and updated on the effective date above.
At Nexture AI, Inc. ("Nexture AI," "we," "us," or "our"), we understand that the security and confidentiality of your data, particularly Nonpublic Personal Information (NPI) and sensitive insurance documents, are paramount. This Security Statement outlines the robust technical and organizational measures we implement to protect your information and ensure the integrity, confidentiality, and availability of our Service.
Our security program is designed to meet or exceed industry best practices and to comply with relevant regulations, including the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule for the protection of financial consumer information.
1. Our Commitment to Security
We are committed to maintaining a secure environment for all data processed through the Nexture AI platform. Our comprehensive security program is continuously evaluated and updated to address evolving threats and new technologies.
Our security program is overseen by a designated qualified individual responsible for implementing and enforcing our information security policies, as required under the GLBA Safeguards Rule. This individual reports directly to executive leadership on the status of our security program and any identified risks.
2. AWS Shared Responsibility Model
Nexture AI leverages Amazon Web Services (AWS), a leading cloud computing platform, for our infrastructure. We operate under a shared responsibility model:
- AWS's Responsibility (Security of the Cloud): AWS is responsible for the security of its global infrastructure: the compute, storage, networking, and physical facilities on which our Service runs. AWS maintains numerous third-party audits and certifications (e.g., SOC 2, ISO 27001, PCI DSS Level 1) and supports customers' GLBA and HIPAA obligations (e.g., through HIPAA-eligible services). These attestations cover AWS's layer only; they do not by themselves make a customer's workload secure or compliant.
- Nexture AI's Responsibility (Security in the Cloud): We are responsible for security in the AWS cloud, which includes the secure configuration of our application, data, operating systems, network settings, and user access management. Our primary AWS region for data storage is us-east-1 (N. Virginia).
3. Technical Security Measures
We implement a multi-layered approach to protect your data across its lifecycle:
3.1. Data Encryption:
- Encryption in Transit: All data transmitted between your device and our Service, and between our internal services, is encrypted using Transport Layer Security (TLS, the successor to SSL) over HTTPS to prevent eavesdropping and tampering.
- Encryption at Rest: All sensitive data, including your uploaded insurance documents and extracted policy information, is encrypted at rest using strong encryption standards (e.g., AES-256) across all storage locations within AWS (e.g., databases, S3 buckets). Encryption keys are managed through AWS Key Management Service (KMS).
3.2. Access Controls & Identity Management:
- Least Privilege: Access to systems and sensitive data is granted strictly on a "need-to-know" and "least privilege" basis. This ensures that only authorized personnel have access to the resources essential for their roles.
- Multi-Factor Authentication (MFA): Multi-factor authentication is mandatory for all Nexture AI employees accessing internal systems, administrative tools, and production environments. We also offer and highly recommend MFA for user accounts on our Platform to enhance your account security.
- Strong Password Policies: We enforce robust password policies for both internal systems and user accounts, requiring minimum length and complexity and screening out common or easily guessable passwords.
- Session Management: Secure session management techniques are employed to prevent session hijacking.
3.3. Network Security:
- Virtual Private Clouds (VPCs): Our entire infrastructure operates within Amazon Virtual Private Clouds (VPCs), providing isolated network environments for enhanced security.
- Firewalls & Security Groups: We utilize AWS Security Groups and Network Access Control Lists (NACLs) to strictly control inbound and outbound network traffic to our servers and services.
- Web Application Firewall (WAF): We employ a Web Application Firewall (WAF) to protect our Service from common web exploits, such as SQL injection, cross-site scripting, and application-layer denial-of-service attacks.
- Intrusion Detection/Prevention Systems (IDS/IPS): Our systems incorporate mechanisms to detect and, where possible, prevent unauthorized access and malicious activity.
3.4. Secure Development Lifecycle (SDL):
Our development processes integrate security best practices from the outset. This includes:
- Secure Coding: Developers follow secure coding guidelines.
- Input Validation: All user inputs are rigorously validated to prevent injection attacks and other vulnerabilities.
- Regular Code Reviews: Security is a key aspect of our code review process.
- Dependency Management: Third-party libraries and frameworks are regularly updated and scanned for known vulnerabilities.
3.5. Security Monitoring & Logging:
- Our systems are monitored continuously for security threats, anomalies, and suspicious activity using AWS services such as CloudTrail (API activity logging), CloudWatch (metrics and alarms), and GuardDuty (threat detection).
- Detailed audit logs are maintained to enable rapid detection, investigation, and response to potential security incidents.
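To make the monitoring claim concrete, the following is an added example, not Nexture AI's own tooling, of the kind of detection logic that runs over CloudTrail records. It parses a CloudTrail log file and flags three conditions that matter in an MFA-mandatory, least-privilege environment: a successful console sign-in without MFA, any use of the account root user, and API calls that stop or reconfigure the trail itself. The log records are constructed for the example (documentation account ID and IP ranges); the field names follow the CloudTrail record format, while the rule names are ours.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Record carries the subset of CloudTrail record fields the rules below use.
// Field names follow the CloudTrail record format; other fields are ignored.
type Record struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	SourceIP     string `json:"sourceIPAddress"`
	UserIdentity struct {
		Type string `json:"type"`
		ARN  string `json:"arn"`
	} `json:"userIdentity"`
	AdditionalEventData struct {
		MFAUsed string `json:"MFAUsed"`
	} `json:"additionalEventData"`
	ResponseElements struct {
		ConsoleLogin string `json:"ConsoleLogin"`
	} `json:"responseElements"`
}

// Finding pairs a matched record with the name of the rule that fired.
type Finding struct {
	Rule   string
	Record Record
}

// Successful console sign-in where MFA was not used.
func consoleLoginWithoutMFA(r Record) bool {
	return r.EventName == "ConsoleLogin" &&
		r.ResponseElements.ConsoleLogin == "Success" &&
		r.AdditionalEventData.MFAUsed != "Yes"
}

// Any use of the account root user; root should be reserved for break-glass.
func rootActivity(r Record) bool { return r.UserIdentity.Type == "Root" }

// API calls that stop, delete or reconfigure the audit trail itself.
func trailTampering(r Record) bool {
	if r.EventSource != "cloudtrail.amazonaws.com" {
		return false
	}
	switch r.EventName {
	case "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors":
		return true
	}
	return false
}

// Detect parses a CloudTrail log file ({"Records":[...]}) and returns every
// rule match in record order.
func Detect(raw []byte) ([]Finding, error) {
	var trail struct {
		Records []Record `json:"Records"`
	}
	if err := json.Unmarshal(raw, &trail); err != nil {
		return nil, err
	}
	rules := []struct {
		name  string
		match func(Record) bool
	}{
		{"console-login-without-mfa", consoleLoginWithoutMFA},
		{"root-account-activity", rootActivity},
		{"cloudtrail-tampering", trailTampering},
	}
	var findings []Finding
	for _, r := range trail.Records {
		for _, rule := range rules {
			if rule.match(r) {
				findings = append(findings, Finding{Rule: rule.name, Record: r})
			}
		}
	}
	return findings, nil
}

// SampleTrail is a constructed log file, not real data: one benign S3 read,
// a console login without MFA, root API use, and a StopLogging call.
const SampleTrail = `{"Records":[
 {"eventTime":"2026-02-15T09:00:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",
  "sourceIPAddress":"10.0.1.25","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/app-worker/i-0abc"}},
 {"eventTime":"2026-02-15T09:05:12Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin",
  "sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},
  "additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}},
 {"eventTime":"2026-02-15T09:07:40Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances",
  "sourceIPAddress":"203.0.113.7","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"}},
 {"eventTime":"2026-02-15T09:09:03Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging",
  "sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"}}
]}`

func main() {
	findings, err := Detect([]byte(SampleTrail))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-28s %s %s by %s from %s\n", f.Rule, f.Record.EventTime,
			f.Record.EventName, f.Record.UserIdentity.ARN, f.Record.SourceIP)
	}
}
```

Run against the sample it produces three findings, one per suspicious record, and nothing for the benign S3 read. The same rules map directly onto CloudWatch metric filters or EventBridge patterns for real-time alerting; GuardDuty covers the root-usage and trail-tampering cases out of the box, so a custom rule like this mainly adds value for organisation-specific policy such as the MFA requirement.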
3.6. Data Backups & Disaster Recovery:
- We perform automated, regular, and redundant backups of all critical data to ensure data availability and recoverability. Backups are encrypted and stored in geographically diverse locations within AWS.
- We have a documented disaster recovery plan that outlines procedures for rapid data restoration and business continuity in the event of a major outage or data loss incident.
3.7. Penetration Testing & Vulnerability Assessments:
- We conduct regular vulnerability assessments and penetration testing of our application and infrastructure to identify and remediate potential security weaknesses.
- Testing is performed by qualified internal personnel and, periodically, by independent third-party security firms.
- Identified vulnerabilities are prioritized and addressed based on severity, with critical issues remediated promptly.
4. Organizational Security Measures
4.1. Data Breach Response Plan:
- Nexture AI has a comprehensive, documented data breach response plan. This plan outlines clear procedures for incident detection, containment, eradication, recovery, and post-incident analysis.
- Breach Notification: In the event of a security incident involving personal information, we will comply with all applicable federal and state data breach notification laws, including timely notification of affected individuals and relevant regulators.
4.2. Vendor Security Management:
- We conduct thorough due diligence on all third-party service providers (our sub-processors) who handle your data, including AWS, our OCR provider, our LLM provider, and our payment gateway.
- We enter into robust contractual agreements (e.g., Data Processing Addenda) with these providers, obligating them to adhere to high security and privacy standards, consistent with GLBA and our own policies, and prohibiting them from using your data for unauthorized purposes.
4.3. Employee Security Awareness Training:
All Nexture AI team members undergo mandatory and regular training on data privacy, security best practices, and our internal security policies and procedures. This ensures our team is equipped to protect your data effectively.
4.4. Internal Security Policies:
We maintain comprehensive internal security policies and procedures governing data handling, access management, incident response, and acceptable use of company resources to ensure consistent application of our security program.
4.5. Data Disposal & Secure Deletion:
When data is no longer needed or upon user request, we follow secure deletion procedures. Documents and extracted data are permanently removed from active systems within 30 days. Encrypted backups are purged within 90 days. Where applicable, cryptographic key deletion (crypto-shredding) is used: destroying the key under which data was encrypted renders every copy of that ciphertext, including copies held in backups, permanently unrecoverable.
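Crypto-shredding, like the KMS-managed encryption at rest described in Section 3.1, relies on envelope encryption: each object is encrypted under its own data encryption key (DEK), and the DEK is stored only in wrapped form under a key encryption key (KEK) that never leaves the key service. The following added Go example is an illustration only, not Nexture AI's code; its in-memory KeyStore is a hypothetical stand-in for AWS KMS. It implements that structure with AES-256-GCM and shows that deleting the KEK makes every object wrapped under it unrecoverable without touching the ciphertext itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrKeyDeleted is returned when the key encryption key (KEK) an object was
// wrapped under no longer exists: the object has been crypto-shredded.
var ErrKeyDeleted = errors.New("KEK deleted; ciphertext is permanently unrecoverable")

// KeyStore is a hypothetical stand-in for a KMS. It holds KEKs by ID; KEK bytes never leave it.
type KeyStore struct{ keks map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[string][]byte{}} }

// mustRandom returns n CSPRNG bytes; a failing CSPRNG is fatal, not something to continue past.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// CreateKEK generates a fresh random 256-bit AES key under the given ID.
func (ks *KeyStore) CreateKEK(id string) { ks.keks[id] = mustRandom(32) }

// DeleteKEK is the crypto-shred step: every object wrapped under this KEK,
// including copies sitting in backups, becomes undecryptable at once.
func (ks *KeyStore) DeleteKEK(id string) { delete(ks.keks, id) }

// EncryptedObject is the envelope stored at rest: ciphertext plus the per-object DEK wrapped under a KEK.
type EncryptedObject struct {
	KEKID      string
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK, aad=KEKID)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh nonce and returns nonce||ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; the GCM tag check fails on any tampering or wrong key.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// Encrypt generates a random DEK, encrypts the plaintext under it, then wraps the DEK
// under the named KEK. The KEK ID is bound as associated data so a wrapped DEK cannot
// be quietly re-pointed at a different KEK.
func (ks *KeyStore) Encrypt(kekID string, plaintext []byte) (*EncryptedObject, error) {
	kek, ok := ks.keks[kekID]
	if !ok {
		return nil, errors.New("unknown KEK id")
	}
	dek := mustRandom(32)
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(kekID))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the data. Once the KEK is gone there is no path back.
func (ks *KeyStore) Decrypt(obj *EncryptedObject) ([]byte, error) {
	kek, ok := ks.keks[obj.KEKID]
	if !ok {
		return nil, ErrKeyDeleted
	}
	dek, err := open(kek, obj.WrappedDEK, []byte(obj.KEKID))
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext, nil)
}
```

Usage: create a KEK per customer or tenant, Encrypt each document under it, and Decrypt on read; calling DeleteKEK for that tenant shreds every document and every backup copy at once, since the backups only ever held wrapped DEKs and ciphertext. Two details carry over to a real KMS deployment: the per-object DEK means the KEK is used only for small wrap operations (the pattern behind KMS GenerateDataKey), and KMS does not delete a key immediately but schedules deletion after a mandatory 7-to-30-day waiting period, which is the window in which a mistaken shred can still be cancelled.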
5. User's Role in Security
While we implement extensive security measures, your role as a user is vital in maintaining the security of your account:
- Use strong, unique passwords for your Nexture AI account.
- Enable Multi-Factor Authentication (MFA) if offered.
- Keep your login credentials confidential.
- Monitor your account for any suspicious activity.
- Report suspected security vulnerabilities to security@nextureai.com (see Section 7, Responsible Disclosure) and any suspected compromise of your account or other security incident to admin@nextureai.com immediately.
6. Compliance & Certifications
Nexture AI is committed to complying with all applicable data protection laws and regulations in the United States, including the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. Our security program is designed with these requirements in mind.
Our infrastructure provider, Amazon Web Services (AWS), maintains numerous industry attestations and certifications, including SOC 2 Type II reports, ISO 27001 certification, PCI DSS Level 1 compliance, and HIPAA eligibility. These cover AWS's layer of the shared responsibility model; Nexture AI builds on these certified services as the foundation of our own security posture. We are actively working toward obtaining our own SOC 2 Type II report and will update this Security Statement as our compliance program evolves.
7. Responsible Disclosure
We value the security research community and encourage responsible disclosure of any security vulnerabilities discovered in our Service. If you believe you have found a security vulnerability, please report it to us at security@nextureai.com.
When reporting, please include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce the issue.
- Any supporting evidence (screenshots, logs, proof-of-concept code).
We commit to acknowledging receipt of your report within two (2) business days and will work to validate and address confirmed vulnerabilities promptly. We ask that you give us a reasonable period to remediate before any public disclosure.
8. Changes to This Security Statement
We may update this Security Statement from time to time to reflect changes in our security practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Security Statement on this page and updating the "Effective Date" at the top. We encourage you to review this Security Statement periodically.
9. Contact Information
If you have any questions or concerns about our security practices, please contact us at:
Nexture AI, Inc.
1521 Alton Rd. PMB 106, Miami Beach, FL 33139, United States
Email: admin@nextureai.com