Security

Nuberio connects to your AWS account through a cross-account IAM role that you create via a provided CloudFormation template. By default, the role uses the AWS-managed ReadOnlyAccess policy plus sns:Publish on the NuberioAlerts topic (required for test alerts and pipeline verification).

The AWS-managed ReadOnlyAccess policy grants broad read-only access across all AWS services. Nuberio actively uses CloudWatch, CloudTrail, ECS, RDS, EC2, Logs, and Security Hub data during diagnosis. No additional read policies are attached.

The default role grants no write permissions. If you opt into Actions (EnableActions=true during CloudFormation setup), Nuberio is additionally granted targeted write permissions so it can execute remediations you explicitly approve during an alert — for example restarting an ECS service, rebooting an RDS instance, or updating Lambda concurrency. Actions are disabled by default and require your explicit opt-in.

To revoke Nuberio access instantly at any time: delete the IAM role from your AWS console. This requires no action on the Nuberio side. The role trust policy is scoped to Nuberio's AWS account combined with a unique ExternalId generated for your account — this prevents confused deputy attacks and ensures no other AWS entity can assume your Nuberio role.

Nuberio does not store your AWS credentials. Authentication happens via STS AssumeRole — Nuberio holds only the Role ARN (which is not a credential), and AWS issues short-lived session tokens on each API call.

Session tokens are cached in Lambda memory for up to 10 minutes and are never written to disk or any database. This avoids redundant STS calls when multiple diagnostic steps run within the same execution context.

WhatsApp delivery uses the WhatsApp Business API. Nuberio stores only your WhatsApp phone number and the Nuberio-generated webhook token — not your WhatsApp credentials.

If you optionally provide a GitHub PAT secret ARN during setup, Nuberio reads that secret from AWS Secrets Manager only during incident investigation to fetch recent commits and correlate deploys with anomalies. Nuberio does not store the token itself.

Raw metric datapoints collected during diagnosis are retained for 30 days and then deleted automatically via DynamoDB TTL.

Security findings (GuardDuty, Security Hub, Inspector) are retained for 7 days. Infrastructure events are retained for 7 days.

Diagnosis summaries (the AI-generated diagnosis text) are retained for 90 days and are visible only to authenticated members of your workspace.

Account metadata (AWS account IDs, IAM role ARNs, WhatsApp phone numbers) is retained for the lifetime of your Nuberio account and is deleted within 7 days of account closure.

Nuberio does not sell, license, or share your data with third parties. Aggregate and anonymised data (e.g. median resolution times across all users) may be used internally to improve the product.

All data is encrypted at rest using AES-256. Databases and object storage use AWS KMS-managed keys.

All data in transit is encrypted using TLS 1.3. Nuberio enforces HSTS across all endpoints.

Backups are encrypted with the same key policy as the primary data store.

Nuberio runs on AWS. All customer data is stored and processed within AWS infrastructure.

Customer workspaces are logically isolated — each workspace can only access its own data, enforced via scoped authentication and per-workspace access controls at the application layer.

Known vulnerabilities in dependencies are identified through automated scanning and addressed as part of the standard development workflow.

Nuberio is working toward SOC 2 Type II certification. Security controls aligned with the SOC 2 Trust Service Criteria (Security and Availability) are implemented. Formal audit documentation will be made available to customers once the process is complete.

Nuberio processes personal data as a data processor acting on behalf of its customers (who are the data controllers), in accordance with applicable data protection law including the GDPR. We collect only the data necessary to provide the service. For data protection enquiries, email [email protected].

Independent security testing is planned as the product and customer base mature. In the meantime, security is reviewed as part of every change to the codebase and infrastructure.

If Nuberio becomes aware of a security incident that affects customer data, affected customers will be notified promptly — and in any case within 72 hours — via the email address on their account.

To report a security vulnerability, email [email protected]. We review all reports and aim to respond within 5 business days. We follow a 90-day responsible disclosure window.