
Security & compliance

Operators ship money on nuke.ai. The platform's security posture is the load-bearing guarantee behind every brand we power. This page documents the controls we run, the standards we hold ourselves to, and the response process when something goes wrong. It's intentionally specific — vague security pages are the tell of vendors who don't actually have the controls.

VERIFY BEFORE LINKING PUBLICLY. Some claims below (SOC 2 status, ISO 27001, exact pen-test cadence and firm name) need confirmation from the nuke.ai security team before this page is linked from the marketing nav. Search for the strings tagged [VERIFY] and confirm or replace.

1. Data residency

Operator and player data is stored in the region matching the brand's licensing jurisdiction. EU brands store in EU regions; LATAM brands store in North-America-South; Asia brands in AP regions. Cross-region replication is opt-in, never default. Database backups inherit the same region constraints; off-region disaster-recovery copies are encrypted at rest with region-bound KMS keys.

2. Encryption

TLS 1.3 with HSTS preload on every public endpoint; perfect-forward-secrecy ciphers only. Data at rest uses AES-256-GCM with envelope encryption — column-level keys for payment instruments and KYC records, schema-level keys for everything else. Key rotation is automatic on a 90-day cadence; manual rotation is one API call away for incident response.
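The envelope scheme described above, as an added example that is not nuke.ai's code: a per-region key-encryption key (KEK) wraps one data-encryption key (DEK) per protected column, the DEK encrypts the column's values, and rotating the KEK only re-wraps the small DEK record, leaving the stored ciphertext untouched. The KEK living in memory rather than a KMS, and the use of the column name and row id as GCM additional authenticated data, are assumptions made so the example runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen = 32 // AES-256

// WrappedDEK is the record stored beside a column's metadata: the DEK sealed
// under a KEK, plus the id of the KEK that sealed it. Hypothetical layout for
// this example; the real schema is not described on the page.
type WrappedDEK struct {
	KEKID  string
	Sealed []byte // nonce || AES-256-GCM ciphertext of the DEK
}

// newKey returns a fresh random AES-256 key. A KEK would normally be held by a
// region-bound KMS; here it is plain bytes so the example is self-contained.
func newKey() ([]byte, error) {
	k := make([]byte, keyLen)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// sealGCM encrypts plaintext with AES-256-GCM under a random 96-bit nonce and
// returns nonce || ciphertext. aad is authenticated, not encrypted: it binds
// the ciphertext to the context it was written in.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any mismatch in key, nonce, ciphertext or aad
// fails authentication and returns an error instead of plaintext.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// WrapDEK seals a column's DEK under the KEK. The column name is the AAD, so a
// wrapped key copied into another column's metadata will not unwrap there.
func WrapDEK(kek []byte, kekID, column string, dek []byte) (WrappedDEK, error) {
	sealed, err := sealGCM(kek, dek, []byte(column))
	if err != nil {
		return WrappedDEK{}, err
	}
	return WrappedDEK{KEKID: kekID, Sealed: sealed}, nil
}

// UnwrapDEK recovers the plaintext DEK for a column from its wrapped record.
func UnwrapDEK(kek []byte, column string, w WrappedDEK) ([]byte, error) {
	return openGCM(kek, w.Sealed, []byte(column))
}

// RotateKEK re-wraps the DEK under a new KEK. Only the wrapped-key record
// changes; column ciphertext (encrypted under the unchanged DEK) is untouched,
// which is what keeps scheduled or emergency KEK rotation cheap.
func RotateKEK(oldKEK, newKEK []byte, newKEKID, column string, w WrappedDEK) (WrappedDEK, error) {
	dek, err := UnwrapDEK(oldKEK, column, w)
	if err != nil {
		return WrappedDEK{}, err
	}
	return WrapDEK(newKEK, newKEKID, column, dek)
}

// EncryptValue and DecryptValue protect one cell with the column's DEK. The row
// id is the AAD, so a ciphertext moved to another row does not decrypt.
func EncryptValue(dek []byte, rowID string, value []byte) ([]byte, error) {
	return sealGCM(dek, value, []byte(rowID))
}

func DecryptValue(dek []byte, rowID string, ct []byte) ([]byte, error) {
	return openGCM(dek, ct, []byte(rowID))
}

func main() {
	const column = "payment_instruments.pan_token" // constructed column name
	kek1, _ := newKey()
	dek, _ := newKey()
	w, _ := WrapDEK(kek1, "eu-kek-1", column, dek)
	ct, _ := EncryptValue(dek, "row-42", []byte("constructed sample value"))

	kek2, _ := newKey() // rotation: new KEK, same DEK, same stored ciphertext
	w2, _ := RotateKEK(kek1, kek2, "eu-kek-2", column, w)
	dek2, _ := UnwrapDEK(kek2, column, w2)
	pt, err := DecryptValue(dek2, "row-42", ct)
	fmt.Printf("after rotation under %s: %q (err=%v)\n", w2.KEKID, pt, err)
}
```

Rotating the DEK itself (not shown) is the expensive path, since every cell in the column must be re-encrypted; that asymmetry is why KEK rotation can run on a fixed cadence and DEK rotation is usually reserved for suspected key exposure.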

3. Access controls

Operator-side console access requires SSO (Google Workspace, Okta, Azure AD) and enforces MFA. Permissions are RBAC with seven default roles plus a custom-role builder. Every administrative action — config change, payout, KYC override, brand deploy — produces an immutable audit-log entry visible to both the operator's admins and to nuke.ai support during incident triage.

4. Penetration testing

External penetration tests are performed quarterly by an independent CREST-accredited firm [VERIFY: firm name]. Findings are tracked in the internal CVE register; critical and high findings are fixed within SLA (24 h and 7 d respectively) and recorded in the engineering changelog. A redacted summary is available to operator security teams under NDA.

5. Certifications

SOC 2 Type II [VERIFY: status — in progress / certified / out of scope]. ISO 27001 [VERIFY]. PCI-DSS scope is confined to the tokenization gateway — operators' cardholder data does not transit nuke.ai application servers. Compliance reports are available under NDA.

6. Vulnerability disclosure

Security researchers can disclose findings to [email protected]. We commit to acknowledging within 72 hours, providing remediation status within 14 days, and crediting external researchers in the public security changelog (opt-in). Formal bug-bounty program: [VERIFY: status].

7. Incident response

Sev-1 incidents (operator-affecting outages, data exposure) are acknowledged within 15 minutes, with status-page updates every 30 minutes until resolved and a public post-mortem within 5 business days. Sev-2 incidents (degraded performance, partial feature outage) are acknowledged within 1 hour. The current platform-wide status is published on the homepage status strip and updated at every release.

8. Contact

Security inquiries: [email protected].
General compliance: [email protected].