
Enterprise Security & Compliance

Last updated: January 1, 2026

NirmIQ is built for organizations developing safety-critical systems. Our security infrastructure meets the stringent requirements of aerospace (DO-178C), automotive (ISO 26262), and medical device (FDA 21 CFR Part 11) industries - the same standards demanded by Boeing, Tesla, and Medtronic.

Unlike legacy ALM tools that retrofit security onto decades-old architectures, NirmIQ was designed from the ground up with modern security principles: zero-trust architecture, database-level isolation, and immutable audit trails.

Enterprise Security Infrastructure

Row-Level Security (RLS)

Database-enforced multi-tenant isolation. Unlike application-layer filtering used by legacy tools, RLS prevents data leakage even if application code contains vulnerabilities. Each organization's data is cryptographically isolated at the PostgreSQL level.

Zero-Trust Architecture

Every request is authenticated and authorized. JWT tokens with configurable expiration, session management with automatic timeout, and IP-based access controls. No implicit trust, even for internal services.

Immutable Audit Trails

Every action is recorded with full before/after state, timestamps, user identity, and IP address. 7-year retention meets FDA 21 CFR Part 11 and SOC 2 requirements. Audit logs cannot be modified or deleted - even by system administrators.

Intelligent Rate Limiting

Endpoint-specific rate limiting prevents brute force attacks and API abuse. Login endpoints are protected with escalating lockouts. AI features have dedicated quotas to prevent cost attacks. Real-time threat detection alerts on suspicious patterns.

Compliance Standards

NirmIQ's compliance infrastructure is designed for regulated industries. Our audit logging, access controls, and data protection measures align with the most stringent international standards.

SOC 2 Type II

Complete audit trail infrastructure with 7-year retention, access logging, and change management.

  • CC6.1 Logical Access
  • CC7.2 System Operations
  • CC8.1 Change Management

ISO 27001

Information security management following ISO 27001 best practices for risk assessment and controls.

  • A.12.4 Event Logging
  • A.9.4 Access Control
  • A.12.6 Vulnerability Management

FDA 21 CFR Part 11

Electronic records and signatures for medical device development. Complete audit trails for FDA submissions.

  • 11.10(e) Audit Trails
  • 11.10(d) Access Controls
  • 11.10(g) Authority Checks

GDPR

Full GDPR compliance with data access logging, right of access support, and data minimization.

  • Article 30 Processing Records
  • Article 15 Right of Access
  • Article 32 Security Measures

ISO 26262

Automotive functional safety support with complete traceability, ASIL classification, and FMEA integration.

  • Bi-directional Traceability
  • Change Impact Analysis
  • Integrated DFMEA/PFMEA

DO-178C

Aerospace software certification support with DAL classification, configuration management, and audit trails.

  • Requirements Traceability
  • Configuration Management
  • Complete Audit Records

Data Protection

Encryption Standards

  • In Transit: TLS 1.3 for all connections. HTTPS enforced with HSTS.
  • At Rest: AES-256 encryption for all stored data.
  • Database: Encrypted backups with secure key management via Supabase.
  • File Storage: Server-side encryption for all uploaded files.

Database-Level Isolation

Each organization's data is isolated using PostgreSQL Row-Level Security (RLS) policies. This is fundamentally different from application-layer filtering used by legacy ALM tools. With RLS, the database itself enforces isolation - data from one organization cannot be accessed by another, even if there's a bug in the application code.
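As an added illustration of the mechanism described above (not NirmIQ's own schema or policies, which this page does not publish), the following shows what a PostgreSQL tenant-isolation policy looks like; the table, the app_api role and the app.current_org session variable are assumptions for the example.

```sql
-- Illustrative tenant-isolation setup (constructed example, not NirmIQ's schema).
-- Assumes the API server sets app.current_org to the organization id taken
-- from the caller's verified JWT before issuing any query.

CREATE TABLE requirements (
    id      uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id  uuid NOT NULL,
    title   text NOT NULL
);

-- Turn on RLS and FORCE it so the table owner is subject to the policy too.
-- Only superusers and roles with BYPASSRLS can still bypass it, so the
-- application must never connect as either.
ALTER TABLE requirements ENABLE ROW LEVEL SECURITY;
ALTER TABLE requirements FORCE ROW LEVEL SECURITY;

-- USING filters rows read/updated/deleted; WITH CHECK validates rows written.
-- current_setting(..., true) yields NULL when the variable is unset, and
-- NULL never equals anything, so an unidentified session sees no rows and
-- cannot insert any: the failure mode is "nothing", not "everything".
CREATE POLICY org_isolation ON requirements
    FOR ALL
    USING      (org_id = current_setting('app.current_org', true)::uuid)
    WITH CHECK (org_id = current_setting('app.current_org', true)::uuid);

-- Least-privilege role for the API server: owns nothing, cannot bypass RLS.
CREATE ROLE app_api NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON requirements TO app_api;

-- Per-request pattern: scope the tenant for this transaction only.
-- Even a bare SELECT with no WHERE clause (the classic application-layer
-- filtering bug) returns only rows belonging to the current organization.
BEGIN;
SET ROLE app_api;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT id, title FROM requirements;
COMMIT;

-- Audit check worth running in CI: every tenant table must report
-- relrowsecurity = true AND relforcerowsecurity = true.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class
WHERE relnamespace = 'public'::regnamespace AND relkind = 'r';
```

The last query is the practical verification step: a table that holds tenant data but shows `false` in either column is exactly the gap that lets an application bug leak data across organizations.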

Authentication & Access Control

  • Secure password policies with strength requirements and breach detection
  • Multi-factor authentication (MFA) support
  • SSO integration via SAML 2.0 and OpenID Connect
  • Session management with configurable timeout (default: 2 hours)
  • API authentication via JWT tokens with rotation
  • Role-based access control (RBAC) with Admin, User, and Viewer roles
  • IP allowlisting for enhanced access control (Enterprise plans)

Infrastructure Security

  • Hosted on SOC 2 Type II compliant cloud infrastructure (Supabase, Vercel, Railway)
  • DDoS protection and Web Application Firewall (WAF)
  • Intelligent rate limiting with endpoint-specific thresholds
  • Real-time threat detection and alerting
  • Network segmentation and firewall rules
  • 24/7 infrastructure monitoring with automated incident response

Audit & Logging

Our audit logging system captures every action in the platform, providing complete visibility for compliance audits and security investigations:

  • Complete CRUD Logging: Every create, update, delete with before/after state
  • Authentication Events: Login attempts, logouts, password changes, MFA events
  • Security Events: Failed access attempts, rate limit violations, suspicious patterns
  • GDPR Support: Data access logging for Right of Access requests
  • Immutable Records: Audit logs cannot be modified or deleted
  • 7-Year Retention: Meets SOC 2 and FDA requirements

Operational Security

Security Testing

  • Regular penetration testing by third-party security firms
  • Continuous vulnerability scanning
  • Static and dynamic application security testing (SAST/DAST)
  • Dependency vulnerability monitoring with automated updates

Incident Response

We maintain a documented incident response plan with defined roles and procedures. In the event of a security incident, affected customers will be notified within 72 hours as required by GDPR.

Business Continuity

  • Continuous automated backups with point-in-time recovery
  • 30-day backup retention
  • Disaster recovery plan with defined RTOs and RPOs
  • Multi-region deployment options (Enterprise)

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a potential security issue, please report it responsibly:

Security Contact: info@gannetsolutions.com

Please include detailed steps to reproduce the issue. We commit to acknowledging your report within 48 hours and will work with you to understand and address the issue.

Questions?

For security-related inquiries or to request our security documentation:

Gannet Solutions

Email: info@gannetsolutions.com

Website: www.nirmiq.com