Security & deployment

The boring parts. Documented.

NexliOne is built against the controls in SOC 2 Type II, ISO 27001, HIPAA, and GDPR — and ships the technical capabilities those frameworks require. We describe what the platform does. We do not claim certifications we do not yet hold.

Deployment

Three ways to run it. You choose.

Cloud

The default. Managed by NexliOne.

  • Provisioned in minutes
  • Patched automatically
  • Pick a region; data does not leave it
  • Customer-managed keys via KMS
  • Continuous backup with PITR

Best for: Most companies, most of the time.

Self-host

Your infrastructure. Full feature parity.

  • Docker, Kubernetes, or bare-metal Linux
  • You control the upgrade cadence
  • BYO database, object store, and KMS
  • Telemetry can be disabled
  • Engineering support via your account team

Best for: Regulated industries, sovereign-data jurisdictions, or strict procurement constraints.

Air-gapped

No inbound or outbound network. Period.

  • Updates as signed bundles imported manually
  • No external services in the data path
  • Optional offline license / signature verification
  • Hardened minimal OS image available
  • Whitepaper available on request

Best for: Defence, classified, or otherwise isolated environments.

Capabilities

What the platform actually does.

Architecture

NexliOne is built around the assumption that you do not implicitly trust the network — every request between modules is authenticated, every action is authorized against a shared identity service, and every piece of data is encrypted by default. There is no "internal" surface.

  • Zero-trust internal request authentication (mutual TLS between modules)
  • Centralized identity service shared across all 26 modules
  • Stateless service tier for predictable scaling and rolling deploys
  • Defence-in-depth: WAF, network policies, app-level authorization, and audit log

Encryption at rest & in transit

AES-256 encryption at rest for every module's primary database, object store, and backup. TLS 1.3 in transit, with HSTS and certificate pinning on managed deployments. Customer-managed keys (KMS) supported on cloud and self-host editions.

  • AES-256 at rest, TLS 1.3 in transit
  • Customer-managed keys via AWS KMS, GCP KMS, or HashiCorp Vault
  • Per-tenant key separation in cloud edition
  • Encrypted field-level overrides for PII or PHI columns

SSO, SAML, OIDC

Single sign-on via SAML 2.0 or OpenID Connect with any major identity provider. SCIM provisioning for automated user lifecycle. Multi-factor authentication enforceable at the IdP layer or natively if no IdP is in place.

  • SAML 2.0 and OIDC (Okta, Azure AD, Google Workspace, Auth0, Ping, etc.)
  • SCIM 2.0 user & group provisioning
  • Native MFA fallback (TOTP, WebAuthn) if no IdP
  • Just-in-time user provisioning on first sign-in

Role- & attribute-based access

Permissions are evaluated per-module, per-record, and per-field. Roles compose: a "Plant Manager" role can read everything inside their plant but nothing outside it. Attribute-based rules let you express constraints like "approvers must be different from authors."

  • Fine-grained roles per module
  • Record-scoped and field-scoped access control
  • Attribute-based rules for separation of duties
  • Delegated administration: each module can have its own admin scope

Tamper-evident audit log

Every read, every write, every admin action is recorded to an append-only audit log. Each entry is hash-chained to the previous entry — modifications break the chain and are detectable. Export to your SIEM via syslog, CEF, or JSON.

  • Append-only, hash-chained log
  • Action, actor, target, and before/after values for writes
  • Real-time export: syslog, CEF, JSON, or SIEM webhooks
  • Retention policies up to 10 years on cloud edition

Self-host & air-gapped deployment

Self-hosted edition ships with full feature parity. Air-gapped installation supports environments without inbound or outbound internet. Updates ship as signed bundles you import on your schedule.

  • Linux + container deployment (Docker, Kubernetes, or systemd)
  • Air-gapped install via signed update bundles
  • Customer-controlled update schedule
  • Telemetry can be fully disabled

Data residency

Choose where the data lives. Cloud edition runs in your selected region (US-East, US-West, EU-Central, CA-Central, AP-Southeast). Self-host puts the data wherever your infrastructure is. Cross-border data transfer is opt-in, never default.

  • Five managed cloud regions (US-East, US-West, EU-Central, CA-Central, AP-Southeast)
  • Self-host: any region you operate in
  • Region pinning per tenant on cloud
  • No silent cross-border replication

Compliance posture

NexliOne is designed against the controls in SOC 2 Type II, ISO 27001, HIPAA, and GDPR — and the platform ships the technical capabilities those frameworks require. Certification programs are progressing; we will publish reports as they are issued. We do not claim what is not yet certified.

  • Capabilities aligned with SOC 2 Type II controls (CC1–CC9)
  • Capabilities aligned with ISO 27001 Annex A controls
  • HIPAA-capable architecture with BAA available on request
  • GDPR Article 28 data-processing terms available; data subject request workflow built-in
  • PCI-DSS-aligned card handling for retail / NexliScan deployments

Backup & disaster recovery

Cloud edition: continuous database snapshots, point-in-time recovery to any moment in the last 35 days, cross-region replicated backups. Self-host edition: scripts for nightly snapshots, on-demand snapshots before upgrades, and tested restore procedures.

  • Continuous backup with point-in-time recovery (cloud)
  • Cross-region snapshot replication (cloud)
  • Tested DR runbook with documented RTO / RPO targets
  • Self-host: scripted backup + verification tooling included

Support

Sign up now. We are here if you need help.

Create an account in under 30 seconds. If you need connector help, self-hosting guidance, or module selection, send the support team a note.

  • Self-serve signup is live
  • Custom connectors at no charge
  • Cloud or self-hosted

Email support: support@nexlione.com