DELPHI INSIGHTS

SECURITY & TRUST

NUL Systems™
How we protect your data
Last Updated: April 27, 2026
A note from our founder. NUL Systems is a governance, risk, and compliance platform. The trust you place in us to handle your policies and transaction data is not something we take lightly. This page describes our current security posture, the practices we follow today, and the roadmap we are executing as we scale. We would rather tell you exactly where we are than overstate our maturity.

1.  Our Security Principles

We operate NUL Systems according to four principles:

•  Least privilege. Every employee and system has only the access needed to do its job, and nothing more.

•  Defense in depth. Security is applied in layers so that no single failure exposes customer data.

•  Secure by default. Encryption, access controls, and monitoring are configured from the start, not added on later.

•  Continuous verification. We treat compliance as an ongoing practice rather than a one-time audit. We use NUL itself to monitor our own governance posture.

2.  Infrastructure and Hosting

NUL Systems is hosted on Fly.io, which maintains world-class physical and network security, including SOC 2 Type II, ISO 27001, and other industry-standard certifications. Our infrastructure is hosted in the US-East region (Ashburn, Virginia).

We use modern infrastructure practices including container orchestration, infrastructure-as-code, and automated deployment pipelines. Network traffic is isolated using virtual private networks and security groups, and access to production infrastructure is limited to authorized engineers through multi-factor authentication.

3.  Encryption

3.1  Encryption in Transit

All data transmitted between your browser, our APIs, and our infrastructure is encrypted in transit using TLS 1.2 or higher. We enforce HTTPS across all endpoints and do not support insecure protocols.

3.2  Encryption at Rest

Customer Data stored in our systems, including databases, object storage, and backups, is encrypted at rest using AES-256 encryption. Encryption keys are managed by each infrastructure provider’s key management service (KMS) with strict access controls; we do not layer application-level encryption on top.

3.3  Passwords and Credentials

User passwords are never stored in plaintext. We hash passwords using industry-standard algorithms (bcrypt or equivalent) with unique salts. API keys and secrets are stored in dedicated secret management systems.

4.  Data Isolation

NUL Systems is a multi-tenant SaaS platform operating on a shared-database, shared-schema model. Customer Data is logically isolated by organization_id scoping enforced in the application and authentication layers: every authenticated request is bound to the caller’s organization via a signed JWT, and every tenant-scoped query filters on that organization ID. We additionally use Postgres Row-Level Security as a defense-in-depth control at the database layer.
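
One way the database-layer control described above can look, as an added example that is not NUL Systems' own schema or code. The table `policy_documents`, the role `app_user` and the setting `app.current_org_id` are hypothetical, and the application is assumed to copy the organization ID from the verified JWT into that setting at the start of each transaction.

```sql
-- Added example: hypothetical names, constructed sample data.
CREATE TABLE policy_documents (
    id              bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    organization_id uuid NOT NULL,
    title           text NOT NULL
);

-- Constructed sample rows for two tenants sharing one table.
INSERT INTO policy_documents (organization_id, title) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Org A travel policy'),
    ('22222222-2222-2222-2222-222222222222', 'Org B expense policy');

-- The application runs as a role that does not own the table and has no
-- BYPASSRLS attribute; superusers and BYPASSRLS roles are never filtered.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON policy_documents TO app_user;

ALTER TABLE policy_documents ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner as well.
ALTER TABLE policy_documents FORCE ROW LEVEL SECURITY;

-- Fail closed: an unset or empty setting becomes NULL, the comparison is
-- NULL, and no row passes the policy.
CREATE POLICY tenant_isolation ON policy_documents
    USING (organization_id =
           NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (organization_id =
           NULLIF(current_setting('app.current_org_id', true), '')::uuid);

-- One request on behalf of organization A.
BEGIN;
SET LOCAL ROLE app_user;
-- Third argument true = transaction-local, so the value cannot leak to the
-- next request served on the same pooled connection.
SELECT set_config('app.current_org_id',
                  '11111111-1111-1111-1111-111111111111', true);

-- No WHERE clause: the policy's USING expression supplies the tenant filter.
SELECT title FROM policy_documents;

-- A write for another organization is rejected by WITH CHECK.
INSERT INTO policy_documents (organization_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');
ROLLBACK;
```

The policy is a backstop for a missed `organization_id` filter in application code; it only helps if the application's database role is neither a superuser nor granted `BYPASSRLS`.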

Access to Customer Data by our own team is limited, logged, and auditable.

5.  Access Controls

5.1  User Access

Customer accounts require a verified email address. We support strong passwords and plan to offer single sign-on (SSO) and multi-factor authentication (MFA) as the Service matures. Session tokens expire after a period of inactivity.

5.2  Internal Access

Access to production systems, customer data, and sensitive infrastructure is restricted to authorized personnel on a least-privilege basis. All internal access requires multi-factor authentication and is logged for audit purposes. We do not access Customer Data except as necessary to provide support or investigate an operational issue, and only with appropriate authorization.

6.  Backups and Disaster Recovery

Backups of Customer Data are managed by our infrastructure providers. Our managed Postgres performs continuous write-ahead log (WAL) archival and daily snapshots; our managed graph database (Neo4j Aura) performs daily snapshots. Backups are encrypted and stored in a region separate from the primary. We maintain a disaster recovery plan with defined recovery time and recovery point objectives, and we will conduct and document our first end-to-end restore drill before general availability.

7.  Monitoring and Incident Response

We continuously monitor our infrastructure and application for availability, performance, and security signals. This includes:

•       Application performance monitoring and error tracking

•       Infrastructure logging and alerting

•       Unusual access pattern detection

•       Automated vulnerability scanning of our codebase and dependencies

We maintain an incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. In the event of a security incident affecting your data, we will notify you without undue delay and in accordance with applicable law.

8.  Secure Development Practices

We follow modern secure software development practices:

•       Code review required before changes merge to production

•       Automated testing and continuous integration pipelines

•       Dependency vulnerability scanning and automated updates

•       Separation of development, staging, and production environments

•       Version-controlled infrastructure and configuration

9.  Subprocessors

We use a limited set of trusted third-party service providers ("subprocessors") to operate NUL Systems. Each subprocessor is evaluated for security and contractually bound to appropriate data protection commitments. Our current subprocessors include:

•       Stripe — payment processing (SOC 1, SOC 2, PCI DSS Level 1)

•       Fly.io — application hosting and managed Postgres, US-East region (SOC 2 Type II, ISO 27001)

•       Supabase — managed Postgres database (SOC 2 Type II)

•       Neo4j Aura — managed graph database for the policy graph (SOC 2 Type II)

•       Resend — transactional email delivery

We update this list as our service providers change. Material changes will be communicated to active customers.

10.  Compliance and Certifications

Where we are today. NUL Systems is in its pre-audit phase. We are actively building the control environment required for SOC 2 Type I, with a target kickoff alongside our first enterprise deployment. We will move to Type II within twelve months of Type I issuance. In the meantime, our hosting providers (listed in Section 9) maintain SOC 2 Type II, ISO 27001, and other industry certifications that underpin the platform.

Our compliance roadmap:

•       Today: Operating on SOC 2 / ISO 27001 certified infrastructure; internal controls aligned to SOC 2 Trust Services Criteria

•       Near term: SOC 2 Type I formal audit kickoff with our first enterprise customer

•       Within 12 months of Type I: SOC 2 Type II report issuance

•       Evaluating: ISO 27001, HIPAA readiness, and additional frameworks as customer demand dictates

11.  Your Role in Security

Security is a shared responsibility. We protect the Service and your data at the infrastructure and application level. You are responsible for:

•       Choosing a strong, unique password for your account

•       Keeping your credentials confidential

•       Enabling multi-factor authentication when available

•       Managing who has access to your account and reviewing access regularly

•       Notifying us immediately of any suspected unauthorized access

12.  Responsible Disclosure

We welcome reports from security researchers and the broader community. If you believe you have discovered a security vulnerability in NUL Systems, please report it responsibly:

Contact: security@delphiinsights.us

We ask that you give us a reasonable time to investigate and remediate before public disclosure. We will acknowledge your report promptly and keep you informed of our progress. We do not currently operate a paid bug bounty program, but we recognize researchers who report in good faith.

13.  Questions?

We believe transparency is the foundation of trust. If you are evaluating NUL Systems and need more detail on any of the above for a vendor security review, procurement process, or internal risk assessment, we are happy to help.

Delphi Insights, LLC

Security inquiries: security@delphiinsights.us

General contact: info@delphiinsights.us
