TRUST CENTER

Security is the product, not a feature.

Vigil Nexa is built to defend enterprise SOC environments — a strict CSP, per-request script nonce, and defense-in-depth headers on day one. This page describes the posture we hold and the channel for reporting a vulnerability to us directly.

Private beta — actively onboarding design partners
SOC 2 Type II: Q4 2026 target — tracked publicly

What ships by default

Six trust claims the codebase backs up today.

Each card below maps to a concrete control the platform ships now. Prose that resembles a contractual claim carries an explicit watermark so counsel can specialize it during the legal-review sweep.

TLS 1.3 for data in transit

All platform traffic uses TLS 1.3 with modern cipher suites; cloud-to-on-prem ingest channels are encrypted end-to-end. Self-signed certificates are rejected; certificate rotation is automated.

KMS-managed secret storage

Secrets are never persisted in plaintext configuration. Every secret read at runtime resolves through a dedicated key-management system with audit logging.

Role-based access control with SSO, SAML, and SCIM

Operator access is gated by role-based access control; identity is delegated to your identity provider through SAML single sign-on and SCIM provisioning so the full joiner-mover-leaver lifecycle is owned by your directory.

Audit log export capability

Every alert, response action, and configuration change is captured in the audit log. Operators can export the log to their SIEM or to long-term storage in a portable, machine-readable format.

Deployment model matrix

Three deployment models ship today — cloud, hybrid, and on-prem — backed by the on-prem ingestion agent and the hybrid detection console.

ModelStatusWhat ships today
Cloud
Shipped today
Hosted console and SOC surface for design partners during the private beta.
Hybrid
Shipped today
On-prem ingestion agent feeds the cloud console — substantiated by the on-prem ingest route.
On-prem
Shipped today
Edge-side telemetry collection via the on-prem ingestion agent shipped in the platform.

SIEM, ticketing, and SOAR connector support

Alert and response traffic is dispatched through the connector matrix the playbook engine fires today. Connectors marked Supported by design ship through the same dispatcher surface — connector mappings are available on request for design partners.

  • SplunkEvents indexed for correlation via the SIEM webhook URL cited in the use-case grid.
    Shipped
  • ServiceNowTickets opened on escalation via the ticketing webhook URL cited in the use-case grid.
    Shipped
  • PagerDutyOn-call triggered via the SOAR play-trigger path; dispatcher body shape is PagerDuty-shaped.
    Shipped
  • DatadogSignals correlated with downstream process anomalies via the SIEM webhook URL.
    Shipped
  • SentinelConnector mapping is available on request for design partners.
    Supported by design
  • QRadarConnector mapping is available on request for design partners.
    Supported by design
Responsible disclosure

Found a vulnerability? Tell us directly.

Email vigilnexa@polsia.app with the subject Security Disclosure. We'll acknowledge within 5 business days and triage with the engineering team — no public disclosure coordination required for a first contact, just a clear repro.

For design partnerships, enterprise sales, or general inquiries, use the regular contact form.

Vigil Nexa is in active private beta; SOC 2 Type II is on the roadmap for Q4 2026 — track progress on /about#roadmap.