Nuro AI Labs
Trust · Security · Compliance

Security & compliance.

Frontier research is only useful if the foundations underneath it are boring. We treat security as non-optional infrastructure — audited, documented, and built in from day one.

At a glance
  • Last updated: 27 April 2026
  • Disclosure window: 90 days
  • Incident SLA: 24 hours
  • Pen test: Annual · Feb 2026
Compliance

Audited. Not asserted.

Every certification below has either been completed by a third-party auditor or is in active assessment. No marketing badges.

SOC 2
Active

SOC 2 Type II

Hypersave is SOC 2 Type II audited. Reports available under NDA on request from any Team or Enterprise customer.

ISO 27001
In progress

ISO 27001

Audit underway with completion targeted for Q4 2026. Evidence collection and gap remediation are in their final phase.

GDPR
Active

GDPR (EU)

Full compliance with EU GDPR. EU-based processing options for Enterprise customers. Standard Contractual Clauses on request.

UK DPA
Active

UK Data Protection Act 2018

Registered with the UK Information Commissioner's Office. UK GDPR compliant. Data Protection Officer reachable at privacy@nuroailabs.com.

Our practices

What we actually do.

Four areas. Sixteen specifics. The same posture across Hypersave, Khyaa, and the open-weights research stack.

01

Data

Encryption at rest
AES-256-GCM for every byte of customer data in storage. Per-tenant key envelopes managed via AWS KMS.
Encryption in transit
TLS 1.3 enforced on all public endpoints. HSTS preload. Internal service-to-service traffic over mTLS.
Tenant isolation
Logical isolation by default. Per-tenant database schemas on Team. Dedicated VPC available on Enterprise.
No training on customer data
Customer content is never used to train, fine-tune, or evaluate Nuro AI Labs models. In writing, in every contract.
02

Access

SSO / SAML
Available on Enterprise. Okta, Google Workspace, Microsoft Entra ID, and any SAML 2.0 identity provider.
Role-based access control
Owner / Admin / Member / Viewer roles built in. Custom roles on Enterprise via SCIM provisioning.
Audit logs
Every authentication event, data access, and configuration change logged. 90-day retention on Team. Custom retention on Enterprise.
Hardware-backed MFA
All Nuro AI Labs employees use hardware security keys for production access. No password-only access, anywhere.
03

Incident response

Notification SLA
Customers notified within 24 hours of any confirmed incident affecting their data. Enterprise customers get a named contact.
Public postmortems
We publish a postmortem for every Sev-1 within seven business days. No marketing language. Root cause, timeline, fix.
On-call rotation
24/7 engineering on-call covering all production surfaces. Pager response under 15 minutes.
Tabletop exercises
Quarterly incident-response tabletop exercises. Annual full-scale simulation with external auditor observation.
04

Vulnerability management

Dependency scanning
Continuous SCA across every repository. Known-CVE deployments are blocked at CI. Critical patches deployed within 24 hours.
Static + dynamic analysis
SAST runs on every pull request. DAST runs nightly against pre-prod and weekly against production.
Penetration testing
Annual third-party penetration test. Latest report dated February 2026. Available under NDA on request.
Bug bounty (Q3 2026)
Public bug bounty program launching Q3 2026. Until then, see responsible disclosure below for the private channel.
Responsible disclosure

Found something? Tell us first.

If you believe you've found a security vulnerability in any Nuro AI Labs product or surface, please email security@nuroailabs.com. We acknowledge every report within 48 hours and aim for a triage decision within five business days.

  • Give us a 90-day disclosure window before public release.
  • Don't degrade availability for other users while testing.
  • Don't access, modify, or exfiltrate data that isn't yours.
  • We won't pursue legal action against good-faith research.

A public bug-bounty program is launching in Q3 2026. Until then, qualifying reports will be acknowledged in the public hall-of-fame on this page after the disclosure window closes.

Security reports
security@nuroailabs.com

PGP key on request

Privacy questions
privacy@nuroailabs.com

DPA · subprocessors · DPO

Press inquiries
press@nuroailabs.com

Briefings · embargoed coverage

Last reviewed · 27 April 2026