Legal

Nesta Security Overview

A practical overview of the safeguards Nesta uses to protect accounts, customer data, and public audit workflows.

Effective November 29, 2024Last updated May 4, 2026

1. Overview

This Security Overview describes the general safeguards Nesta uses to protect the Services. It is informational and may change as our product, infrastructure, and vendors evolve.

We do not currently use this page to claim SOC 2, ISO 27001, HIPAA, PCI DSS, or any other formal certification unless expressly stated in a signed agreement or current security report.

2. Hosting and Infrastructure

Nesta uses managed hosting, database, and application infrastructure providers to operate the Services. These providers are listed where applicable in our Subprocessor List.

Security controls may include:

  • managed infrastructure controls;
  • environment-separated configuration;
  • HTTPS/TLS for data in transit;
  • database access restrictions;
  • deployment and access logging; and
  • backup and recovery practices.

3. Access Controls

We use access controls designed to limit employee, contractor, and vendor access to systems and information based on business need.

Customers are responsible for:

  • assigning appropriate users and roles;
  • removing access for former employees and contractors;
  • protecting credentials and connected accounts; and
  • notifying us promptly of suspected unauthorized access.

4. Connected Accounts

Nesta may connect to third-party accounts such as Google, WordPress, and advertising platforms at customer direction.

Customers remain responsible for permissions, billing controls, advertising budgets, platform compliance, and connected account governance.

5. AI and Public Audit Data

AI features and public audits may use third-party providers and public or licensed data sources. We design these workflows to use the information needed to provide the requested feature and to avoid using restricted Google API data in ways prohibited by applicable Google policies.

Public audit result links and report tokens should be treated as private links.

6. Incident Response

If we become aware of a security incident affecting personal information or Customer Personal Information, we will investigate and provide notices as required by law, our agreements, and applicable data processing terms.

7. Vulnerability Reports

If you believe you have found a security issue involving Nesta, contact support@nesta.so with enough detail for us to investigate. Do not access, alter, download, or disclose data that does not belong to you.