Security and Privacy at Nomad

Security governance

Nomad's Security and Privacy team establishes policies and controls, monitors compliance with those controls, and demonstrates our security and compliance to third-party auditors.

Our policies are based on the following foundational principles:
1. Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.
2. Security controls should be implemented and layered according to the principle of defense-in-depth.
3. Security controls should be applied consistently across all areas of the enterprise.
4. The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.
Security and Compliance at Nomad
Nomad maintains a SOC 2 Type II attestation. Our SOC 2 Type II report is available on our Trust Center.

Data protection
Data at rest

All datastores are encrypted at rest.
Sensitive data, such as passwords and keys, are hashed with a one-way function so that even Nomad cannot read them.
Data in transit

Your data is encrypted in transit.
Secret management

Application secrets are encrypted and stored in accordance with industry best practices.
Product security
Penetration testing
Nomad engages an independent penetration testing firm at least annually. Our current preferred penetration testing partner is Cicilian, a firm specializing in GraphQL security.
All areas of the Nomad product and cloud infrastructure are in scope for these assessments, and source code is made available to the testers to maximize effectiveness and coverage.
We make summary penetration test reports available via our Trust Center.
Vulnerability scanning
Nomad requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC):
Static analysis (SAST) of code during pull requests and on an ongoing basis.
Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain.
Malicious dependency scanning to prevent malware from entering our software supply chain.
Dynamic analysis (DAST) of running applications.
Periodic network vulnerability scanning.
Continuous external attack surface management (EASM) to discover new external-facing assets.

Enterprise security
Security education
Nomad provides comprehensive security training to all employees upon onboarding and annually through educational modules within a platform provided by Vanta.

Nomad's ops team shares regular threat briefings with employees to inform them of security and safety-related updates that require special attention or action.
Secure remote access
Nomad secures remote access to internal resources using modern VPN technology. We also use malware-blocking DNS servers to protect employees and their endpoints while browsing the internet.
Vendor security
Nomad uses a risk-based approach to vendor security. Factors that influence the inherent risk rating of a vendor include:
Access to customer and corporate data
Integration with production data
Potential damage to the Nomad brand
Data privacy
At Nomad, data privacy is a first-class priority—we strive to be trustworthy stewards of all sensitive data. Nomad evaluates updates to regulatory and emerging frameworks continuously to evolve our program.

View Nomad's Privacy Policy