Security & Trust
How we isolate workloads, protect data, and keep you in control of where it goes.
Last updated June 16, 2026
Our approach
Nimbus Land runs your applications, data, and AI agents on Canadian-based infrastructure that we operate. Security is built into the platform's architecture rather than bolted on: every workload runs in its own isolated boundary, network access is denied by default, and every action in the control plane is recorded. This page summarizes how the platform protects your data and how you stay in control of where it goes.
Data residency & sovereignty
Your applications and data are hosted on infrastructure located in Canada, and customer content is stored in Canada by default.
We do not transfer your data outside Canada without your permission. We believe sovereignty should be the default, not the exception — but we also believe you should be free to choose. Some optional capabilities rely on services that operate outside Canada (for example, third-party AI model providers such as OpenAI). These integrations are off by default and are only used when you or your organization explicitly enable them. When you do, you are making a deliberate choice, and we make it clear which data leaves Canadian jurisdiction as a result.
Tenant isolation
Multi-tenant isolation is the core of the platform's security model:
- Namespace-per-app boundary. Each application runs in its own isolated namespace, which is the security boundary between workloads. Resources are scoped to that boundary and are never shared implicitly.
- Network policies enforced by default. Cluster networking enforces tenant network policies so workloads cannot reach each other across tenants unless access is explicitly granted.
- Sandboxed build & agent execution. Untrusted code — including buildpack builds and AI agent workloads — runs in a hardened sandbox (gVisor) that isolates it from the host kernel.
- Hardened workload configuration. Pods run with a restricted security context and resource quotas, limiting privileges and blast radius.
Encryption
- In transit: All traffic to the platform is served over TLS, with certificates automatically provisioned and renewed. HTTPS is the default for every app, including custom domains.
- At rest: Data is stored on managed Canadian infrastructure with encryption at rest provided at the storage layer.
Access control & auditability
- Authentication is required for all control-plane access.
- Data and resources can be scoped to teams, roles, and individual apps — never over-exposed by default.
- Every meaningful action — deployments, configuration changes, data access — is recorded in an audit trail so you can see what is running, who built it, and what it touches.
Availability & backups
We operate the platform with monitoring and aim for high availability. We strongly recommend that you maintain your own backups of critical Customer Content. Specific availability and recovery commitments, where offered, are described in your plan or service-level agreement.
Sub-processors
We use a small set of vetted service providers to deliver the Service. Each is bound by contractual confidentiality and data-protection obligations. The table below lists our current sub-processors. Optional, customer-enabled integrations are listed separately because they are only engaged when you turn them on.
| Provider | Purpose | Location |
|---|---|---|
| DigitalOcean | Cloud infrastructure & hosting | Toronto, Canada |
| Stripe | Billing & payment processing | United States |
| Resend | Transactional & account email | United States |
Optional, customer-enabled integrations
| Provider | Purpose | Location |
|---|---|---|
| Third-party AI providers (e.g. OpenAI) | AI model inference — only when you explicitly enable it | Outside Canada |
Compliance posture
Nimbus Land is built to support our customers' obligations under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), with Canadian data residency, access controls, and audit logging. A Data Processing Agreement (DPA) is available on request for customers who need one. We will publish details of any formal certifications here as we obtain them.
Reporting a vulnerability
We welcome reports from security researchers. If you believe you have found a vulnerability, please email security@nimbusland.ca. Please act in good faith, avoid privacy violations and service disruption, and give us a reasonable opportunity to address the issue before public disclosure.