1. Security Architecture
Zero Trust by design
Every service assumes breach. Network-level trust is never granted implicitly. All inter-service communication is mutually authenticated, encrypted in transit (TLS 1.2+), and authorised through fine-grained policy.
Identity and access
All administrative access requires multi-factor authentication (TOTP). Sessions are short-lived (8h max), bound to the issuing IP range, and invalidated on logout or suspicious activity. Role-based access control with a least-privilege model is enforced across all resources.
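As an added illustration (example code written for this page, not SkyDefended's own implementation), the check below enforces the three session controls named above: the 8-hour lifetime cap, binding to the IP range the session was issued from, and explicit invalidation on logout or suspicious activity. The Session record, the CIDR field and the sample addresses are assumptions made for the example.

```python
"""Illustrative session validation (added example, not SkyDefended code).

Enforces: 8h maximum lifetime, binding to the issuing IP range,
and explicit revocation on logout / suspicious activity.
Session storage and the request plumbing are assumed, not shown.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_SESSION_AGE = timedelta(hours=8)  # policy: sessions live at most 8h


@dataclass
class Session:
    session_id: str
    subject: str
    issued_at: datetime      # timezone-aware UTC timestamp
    issued_from: str         # CIDR the session is bound to, e.g. "203.0.113.0/24"
    revoked: bool = False    # set on logout or suspicious activity


def validate_session(session: Session, client_ip: str, now: datetime) -> tuple:
    """Return (ok, reason). Every failure path is fail-closed."""
    if session.revoked:
        return False, "revoked"
    if now < session.issued_at:
        # Clock skew or a tampered timestamp: never treat as valid.
        return False, "issued_in_future"
    if now - session.issued_at > MAX_SESSION_AGE:
        return False, "expired"
    try:
        network = ipaddress.ip_network(session.issued_from, strict=False)
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "bad_address"
    # Membership test already rejects a v4/v6 mismatch.
    if addr not in network:
        return False, "ip_mismatch"
    return True, "ok"


def revoke(session: Session) -> None:
    """Invalidate the session (logout, or suspicious activity such as ip_mismatch)."""
    session.revoked = True


def run_demo() -> dict:
    """Exercise each control on a constructed session; returns the reasons observed."""
    issued = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample
    s = Session("sess-1", "admin@example.invalid", issued, "203.0.113.0/24")
    results = {
        "same_range_1h": validate_session(s, "203.0.113.7", issued + timedelta(hours=1)),
        "boundary_8h": validate_session(s, "203.0.113.7", issued + timedelta(hours=8)),
        "expired_9h": validate_session(s, "203.0.113.7", issued + timedelta(hours=9)),
        "other_range": validate_session(s, "198.51.100.9", issued + timedelta(hours=1)),
        "garbage_ip": validate_session(s, "not-an-ip", issued + timedelta(hours=1)),
    }
    # Treat the foreign-range request as suspicious activity and revoke.
    revoke(s)
    results["after_revoke"] = validate_session(s, "203.0.113.7", issued + timedelta(hours=1))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:>14}: {outcome}")
```

The IP-range check uses the standard-library ipaddress module so that an IPv6 client presented against an IPv4-bound session is rejected rather than accidentally matched; the revocation flag is checked first so that a revoked session is refused even when it is otherwise fresh and from the right range.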
Data encryption
Data at rest is encrypted using AES-256. Secrets (API keys, credentials) are stored in a dedicated secrets manager and never in environment variables or version control. Backups are encrypted, and backup restores are tested quarterly.
2. Compliance and Certifications
Our platform is designed and operated in alignment with NIS2, ENS (Esquema Nacional de Seguridad), and ISO 27001 controls. We conduct annual third-party security assessments. Customers in regulated sectors (financial, healthcare, critical infrastructure) may request our compliance documentation under NDA.
3. Secure Development
Security is integrated into every stage of the development lifecycle. We perform automated static analysis (SAST) and dependency vulnerability scanning on every commit. Critical paths undergo manual code review by a security-focused engineer before merge. We maintain a private bug tracker for security findings with SLA-bound remediation timelines.
4. Incident Response
We operate a 24/7 on-call rotation for security incidents. In the event of a confirmed data breach affecting personal data we will notify affected customers and, where required by GDPR, the relevant supervisory authority (AEPD) within 72 hours of becoming aware. Post-incident reports are shared with affected customers.
5. Responsible Disclosure
How to report
If you discover a security vulnerability in any SkyDefended service, please report it to security@nexocyber-networks.com. Encrypt sensitive details using our PGP key (available on request). We ask that you not publicly disclose findings until we have had a reasonable opportunity to investigate and remediate.
What we commit to
We will acknowledge your report within 48 hours, provide a status update within 7 days, and notify you when the issue is resolved. We do not pursue legal action against researchers who act in good faith and follow this policy. We publicly credit researchers who responsibly disclose valid vulnerabilities, unless they prefer to remain anonymous.
Scope
In scope: all production SkyDefended services at *.skydefended.com. Out of scope: denial-of-service attacks, social engineering of staff, physical security tests, and spam. Please do not access, modify or delete customer data beyond what is necessary to demonstrate the vulnerability.
6. Security Contact
For all security matters: security@nexocyber-networks.com. For urgent issues outside business hours, include 'URGENT' in the subject line and we will escalate to on-call within one hour.