Security and compliance
Built for environments where data cannot leave.
NexDiscovery is deployed inside your VPC or on-premises and connects with read-only credentials. No data is sent to NexDiscovery, no external model is called, and the working data is formally disposed of at the end of the engagement.
No financial commitment at this stage
Security principles
Six principles that remove the egress event.
In-environment by design
The discovery engine deploys inside your VPC or on-premises. It does not run in NexDiscovery infrastructure.
No external models
No call is made to ChatGPT, Claude, or any external inference provider. There is no token cost because there is no external inference.
Read-only, scoped access
Connectors authenticate with read-only credentials, scoped to the fields agreed during sprint design. Nothing outside that scope is touched.
Full audit trail
Every read is logged. Your team retains the logs and can review what the engine read, when, and why.
Formal data disposal
Any working data is disposed of under a formal process at the end of the engagement, with written confirmation.
No training on your data
Your data produces findings for you and is never used to train any model, internal or external.
Regulatory framework
How the architecture maps to the reviews you already run.
Most compliance reviews are triggered by data leaving your control. Because no data leaves, the dominant triggering event does not occur. Your team validates this against your specific obligations.
| Framework | What it requires | How NexDiscovery addresses it |
|---|---|---|
| HIPAA (US healthcare) | A Business Associate Agreement is required when PHI is disclosed to a vendor. | No PHI is transmitted to NexDiscovery. The engine runs inside the covered entity's environment, so the triggering disclosure does not occur. |
| GDPR (EU) | Transfers of personal data to a processor must meet adequacy and processor-agreement requirements. | No personal data is transferred outside the controller's environment. Article 28 processor obligations are addressed by deployment topology rather than cross-border transfer. |
| OCC / FDIC third-party risk | Banks must perform vendor due diligence when a vendor handles bank data outside the bank's control. | Bank data never leaves the bank's environment. The standard third-party data-handling assessment does not apply because no third-party handling occurs. |
| SOC 2 / ISO 27001 alignment | Customers expect vendors to operate under recognized security control frameworks. | NexDiscovery operates under controls aligned with SOC 2 and ISO 27001. Because data stays in your environment, the dominant security boundary is yours, not ours. |
AI transparency
An AI system your reviewer can actually approve.
The reasons AI tools get blocked in finance, healthcare, and PE are well-known: data leaves the environment, an external model trains on it, the output cannot be explained. NexDiscovery is designed so none of those conditions are present.
No external model
All inference runs inside your environment. There is no third-party processor to review.
No training on your data
Your data produces your findings, then is disposed of. It is never used to improve any model.
Explainable output
Every finding traces back to the specific source records that produced it, with a confidence level.
Frequently asked questions
The questions your security and compliance teams ask first.
Discovery, inside your walls.
Bring your security and compliance leads to the scoping call. We answer their questions directly.
No financial commitment at this stage