Security & Compliance

NirmIQ provides enterprise-grade security infrastructure designed for safety-critical industries including aerospace, automotive, and medical devices.

Enterprise Security Features

Row-Level Security (RLS)

NirmIQ implements database-level multi-tenant isolation using Row-Level Security policies:

Database-enforced isolation: Data from one organization cannot be accessed by another, even if there's an application vulnerability
Automatic filtering: All queries are automatically filtered by organization
Sample project visibility: Sample projects are accessible across organizations for learning

Audit Logging

Complete audit trail for compliance and security investigations:

7-year retention: Meets SOC 2 and FDA 21 CFR Part 11 requirements
Immutable logs: Audit records cannot be modified or deleted
Before/after tracking: Every change captures the previous and new state
User attribution: All actions tied to specific users with IP addresses
Export capability: Download audit logs as CSV for compliance reporting
Security events: Real-time alerts for suspicious activity

Rate Limiting

Intelligent rate limiting protects against abuse:

Endpoint	Limit	Window
Login	5 attempts	15 minutes
API endpoints	100 requests	1 minute
AI features	20 requests	1 minute
Exports	10 operations	1 hour

Compliance Standards

NirmIQ's infrastructure supports compliance with major industry standards:

SOC 2 Type II

CC6.1 Logical Access Controls
CC7.2 System Operations Monitoring
CC8.1 Change Management

ISO 27001

A.12.4 Event Logging
A.9.4 Access Control
A.12.6 Vulnerability Management

FDA 21 CFR Part 11

11.10(e) Audit Trails
11.10(d) Access Controls
11.10(g) Authority Checks

Article 30 Records of Processing
Article 15 Right of Access
Article 32 Security Measures

Industry Standards

ISO 26262: Automotive functional safety with FMEA integration
DO-178C: Aerospace software certification support
IEC 62304: Medical device software lifecycle

Data Protection

Encryption

In Transit: TLS 1.3 for all connections
At Rest: AES-256 encryption for stored data
Backups: Encrypted with secure key management

Authentication

JWT tokens with configurable expiration
Session management with automatic timeout
Role-based access control (Admin, User, Viewer)
Multi-Factor Authentication (MFA) - TOTP-based 2FA
SSO/SAML Integration - Enterprise single sign-on

Digital Signatures

NirmIQ provides FDA 21 CFR Part 11 compliant digital signatures:

Password re-authentication: Every signature requires password confirmation
Content hashing: SHA-256 cryptographic binding to signed content
Audit trail: Complete history of all signatures and verifications
Signature meaning: Captures intent (approval, review, release)

Security Headers

All responses include security headers:

HSTS: Enforces HTTPS connections
CSP: Content Security Policy preventing XSS
X-Frame-Options: Prevents clickjacking
X-Content-Type-Options: Prevents MIME sniffing

Security Monitoring

NirmIQ includes real-time security monitoring:

Failed login detection: Alerts on brute force attempts
Cross-organization access attempts: Logged and alerted
Rate limit violations: Tracked and reported
Suspicious patterns: Automated detection

Best Practices

Use strong passwords: Minimum 12 characters with complexity
Review audit logs: Regular review of security events
Limit admin access: Use least-privilege principle
Keep sessions short: Configure appropriate timeout periods

Questions?

For security inquiries: security@nirmiq.com

Enterprise Security Features​

Row-Level Security (RLS)​

Audit Logging​

Rate Limiting​

Compliance Standards​

SOC 2 Type II​

ISO 27001​

FDA 21 CFR Part 11​

GDPR​

Industry Standards​

Data Protection​

Encryption​

Authentication​

Digital Signatures​

Security Headers​

Security Monitoring​

Best Practices​

Questions?​