Security & compliance

Your data never leaves your cloud.

Every component — pipelines, AI model, vector index — runs inside your subscription. We hold only metadata.

Where your data lives

Compliance

Compliance by design

HIPAA

In-tenant design means PHI never leaves your environment. Microsoft's BAA covers your Azure subscription automatically.

SOC 2 Type II

NucleoBank control plane is SOC 2 Type II audited. Report available on request — in progress.

NIST 800-53

Architecture aligns with NIST 800-53 controls for federal and public safety use cases.

Azure Security Baseline

Deploys with Azure Security Center recommendations enforced by default.

RBAC / Least Privilege

NucleoBank receives a scoped custom role on a single resource group. Nothing more.

Entra ID

Multi-tenant Entra authentication. Your identity provider. Your policies.

All compliance certifications apply regardless of cloud environment. Azure · AWS · GCP all carry HIPAA eligibility, SOC 2, and ISO 27001.

Built on Microsoft Azure

The only cloud with a comprehensive compliance portfolio spanning 100+ certifications including FedRAMP, HIPAA, and HITRUST. NucleoBank runs entirely inside Azure — your Microsoft relationship and its certifications extend to every NucleoBank component.

Oracle Cloud Infrastructure and others — coming soon

Credentials

Your secrets stay in your vault

01. You grant consent

NucleoBank receives a scoped service principal with access to one resource group only.

02. Credentials go to Key Vault

NucleoBank writes connector credentials to your Azure Key Vault. We never store them.

03. We hold only the secret name

NucleoBank's database stores "kv://src-ehr-cred" — a reference, not a value. Your vault holds the key.