Security
Last updated: July 9, 2026
This page describes the security measures that exist today for the Nomos operator console and the data our customers put in it. It lists only what is in place; nothing here is aspirational.
1. Where data lives
Warehouse operational data is hosted on Google Cloud in the European Union, in the Frankfurt region (europe-west3), and stays there. Storage is encrypted at rest by the platform.
2. Encryption in transit
All connections use HTTPS with a minimum of TLS 1.2; older TLS versions are rejected. Plain HTTP requests are redirected to HTTPS, and haladir.com instructs browsers to use HTTPS on every future visit (HSTS).
3. Access control
There is no self-serve sign-up. Console accounts are created by invitation only, one per operator, and multi-factor authentication is supported. Actions taken in the console are recorded in an action log attributed to the operator who took them.
4. How the software is tested
Every change reaches production through a pull request with automated checks. Three kinds of security testing run continuously:
- Static analysis (CodeQL) scans the JavaScript/TypeScript and Python code on every change and weekly.
- Dependency scanning (osv-scanner) checks all locked dependencies against known-vulnerability databases on every change and weekly.
- Dynamic scanning (OWASP ZAP) runs a baseline scan weekly against a served build of the console.
Dependabot opens security updates for dependencies automatically, and secret scanning runs in CI.
5. Subprocessors
Four providers handle customer data: Google Cloud (hosting, EU), WorkOS (sign-in, US), OpenRouter (assistant inference, US, only when the assistant is used), and Discord (optional notifications, US, only when a customer enables the integration). Their exact roles are described in the Privacy Policy.
6. Security program and certifications
Haladir maintains written, management-approved security policies covering access control, incident response, data management, cryptography, and vendor management, reviewed at least annually.
Haladir does not currently hold a SOC 2 report or an ISO 27001 certificate, and we will not claim either until an independent audit says so.
7. Reporting a vulnerability
If you believe you have found a security issue in our software or infrastructure, email access@haladir.com. We read every report and will respond to you.