Since Nexo’s inception in 2018, we have always taken pride in the security of our systems and maintained their utmost integrity, ensuring unmatched protection for our clients' data. Our top-tier security infrastructure has consistently thwarted data breaches, leading to a flawless track record.
Most recently, Nexo obtained the SOC 2 Type 2 Compliance certification, an esteemed recognition issued by the American Institute of Certified Public Accountants (AICPA). This milestone, shared only by a select few in the crypto industry, is a testament to Nexo’s adherence to the highest standards of security. The independent SOC 2 evaluation was conducted under the supervision of A-LIGN, a premier cybersecurity firm which counts T-Mobile and Alloy among its clients. This accomplishment reaffirms our unwavering commitment to fundamental principles of trust, including data security, and compliance with privacy regulations.
Fittingly, earlier in August, Nexo Co-Founder and Managing Partner Antoni Trenchev hosted the company’s Chief Information Security Officer Milan Velev to reveal the hard work that goes on behind the scenes and what it takes to achieve an impeccable track record in client data security.
Take a look at the August AMA session recap and key takeaways:
Nexo’s impeccable track record, performance, and proactive measures to keep up with the dynamic crypto and security landscape are a testament to its commitment to data protection and evolving security needs.
As the world of cyberattacks evolves, blending both new and longstanding threats, Nexo's rigorous internal systems, bolstered by independent audits and third-party certifications, guarantee top-of-the-line protection of client data.
Beyond vigilant infrastructure monitoring, Nexo's meticulously crafted processes and procedures are fundamental to a successful information security governance program, seamlessly integrated into the daily tasks of the Information Security department.
Q (02:58): How do certificates, licenses, audits and attestations enhance the security posture of a crypto company and what safeguards are implemented to prevent potential vulnerabilities in these areas?
Antoni: Licenses address regulatory risks and uncertainty. Third-party confirmations in the face of audits and attestations are great tools, but not without their limitations. You constantly have to be on the lookout for how to do things better, because the space is evolving, the needs of a crypto company are evolving.
The most important metric of all is past performance – how a company has been handling crises, bear markets, calamities – of which there was no shortage during Nexo’s or the blockchain’s history. It is the most important metric to extrapolate how a company might be performing in the future.
At the end of the day, new challenges, needs and exploits will come about. The ultimate test as to how successful any company is, is looking at the past, the challenges and all the right things that we did in 2022 – I like to think that this involves skill. We have done one of the finer jobs in crypto – for those of you that are exploring Nexo for the first time, you can look at the track record and make your own conclusion.
Milan: An independent audit is extremely important, because it could identify loopholes in the information security posture of an organization. That's why we are extremely proud that we have completed the SOC 2 Type 2 audit with no exceptions whatsoever. This is another validation of our efforts, that we are doing and achieving what we are saying.
Q (08:15): Do you have documented technical and organizational measures governing the protection of personal data while being in transit, used, modified, stored, and deleted?
Milan: Absolutely, we do. Our information security program relies on a strong and continuously evolving set of information security policies and procedures. These policies and procedures have been verified by previously achieving our ISO 27001 certification and, of course, successfully completing the SOC 2 Type 2 audit with no exceptions. We firmly believe that well-documented processes and procedures form the foundation of every successful information security governance program, so we apply this principle to our day-to-day tasks.
Q (18:30): What is your biggest worry about the current crypto ecosystem? And how do you approach this within Nexo’s product offering?
Milan: The crypto space has been an attractive target for cyber criminals. We are tackling the threats with a proactive approach and we have implemented a cutting-edge cyber threat intelligence program, which allows us to stay ahead of attackers. We also apply industry-renowned practices for application security in the development of our products, including static and dynamic application security testing. We conduct regular vulnerability assessments, internal and external penetration tests, among other measures. We are working closely with our development teams in order to provide our customers with the most secure products on the market.
Crypto has introduced new types of attacks like cryptojacking, flash loan attacks, earth pool attacks, but there are some old exploits – social engineering and phishing attacks. We are aware of new trends, but we also remain extremely cautious about the old ones.
Q (22:33): How does Nexo ensure the protection and privacy of user data in the face of emerging cybersecurity threats and constantly evolving hacking techniques?
Milan: We rely on multiple layers of defense in our infrastructure by implementing the best solutions on the market. We encrypt our customers’ data at rest and in transit using the industry's most recognized algorithms, which makes them impossible to crack at this point. We have created a cyber threat intelligence program, which incorporates the usage of commercial and open-source tools. We are also monitoring dark web forums and cooperating with the leading security researchers in the crypto space. Our efforts have been recognized by the SOC 2 Type 2 certification and others, as we mentioned. We are currently in the process of getting additional certifications in order to demonstrate our continued commitment to safeguarding our clients’ data.
Getting SOC 2 Type 2-certified is a standard in the IT industry that ensures that an organization's systems and controls are designed and operate effectively in order to protect sensitive data as well as the privacy and security of our clients’ information. This is not a one-time effort – we are going to go through this process for the years to come in order to demonstrate time and again our commitment to the security and privacy of our clients’ data.
Q (25:54): How did the Hacken smart contract auditor rate the Nexo non-custodial wallet with a perfect 10 out of 10 score in their independent audit?
Milan: Smart contracts are frequently audited externally – a requirement that is deeply ingrained in the DeFi universe and shows one is always prepared to undergo an examination. That's why we chose Hacken. External, independent smart contract audits are extremely important to us and should be important to our clients by extension, because this is additional verification – this is something that we wanted to do and we are really happy that we received such a score.
Q (28:50): What measures do you take to protect against distributed denial of service attacks (DDoS) and ensure platform availability?
Milan: The distributed denial of service attack, the so-called DDoS, has been a significant threat to every organization for a while now, especially for the ones in the financial industry. It is a type of attack where hackers send huge amounts of malicious traffic to an application in order to disturb its availability and prevent authorized users from accessing it. We have dedicated significant efforts to providing non-stop access to our platform. We also implement dedicated DDoS solutions to prevent the most sophisticated and advanced such attacks in our cloud infrastructure, web application firewall, and also use advanced DDoS protection on our CDN solution with rate limiting capabilities.
Q (37:07): In the event of a security breach, what steps will you take to notify and assist affected users?
Milan: Our top-of-the-line security infrastructure boasts a perfect track record, preventing code and data leaks and breaches. We have an incident response program in place that is regularly tested – its practicality and credibility have been certified by our ISO 27001. We also have a security operations center department which monitors 24/7. Our communications team is available 24/7 and in case of an incident or a security breach, we will follow the procedures that are described in our response program.