Security

Last updated: March 2026

Security is foundational to what we do. Freelancers trust Nemu with sensitive financial and client data — we take that responsibility seriously.

Infrastructure

  • Hosting: Nemu runs on Hetzner Cloud (Nuremberg, Germany) and AWS Frankfurt — both ISO 27001 certified data centres within the EU.
  • Uptime: We target 99.9% monthly uptime. Our status page is available at status.nemu.agency.
  • Backups: Full database backups are taken every 6 hours and retained for 30 days. Backups are encrypted and stored in a geographically separate location.

Encryption

  • In transit: All data between your device and Nemu servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints.
  • At rest: Database volumes and backup archives are encrypted using AES-256.
  • Passwords: User passwords are hashed using bcrypt with a cost factor of 12. We never store plaintext passwords.

Application security

  • Authentication tokens are short-lived JWTs that expire after 1 hour; sessions are renewed through a refresh token carried in a Secure, httpOnly cookie, so it is never exposed to page scripts.
  • We enforce rate limiting on all authentication and API endpoints.
  • The Nemu desktop agent processes activity data locally and sends only anonymised, tagged summaries to our servers. Raw file content, keystrokes and screenshots are never transmitted.
  • We perform automated dependency scanning (Dependabot) and static analysis on every code push.
  • Penetration tests are conducted annually by an independent security firm.
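The token and cookie handling described above, as an added example that is not Nemu's own code: a minimal HS256 JWT issuer and verifier with a 1-hour expiry, a Set-Cookie builder for the refresh token with the HttpOnly, Secure and SameSite attributes, and checks that an expired token, a tampered claim set and a forged unsigned ("alg": "none") token are all rejected. The signing key, the cookie name, the refresh endpoint path (/auth/refresh) and the refresh-token lifetime are assumptions, not values taken from the page.

```python
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie
from typing import Optional

# Assumed values for this example; a real deployment keeps the key in a secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"
ACCESS_TTL_SECONDS = 3600          # the 1-hour access-token lifetime described on the page
REFRESH_TTL_SECONDS = 30 * 86400   # assumed refresh-token lifetime (not stated on the page)
REFRESH_PATH = "/auth/refresh"     # assumed refresh endpoint


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_access_token(subject: str, now: Optional[int] = None, key: bytes = SIGNING_KEY) -> str:
    """Mint an HS256 JWT whose exp claim is one hour after iat."""
    now = int(time.time()) if now is None else now
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + \
        _encode_json({"sub": subject, "iat": now, "exp": now + ACCESS_TTL_SECONDS})
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, now: Optional[int] = None, key: bytes = SIGNING_KEY) -> dict:
    """Return the claims of a valid, unexpired token; raise ValueError otherwise.

    The algorithm is pinned server-side and the signature is checked before any
    claim is read, so an attacker-chosen header such as {"alg": "none"} is refused.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def is_valid(token: str, now: Optional[int] = None, key: bytes = SIGNING_KEY) -> bool:
    """Boolean wrapper around verify_access_token for callers that only need accept/reject."""
    try:
        verify_access_token(token, now, key)
        return True
    except ValueError:
        return False


def tamper_subject(token: str, new_subject: str) -> str:
    """What an attacker would submit: the original signature over an altered claim set."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["sub"] = new_subject
    return header_b64 + "." + _encode_json(claims) + "." + sig_b64


def forge_unsigned_token(subject: str, now: int) -> str:
    """The classic 'alg: none' forgery: no signature at all."""
    return _encode_json({"alg": "none", "typ": "JWT"}) + "." + \
        _encode_json({"sub": subject, "iat": now, "exp": now + ACCESS_TTL_SECONDS}) + "."


def refresh_cookie_header(refresh_token: str) -> str:
    """Build the Set-Cookie value for the refresh token.

    HttpOnly keeps it away from page scripts, Secure keeps it off plaintext HTTP,
    SameSite=Strict stops cross-site requests from carrying it, and Path scopes it
    to the refresh endpoint so it is not attached to every API call.
    """
    cookie = SimpleCookie()
    cookie["refresh_token"] = refresh_token
    morsel = cookie["refresh_token"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = REFRESH_PATH
    morsel["max-age"] = REFRESH_TTL_SECONDS
    return morsel.OutputString()


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp for a deterministic demo
    tok = issue_access_token("user-42", now=issued_at)
    print("valid at +59m:", is_valid(tok, now=issued_at + 3599))
    print("valid at +60m:", is_valid(tok, now=issued_at + 3600))
    print("tampered sub :", is_valid(tamper_subject(tok, "admin"), now=issued_at))
    print("alg none     :", is_valid(forge_unsigned_token("admin", issued_at), now=issued_at))
    print(refresh_cookie_header("c0ffee"))
```

The verifier checks `alg` and the MAC before decoding the claims; reading `exp` or `sub` first would let a forged body influence the outcome. The refresh cookie is scoped to the refresh path so that a cross-site request to any other endpoint never carries it.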

Access controls

  • Internal access to production systems is restricted to a named list of engineers via SSH key authentication with MFA.
  • Database access requires VPN + MFA. No direct public database endpoints are exposed.
  • All internal access is logged and audited quarterly.

Payment security

Nemu does not store credit card numbers or payment details. All billing is processed by Stripe, a PCI DSS Level 1 certified payment provider. Nemu only receives a tokenised payment reference.

Incident response

In the event of a security incident affecting your data, we will notify affected users within 72 hours of becoming aware of the breach. This matches the deadline GDPR Article 33 sets for notifying the supervisory authority; Article 34 separately requires that affected individuals be informed without undue delay. We maintain a documented incident response plan that is tested annually.

Responsible disclosure

If you discover a security vulnerability in Nemu, please report it responsibly to security@nemu.agency. We ask that you give us reasonable time to investigate and address the issue before any public disclosure. We do not pursue legal action against researchers acting in good faith.

Contact

For security concerns or questions:
security@nemu.agency
