☁️ Cloud Service Provider (CSP) Security Responsibilities and Configuration Standards

1. Purpose

This document defines how Nemu Inc. leverages Cloud Service Providers (CSPs) to host and operate services securely.
It outlines the delineation of security responsibilities between Nemu Inc. and each CSP and establishes configuration standards for systems and components deployed in the cloud.

2. Scope

This policy applies to all cloud-based infrastructure, platforms, and services used by Nemu Inc., including:

Supabase – Database, storage, authentication, and real-time services
Render – Application hosting, CI/CD, and runtime environment
Google Workspace – Email, file storage, collaboration, and DLP
Other integrated services – Stripe, Sentry, GitHub Actions, and other managed APIs

3. Shared Responsibility Model

CSP	CSP Responsibilities	Nemu Inc. Responsibilities
Supabase	Manages physical infrastructure, Postgres patching, encryption at rest and in transit, and isolation of tenant data.	Configure Row Level Security (RLS), manage API keys, enforce access controls, review audit logs, and ensure proper data classification.
Render	Provides managed hosting, TLS termination, full-disk encryption, automated backups, and secure network isolation.	Secure application code, configure environment variables, manage secrets, and apply least-privilege permissions on Render services.
Google Workspace	Ensures secure authentication, DLP controls, encryption of email and files, and account protection features.	Enforce MFA for all users, configure DLP rules, manage data sharing policies, and review access logs.

4. Security Policies and Controls

4.1 Access Control

All CSP consoles (Supabase, Render, and Google Admin) require Multi-Factor Authentication (MFA).
Administrative access is granted only to authorized personnel under the principle of least privilege.
Access rights are reviewed periodically and immediately revoked for offboarded users.

4.2 Encryption

At Rest: All data stored in Supabase and Render is encrypted using CSP-managed keys (e.g., AES-256).
In Transit: All communication uses TLS 1.2+ (sslmode=require enforced for Postgres where applicable).
Backups: Encrypted by CSP providers and stored in secure cloud environments.

4.3 Configuration Management

Environments (production, staging, development) are defined via version control and automated deployment pipelines where feasible.
Configuration changes undergo peer review and approval before deployment.
Default credentials and unnecessary services are disabled by default.
Systems adhere to vendor-recommended security baselines and relevant industry guidance.

4.4 Logging and Monitoring

Supabase logs authentication, queries, and storage access events.
Render provides build, deploy, and runtime logs accessible only to administrators.
Alerts for failed logins, permission changes, or unusual access activity are enabled where supported.

4.5 Vulnerability Management

CSPs are responsible for maintaining and patching underlying infrastructure.
Nemu Inc. applies application-level patches, dependency updates, and container scans regularly.
Critical vulnerabilities are remediated as quickly as feasible based on severity and exposure.

5. Compliance and Audit Alignment

CSP	Compliance and Certifications (Example)
Supabase	Encryption at rest and in transit, cloud provider SOC 2/ISO-aligned infrastructure.
Render	SOC 2 Type II certified managed hosting with encrypted volumes and TLS.
Google Workspace	SOC 2 Type II, ISO 27001, and GDPR-aligned controls, including DLP and advanced security features.

Nemu Inc.’s internal controls are designed to align with industry frameworks such as SOC 2 Trust Services Criteria and ISO/IEC 27001:2013.

6. Review and Maintenance

This document is reviewed annually or upon any significant infrastructure or CSP change.
Security configurations and access permissions are validated during periodic internal security reviews.

7. Contact

For questions or incidents related to CSP security, contact: Security/Support Contact: support@mynemu.com