Trust

Where trust lives in the subscription stack

Nami handles the moments that decide whether a subscriber converts, stays, or leaves — which means we handle the data those decisions depend on. Below: the certifications, controls, and documentation enterprise teams need to verify how we do it. Anything else, ask us directly.

Compliance

Certified to the standards your security team already audits against.

Nami's controls are independently verified across the frameworks enterprise procurement teams ask about most. SOC 2 Type II reports are available to customers under NDA.

SOC 2 Type II

GDPR

CCPA

Security posture

How Nami handles uptime, data, and access.

Built for 99.999% uptime

Nami runs on redundant, multi-region cloud infrastructure with active monitoring and a 24/7 on-call rotation. Outages are tracked, communicated, and post-mortemed.

Multi-region redundancy
Real-time monitoring and alerting
Public status page and incident communication

Encrypted in transit and at rest

Subscriber and customer data is encrypted using industry-standard protocols. Regional data residency options are available on enterprise contracts.

TLS 1.2+ in transit
AES-256 at rest
Regional data residency on request

Identity, role, and audit by default

SAML SSO, role-based permissions, and audit logs are available across every Nami workspace, with finer-grained controls on enterprise plans.

SAML 2.0 SSO
Role-based access control (RBAC)
Workspace-wide audit logs

Documentation

Documentation for your security review.

Source documents and processes for procurement, legal, and security teams.

Subprocessors

Third-party services Nami uses to deliver the platform, with their roles and locations.

View subprocessors

Vulnerability Disclosure

How to report a security issue and what to expect from us in response.

View policy

Application Standards

The development, review, and deployment standards every change to Nami passes through.

View standards

Data Processing Agreement

Standard DPA available on request for customers operating under GDPR, CCPA, or other applicable regulations.

Request DPA

Questions we hear most

Frequently asked

Where is subscriber data stored?

Nami stores data primarily in US-based cloud infrastructure, with regional data residency available for enterprise contracts in the EU and other jurisdictions on request. Specifics for your subscription configuration are documented in the DPA.

How quickly does Nami notify customers of a security incident?

Material security incidents are communicated to affected customers without undue delay — generally within 72 hours of confirmation — in accordance with our DPA and applicable regulatory obligations.

How often are penetration tests performed?

Nami engages independent third parties to perform application and infrastructure penetration tests on at least an annual basis. Summary reports are available to customers under NDA.

How are subprocessor changes communicated?

Updates to the subprocessor list are published at nami.ml/legal/subprocessors. Customers who have requested advance notification under their DPA receive it before new subprocessors begin processing data.

Does Nami support SAML SSO and SCIM?

SAML 2.0 SSO is supported on enterprise plans. SCIM provisioning is available on request for organizations standardized on identity-provider lifecycle management.

Need our security package for procurement?

Send a quick note about your timeline and we'll route you to the right person on the security and legal team.

Request security package Book a demo