Nexus Codex Platform Privacy Statement
v1.0 — draft
Last updated: 27 May 2026
This Privacy Statement explains what personal and organisational data the Nexus Codex Platform collects, how it is stored and processed, who has access to it, and what rights you have. It covers all products published under the Nexus Codex Platform, including PBI Visuals (live), Themis (in development), ShadowVector (in development), Gaia (in development), and any future AppSource listings under the Codex Platform Entra app registration.
Contents
- Publisher Identity
- Compliance Baseline
- What We Collect
- Where Data Is Stored
- Who Processes Your Data
- Tenant Isolation
- Customer Rights
- Data Retention
- Sub-processor Changes
- Notifiable Data Breaches
- Cookies and Sessions
- Children and Sensitive Data
- Governing Law and Dispute Resolution
- Contact
Publisher Identity
Nexus Codex is operated by a sole trader registered in South Australia, Australia.
- Trading name: Nexus Codex
- Legal entity: Sole trader — South Australia
- Business address: Ferryden Park, SA 5010, Australia
- Microsoft Partner Center ID: 7098869
- Location Partner ID: 7098870
- Programme membership: Microsoft AI Cloud Partner Program (active), ISV Success (enrolled 2026-05-27), Marketplace Rewards
Compliance Baseline
This Privacy Statement is designed to meet the requirements of:
- Australian Privacy Principles (APP) under the Privacy Act 1988 (Cth) — applicable because the publisher is an Australian sole trader.
- General Data Protection Regulation (GDPR) — applicable where customer end-users are in the EU/EEA, regardless of the publisher's location.
- Microsoft AppSource Responsible AI requirements — covered in the AppSource submission declarations.
Where required by either regime, additional details on lawful basis for processing, controller / processor designations, and international data transfer mechanisms are provided in the relevant sections below.
What We Collect
We collect only the data necessary to deliver the platform's features. Collection happens in three ways: through Microsoft Entra ID sign-in, through information you enter in the product, and through the AI pipeline that processes your requests.
Data from Microsoft Entra ID sign-in
When you sign in, we read data from Microsoft Graph based on the consent you or your administrator grant:
| Data | Scope required | Purpose |
|---|---|---|
| Display name, UPN, email, Entra object ID, job title | User.Read (default) | Identify you and personalise the experience |
| Your Microsoft 365 / Power Platform / AI Builder licence assignments | User.Read (default) | Determine which features to show |
| Your Entra directory roles and group memberships | Admin consent required | Detect your access tier |
| Your organisation's licence inventory (tenant-level SKUs) | Admin consent required | Validate tenant-wide entitlements |
| Power Platform environment IDs, names, types, and regions | Opt-in discovery | Show you the right environments |
| Dataverse table names (schemas only, not row data) | Explicit "discover columns" opt-in | Help design workflows |
| SharePoint site URLs you can write to | Sites.Read.All opt-in | Suggest deployment targets |
We never collect Dataverse row contents, SharePoint document contents, or any M365 mail, Teams, or OneDrive content. We request only the scopes needed for the feature you are using — not blanket reads.
Data you enter in the product
- Brief content — free-text fields describing what you want automated (automation request, current state, expected output). These fields may contain personal information if you choose to include it; we do not filter PII at write time.
- Resource references — when filling in a tier manifest, you may supply KeyVault secret URIs, named connection references, or other tenant-specific identifiers.
- Brief metadata — name, target system, and notes.
Data generated by the AI pipeline
- Pipeline run results (per-node status, duration, outputs)
- LLM recommendation text, rationale, anti-pattern flags, confidence scores, tier variants, and requirements manifests
- Per-run inference cost (USD), token counts, and the model used
Where Data Is Stored
All customer data is stored in the Nexus Codex Azure tenant, in the Australia East Azure region.
| Component | Detail |
|---|---|
| Database | PostgreSQL (production); SQLite (development only) |
| Encryption at rest | Azure-managed disk encryption for the database; Azure KeyVault for any customer-supplied secrets |
| Encryption in transit | TLS 1.2+ on all customer-facing endpoints (Cloudflare Tunnel + nginx); TLS 1.3 for Microsoft Graph and Azure AI Foundry calls |
| Backups | Daily Azure-side database backups, retained for 30 days |
Customer-supplied secrets are never stored in plaintext. If a secret is provided directly (rather than as a KeyVault URI), it is encrypted at rest and never written to logs.
Who Processes Your Data
Nexus Codex (first-party)
The Mission Control backend (FastAPI service), the production database, and Azure KeyVault — all running within the Nexus Codex Azure tenant — process your data directly.
Third-party sub-processors
| Sub-processor | Role | Data accessed |
|---|---|---|
| Azure AI Foundry (Microsoft) | LLM inference for the discipline pipeline | Brief content is sent to Foundry for processing. Foundry does not retain inference data beyond the request lifecycle. |
| Microsoft Graph (Microsoft) | Profile, licence, and membership reads via the consent flow | Standard auth headers; no customer data is sent to Graph. |
| Cloudflare | TLS termination and traffic routing | Cannot read encrypted payloads. |
| Microsoft 365 | Email hosting for nexuscodex.nexus | Support email handling only; not in the product data path. |
Tenant Isolation
The platform enforces strict per-tenant data isolation:
- Every database row carries a `tenant_id` column with a NOT NULL constraint.
- All create, read, update, and delete operations require `tenant_id` as a mandatory argument.
- Cross-tenant reads return no results; cross-tenant writes are rejected.
- The `tenant_id` is resolved from your authenticated session — never from query parameters or request bodies — preventing forgery or parameter manipulation.
- Multi-tenant isolation is validated by 133+ adversarial tests on every commit.
This means Customer A can never see Customer B's briefs, profiles, runs, or manifests.
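The isolation rules above, worked through as an added example that is not the Nexus Codex backend: an in-memory SQLite `briefs` table (hypothetical schema) with a `Session` object standing in for the authenticated session, showing that a foreign tenant's read returns nothing, its write is rejected, a row with no tenant is refused by the NOT NULL constraint, and a `tenant_id` supplied in the query string is ignored.

```python
# Added illustration of the per-tenant isolation rules above; not the Nexus Codex
# code base. Session, the briefs table and the tenant ids are hypothetical.
import sqlite3
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user_id: str
    tenant_id: str  # set at sign-in; the only source of tenant_id for data access

def open_store():
    conn = sqlite3.connect(":memory:")
    # NOT NULL on tenant_id: a row can never exist without an owning tenant
    conn.execute("CREATE TABLE briefs (id INTEGER PRIMARY KEY, "
                 "tenant_id TEXT NOT NULL, name TEXT NOT NULL)")
    return conn

def create_brief(conn, session, name):
    cur = conn.execute("INSERT INTO briefs (tenant_id, name) VALUES (?, ?)",
                       (session.tenant_id, name))
    return cur.lastrowid

def get_brief(conn, session, brief_id):
    # Reads are scoped by the session's tenant; another tenant's brief yields no row
    row = conn.execute("SELECT id, tenant_id, name FROM briefs WHERE id = ? AND tenant_id = ?",
                       (brief_id, session.tenant_id)).fetchone()
    return None if row is None else {"id": row[0], "tenant_id": row[1], "name": row[2]}

def rename_brief(conn, session, brief_id, new_name):
    # Writes are scoped the same way; zero affected rows means the write was cross-tenant
    cur = conn.execute("UPDATE briefs SET name = ? WHERE id = ? AND tenant_id = ?",
                       (new_name, brief_id, session.tenant_id))
    return cur.rowcount == 1  # False: rejected, nothing was modified

def handle_get(conn, session, query):
    # Request handler: a tenant_id in the query string is ignored on purpose, so a
    # client cannot redirect the lookup to a tenant it does not belong to
    return get_brief(conn, session, int(query["brief_id"]))

def orphan_row_is_rejected(conn):
    # The NOT NULL constraint rejects a row that names no tenant at all
    try:
        conn.execute("INSERT INTO briefs (name) VALUES ('orphan')")
        return False
    except sqlite3.IntegrityError:
        return True
```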
Customer Rights
As a customer account holder, you have the following rights:
| Right | How to exercise it |
|---|---|
| Access | Request a structured export of all data we hold for your tenant (briefs, profiles, runs, manifests). |
| Correct | Edit or delete individual briefs and profile records directly in the product UI. |
| Delete | Request complete tenant data deletion. All briefs, runs, manifests, and profile records will be cascade-deleted. Confirmation within 30 days; physical deletion within 60 days. |
| Object / Restrict | Opt out of optional Graph discovery scopes at any time. Opt out of Foundry inference (this degrades the product to stub-mode). |
| Portability | Receive your exported data in JSON format, suitable for re-import elsewhere. |
| Complain | Contact us directly, or lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au. |
Data Retention
| Data type | Retention period |
|---|---|
| Briefs, runs, and manifests | Until you delete them, or until tenant account deletion (confirmation within 30 days; physical deletion within 60 days) |
| Profile cache (Graph discovery output) | Expires 7 days after last sign-in; refreshed on next sign-in |
| Inference logs and cost telemetry | 90 days for operational diagnostics; aggregated cost data may be retained longer for pricing and capacity planning |
| Audit logs | 365 days for compliance and incident investigation |
Sub-processor Changes
If we change a sub-processor — for example, switching LLM providers or moving storage to a new Azure region — we will give you 30 days' notice before the change takes effect. Notice will be sent to your registered support email address and displayed as a banner on the customer dashboard.
Notifiable Data Breaches
We commit to notifying you of any data breach affecting your data in accordance with applicable law:
- Under the Australian Privacy Act 1988 — eligible data breaches will be reported to the Office of the Australian Information Commissioner (OAIC) and to affected individuals as soon as practicable after we become aware of the breach, in accordance with the Notifiable Data Breaches (NDB) scheme.
- Under the GDPR (where applicable) — personal data breaches affecting EU/EEA end-users will be notified to the relevant supervisory authority within 72 hours of awareness where feasible, and to affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 33 and Art. 34 GDPR).
Notification will include the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures we are taking to address it.
Children and Sensitive Data
The Nexus Codex Platform is not intended for processing data of individuals under 18. You must not submit briefs containing personal information of minors.
Sensitive personal data — including health records, biometric data, sexual orientation, religious affiliation, and criminal history — is out of scope for this platform. Please redact any such data before submitting briefs.
Cookies and Sessions
The platform uses two session cookies and no third-party analytics cookies:
| Cookie | Purpose | Attributes | Expiry |
|---|---|---|---|
| nexus_token | Internal admin JWT session | HttpOnly, Secure, SameSite=lax | 7 days |
| themis_session | Customer Entra authentication session (opaque UUID) | HttpOnly, Secure, SameSite=lax | 90 days |
Encrypted access and refresh tokens are stored server-side in the themis_entra_sessions database table, linked to the session UUID. Tokens never leave the backend.
Governing Law and Dispute Resolution
- Publisher jurisdiction: South Australia, Australia
- Governing law: Laws of the State of South Australia and the Commonwealth of Australia
- Dispute resolution: First, contact us directly to resolve the issue. If unresolved, you may escalate to the Australian Information Commissioner. Finally, disputes may be brought before the courts of competent jurisdiction in South Australia.
Contact
For any privacy-related questions, data subject requests, or complaints:
- Support / data subject requests: [email protected]
- Privacy escalations: [email protected]
- Postal address: Ferryden Park, SA 5010, Australia
- Office of the Australian Information Commissioner: https://www.oaic.gov.au/