With a wide client base ranging from government departments and councils to not-for-profits and the private sector, our customers can all rest assured their data is kept secure at all times.

Infrastructure.
Nimblex uses Microsoft Azure for cloud hosting. Azure is a leader in secure, scalable computing infrastructure.
Azure meets stringent security requirements, including physical controls at the data centres, data privacy guarantees and robust operational controls.
Microsoft has published Azure's security practices extensively, and Azure holds more than 50 security certifications covering both international standards and country-specific requirements.

Notable Azure Certifications
- ISO 27001:2013 Information Security Management Standards
- ISO 27017:2015 Code of Practice for Information Security Controls
- ISO 9001:2015 Quality Management System Standards
- IRAP: Australian Government Information Security Registered Assessor Program
- New Zealand CC Framework
- US FIPS 140-2
Data Protection.
Data Encryption
Due to the business-sensitive data hosted on Nimblex servers on behalf of clients, we understand how important it is to ensure that all data is appropriately secured.
Data in Transit
All data transferred between Nimblex servers and user devices is protected with TLS 1.2 using up to 256-bit encryption and certificates from a class-leading certificate provider. All data is transferred over HTTPS.
Data at Rest
All data stored in our Azure data centres is encrypted at rest to safeguard our clients’ data. Data is encrypted using a symmetric encryption method, and the keys are stored in an encryption key vault in Azure to limit access. Azure Active Directory is used to grant access to keys only to specific services and users.
- A symmetric encryption key is used to encrypt data as it is written to storage, using AES-256 encryption to protect it.
- That key is used to decrypt the data in memory for use.
- Keys are stored in an encrypted, Azure-managed Key Vault.


Disaster Recovery.
All data is stored using Azure’s Geo-redundant Storage (GRS) model, so that data centres can be switched swiftly if the primary tenancy becomes unavailable.
With GRS, data is first copied synchronously to three physical locations in the primary region using locally redundant storage (LRS).
It is then copied asynchronously to a single physical location in a secondary region, giving a storage durability of 99.9999999999999999% over a year.
All customer data and system designs are backed up on a regular basis. The following backup schedule is adhered to, ensuring your data is accessible when needed.
Content Controls.
The following outlines the application level controls put in place to manage users and data within the Nimblex application.
User Authentication
Administrators can enforce password complexity, length and age, and whether previous passwords can be reused. Administrators can also force a reset of user passwords when required.
Passwords are never transmitted in plain text. Nimblex only stores a salted one-way hash of the password and not the actual password itself. When logged in, users are authenticated and re-verified with each transaction via a secure token created at login.
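The storage and login flow described above, as an added example (not Nimblex's own code, whose hashing parameters and record layout are not published here): each password gets its own random salt, only a one-way PBKDF2 derivation is stored, verification compares in constant time, and a random session token issued at login is what every later request is checked against. The `pbkdf2_sha256$...` record layout, the `SessionStore` class and the sample password are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Stored-hash layout used in this example (constructed, not Nimblex's format):
#   pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>
ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16              # 128-bit random salt, unique per password
DIGEST_BYTES = 32            # 256-bit derived key
DEFAULT_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a salted one-way hash; the plaintext password is never stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=DIGEST_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    # compare_digest does not leak how many leading bytes matched
    return hmac.compare_digest(actual, expected)


class SessionStore:
    """Issues a random token at login and re-checks it on every request."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}  # token -> username

    def login(self, username: str, stored_hash: str, candidate: str) -> Optional[str]:
        if not verify_password(stored_hash, candidate):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = username
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user bound to the token, or None if it is unknown."""
        return self._sessions.get(token)

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    store = SessionStore()
    token = store.login("alice", record, "correct horse battery staple")
    print("stored:", record)
    print("login ok:", token is not None, "| user for token:", store.authenticate(token))
    print("wrong password ok:", store.login("alice", record, "wrong") is not None)
```

The iteration count is part of the stored record so it can be raised later without invalidating existing accounts; the token is never derived from the password, so a leaked session store reveals nothing about credentials.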
Utilising an Authentication Gateway for Single Sign On
Nimblex supports SAML 2.0 compliant gateways for Single Sign On, allowing administrators to centrally manage security complexity and authentication requests through an organisational gateway.
Gateways such as Azure AD and G Suite have been used successfully by organisations to authenticate users. No passwords are sent to Nimblex when users log in via this method.
Lockout
Administrators can define how the system handles incorrect login attempts. Two methods are available for managing user lockouts.
Fixed Number of Failures – This restricts the user to a set number of login attempts before they are locked out of the system. To be unlocked they need administrator intervention.
Exponential Lockout – Allows a user to attempt to log in a set number of times before being locked out for a set amount of time. They can then try to log in again once this time has expired. In this scenario, no administrator intervention is required.
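The two lockout methods side by side, as an added example that is not Nimblex's code: a fixed-failure policy that hard-locks the account until an administrator clears it, and a timed policy that reopens the account by itself. The page does not say how the timed period grows, so the doubling schedule (`base_seconds * 2**(n-1)` for the n-th lockout) is this example's assumption, as are the `AccountState` fields and the injectable `clock` used to make the timing testable.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class AccountState:
    """Per-account counters kept by the login service (constructed example)."""
    failures: int = 0                      # consecutive failures in the current window
    lockouts: int = 0                      # how many timed lockouts have been applied
    locked_until: Optional[float] = None   # timed lockout expiry (epoch seconds)
    admin_locked: bool = False             # hard lock that only an administrator clears


class FixedFailureLockout:
    """After max_failures bad attempts the account stays locked until an
    administrator unlocks it."""

    def __init__(self, max_failures: int) -> None:
        self.max_failures = max_failures

    def is_locked(self, state: AccountState) -> bool:
        return state.admin_locked

    def record_failure(self, state: AccountState) -> None:
        state.failures += 1
        if state.failures >= self.max_failures:
            state.admin_locked = True

    def record_success(self, state: AccountState) -> None:
        state.failures = 0

    def admin_unlock(self, state: AccountState) -> None:
        state.admin_locked = False
        state.failures = 0


class ExponentialLockout:
    """After max_failures bad attempts the account is locked for a period that
    doubles with each successive lockout (the doubling schedule is this
    example's assumption); it reopens automatically when the period expires."""

    def __init__(self, max_failures: int, base_seconds: float,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_failures = max_failures
        self.base_seconds = base_seconds
        self.clock = clock  # injectable so the schedule can be tested offline

    def is_locked(self, state: AccountState) -> bool:
        return state.locked_until is not None and self.clock() < state.locked_until

    def record_failure(self, state: AccountState) -> None:
        state.failures += 1
        if state.failures >= self.max_failures:
            state.lockouts += 1
            delay = self.base_seconds * (2 ** (state.lockouts - 1))
            state.locked_until = self.clock() + delay
            state.failures = 0  # a fresh window starts after the lockout

    def record_success(self, state: AccountState) -> None:
        state.failures = 0
        state.lockouts = 0
        state.locked_until = None


def attempt_login(policy, state: AccountState, password_ok: bool) -> str:
    """Apply a policy to one login attempt; returns 'locked', 'success' or 'failure'."""
    if policy.is_locked(state):
        return "locked"  # the credential is not evaluated at all while locked
    if password_ok:
        policy.record_success(state)
        return "success"
    policy.record_failure(state)
    return "failure"


if __name__ == "__main__":
    policy = ExponentialLockout(max_failures=3, base_seconds=60)
    state = AccountState()
    for _ in range(3):
        print(attempt_login(policy, state, password_ok=False))
    print(attempt_login(policy, state, password_ok=True))  # locked, even with the right password
```

Note that `attempt_login` refuses the attempt before looking at the password while the account is locked, so a locked account gives the same answer to right and wrong passwords and cannot be used as an oracle.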
Further System Controls.
To further allow organisations to tailor their security experience within Nimblex, we offer a range of security controls that can be implemented individually or in batches depending on business requirements.
Nimblex utilises a role-based permissions system that administrators manage centrally from the control panel. Because the system is flexible, custom groups can be created to support client-specific business rules and permissions.
Read Only Controls
At system design time you can specify that particular fields are always Read Only, or Read Only when certain conditions are met. This prevents the data stored in a field from being altered, modified or deleted by any user who does not satisfy the configured logic.
Control Visibility Rules
During the system design stage, you can specify certain data to only appear on screen for specific roles or logic requirements. For example, you may have a block of data only visible on screen to a set of administrators.
Record Level Filtering
This allows you to specify who has access to record-level data. At system design time, read and write access to specific records is generated and controlled here. This lets you apply further logic beyond role-based permissions.
Function Security
Function security allows you to define role-based permissions to use specific system-wide functions. Functions such as access to a Web API, the ability to export records, the System Scheduler and the System Designer can be controlled via function security.
IP Lockout
You can use this to restrict access to your instance to a specific list of IP addresses, which is useful for organisations that only want to allow access from organisational premises. This is enforced at the application level.
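An application-level IP restriction of the kind described above, as an added example that is not Nimblex's code: the allow list holds single addresses or CIDR ranges, matching is deny-by-default, and the `X-Forwarded-For` header is only believed when the connection comes from one of the application's own trusted proxies (otherwise anyone could claim an allowed address by sending the header). The function names, the comment syntax in the allow list and the sample addresses (documentation ranges) are constructed for this example.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allow_list(entries: Iterable[str]) -> List[Network]:
    """Turn configured entries (single addresses or CIDR ranges) into networks."""
    networks: List[Network] = []
    for raw in entries:
        entry = raw.split("#", 1)[0].strip()  # allow trailing comments
        if not entry:
            continue
        # strict=False accepts a host address such as 203.0.113.10 (becomes /32)
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def client_address(peer_ip: str, forwarded_for: Optional[str],
                   trusted_proxies: List[Network]) -> Address:
    """Decide which address to check. X-Forwarded-For is only believed when the
    TCP peer is one of our own trusted proxies; otherwise the header is
    caller-controlled and the peer address is used as-is."""
    peer = ipaddress.ip_address(peer_ip)
    if forwarded_for and any(peer in net for net in trusted_proxies):
        # The trusted proxy appends the address it accepted the connection from,
        # so with a single proxy tier the last element is the real client.
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return peer


def is_allowed(address: Address, allow_list: List[Network]) -> bool:
    """Deny by default: the address must fall inside a configured network."""
    return any(address in net for net in allow_list)


def check_request(peer_ip: str, forwarded_for: Optional[str],
                  allow_list: List[Network], trusted_proxies: List[Network]) -> str:
    """Return 'allow' or 'deny' for one request; unparsable input is denied."""
    try:
        address = client_address(peer_ip, forwarded_for, trusted_proxies)
    except ValueError:
        return "deny"  # fail closed on garbage addresses
    return "allow" if is_allowed(address, allow_list) else "deny"


if __name__ == "__main__":
    # Constructed configuration: head office range, one remote admin host, an IPv6 range
    allow = parse_allow_list(["203.0.113.0/24  # head office", "198.51.100.7", "2001:db8::/32"])
    proxies = parse_allow_list(["10.0.0.0/8"])  # our own load balancers
    print(check_request("203.0.113.200", None, allow, proxies))          # allow
    print(check_request("192.0.2.1", "203.0.113.5", allow, proxies))     # deny: header not trusted
    print(check_request("10.1.2.3", "203.0.113.5", allow, proxies))      # allow: header from our proxy
```

Mixed address families are handled by the `ipaddress` module: an IPv4 address is simply never inside an IPv6 network, so an IPv6 client is denied unless an IPv6 range is configured.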
Component Access Control Lists
Component Access Control Lists allow defining access permissions at the very lowest level.
On a per-column and per-folder basis you can specify read and write access for users.
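The controls listed above (role-based permissions, Read Only rules, visibility rules, record-level filtering and function security) combined in one small server-side policy evaluator, as an added example that is not Nimblex's implementation: every check is deny-by-default, visibility is applied on read and write alike, and a Read Only rule is a predicate over the record so that a field can be locked conditionally (here, once a contract is approved). The `Policy` and `User` types, the rule shapes and the sample records are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

Record = Dict[str, object]


@dataclass
class User:
    name: str
    department: str
    roles: Set[str]


@dataclass
class Policy:
    """Constructed policy model: every check below is deny-by-default."""
    # function security: role -> system functions that role may use
    function_grants: Dict[str, Set[str]] = field(default_factory=dict)
    # record-level filtering: every rule must accept (user, record)
    record_rules: List[Callable[[User, Record], bool]] = field(default_factory=list)
    # visibility rules: field -> roles allowed to see it (unlisted fields are visible)
    field_visibility: Dict[str, Set[str]] = field(default_factory=dict)
    # read-only rules: field -> predicate on the record; True means the field is locked
    read_only: Dict[str, Callable[[Record], bool]] = field(default_factory=dict)


def can_use_function(policy: Policy, user: User, function: str) -> bool:
    return any(function in policy.function_grants.get(role, set()) for role in user.roles)


def can_access_record(policy: Policy, user: User, record: Record) -> bool:
    return all(rule(user, record) for rule in policy.record_rules)


def visible_view(policy: Policy, user: User, record: Record) -> Record:
    """Copy of the record with fields the user's roles may not see removed."""
    if not can_access_record(policy, user, record):
        raise PermissionError(f"{user.name} may not read this record")
    return {name: value for name, value in record.items()
            if name not in policy.field_visibility
            or policy.field_visibility[name] & user.roles}


def apply_update(policy: Policy, user: User, record: Record, changes: Record) -> Record:
    """Enforce the same rules on writes, server side; returns an updated copy."""
    if not can_access_record(policy, user, record):
        raise PermissionError(f"{user.name} may not write this record")
    allowed_fields = visible_view(policy, user, record)
    for name in changes:
        if name not in allowed_fields:
            raise PermissionError(f"field {name!r} is not visible to {user.name}")
        lock = policy.read_only.get(name)
        if lock is not None and lock(record):
            raise PermissionError(f"field {name!r} is read-only for this record")
    updated = dict(record)
    updated.update(changes)
    return updated


# Constructed sample policy: officers see their own department's records, only
# admins see approval notes, and the contract value is frozen once approved.
POLICY = Policy(
    function_grants={"admin": {"system_designer", "export_records", "web_api"},
                     "officer": {"export_records"}},
    record_rules=[lambda u, r: "admin" in u.roles or r["department"] == u.department],
    field_visibility={"approval_notes": {"admin"}},
    read_only={"contract_value": lambda r: r["status"] == "approved"},
)

if __name__ == "__main__":
    officer = User("omar", "Finance", {"officer"})
    draft = {"id": 1, "department": "Finance", "status": "draft",
             "contract_value": 1000, "approval_notes": "pending"}
    print(visible_view(POLICY, officer, draft))            # approval_notes is hidden
    print(can_use_function(POLICY, officer, "system_designer"))  # False
```

The point of routing every read and write through the same evaluator is that hiding a field on screen is not enough on its own; the write path must reject a change to a hidden or locked field even if a client sends it directly.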
Manage Temporary Replacements
For when employees go on leave, we have a function to manage workloads on a temporary basis. This allows you to assign a user access to another user’s profile temporarily. This prevents passwords being shared internally, as well as keeping any decisions made whilst in this role auditable.
Audit Report
The audit report captures various actions across the system.
This report captures metadata such as user login information, switching into other roles, as well as data saved into the system.
Operations
Administrative access to Nimblex hosted systems is controlled. Only authorised members of the Nimblex team have access to the Azure Portal and Remote Desktop capabilities. Nimblex Support staff are given application-level access to implement change requests at a client’s request.
Internal Controls
Nimblex performs periodic risk reviews of both internal and external systems to ensure that we are aware of the risks and have a mitigation plan in place for each. Security procedures, information and training are shared openly among Nimblex staff with a continuous improvement mindset.
Data Ownership
All data is owned by the client and no claim of ownership is made by Nimblex over any records or documents created within Nimblex.
We also respect your privacy and will never make client records visible without permission.
Internal Reviews
Security reviews are performed multiple times during the development process. This includes code reviews and architectural reviews. All code reviews focus on the security of data and may cover authentication, authorisation and confidentiality.
At an application level, security-related configurations are always reviewed by a second Nimblex employee.
External Reviews.
Nimblex engages a third party to perform penetration testing on an annual basis. These are specialist application security firms that analyse Nimblex and its hosting for vulnerabilities, using industry-standard automated tools and extensive manual testing.
All data is hosted within Australia.
All data is hosted within Australia, regardless of which option you select.
However, if your company is based in another country, we can also arrange for a data centre in your own country.
Nimblex offers multiple environments on the same server. Usually we recommend Prod, DEV and UAT, but this can be changed as per the client’s policy.


Enhance standardisation and increase profit margins.
Increase profits with smart solutions
The objective of any business improvement process is to become more profitable by working smarter. This is exactly what our Nimblex clients experience.
Quickly implement new ideas
Bright ideas from staff can be easily implemented through a change request, or even implemented by the client themselves thanks to Nimblex’s easy to use ‘drag and drop’ configuration capability.
Other Options.

Integrate with Existing Systems
Nimblex has successfully integrated with many systems, from large ERPs to smaller applications.
