Skip to main content

NextRequest powered by CivicPlus® Security

Your NextRequest Solution Team is protecting your data with SOC 2 Type II Security Audit


Application Security

NextRequest servers and databases are hosted on Amazon, which implements industry-leading physical, technical, and operational security measures. Amazon has received ISO 27001 certification and Federal Information Security Management Act (FISMA) Moderate Authorization. Accreditation from the U.S. General Services Administration, and is SOC-compliant. Amazon’s infrastructure is suitable to host FIPS, FedRAMP, and FERPA-compliant applications.

More on Amazon’s compliance.


Storage Security

NextRequest uses Amazon S3 to store customer image assets and documents. S3 is an industry-leading simple storage service that offers software developers a highly scalable, reliable, and low-latency data storage infrastructure. Access to resources within Amazon S3 is controlled through Access Control Lists (ACLs) and query string authentication.

More on Amazon Web Services compliance and security.



Your data is backed up daily, weekly, and monthly to ensure your data remains secure and protected.


Data Center Security

Physical access is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. Authorized staff utilize multi-factor authentication mechanisms to access data centers. Entrances to server rooms are secured with devices that sound alarms to initiate an incident response if the door is forced or held open.



Our platform maintains redundancy to prevent single points of failure, is able to replace failed components, and utilizes multiple data centers designed for resiliency. In the case of an outage, the platform is deployed across multiple data centers using current system images and data is restored from backups.


Disaster Recovery Plan

We have a step-by-step plan in place to take precautions and minimize the effects of a disaster. This enables us to provide consistent operations and quickly resume mission-critical functions.


SOC 2 Type II Audit

NextRequest has successfully completed a SOC 2 Type II audit. This third-party audit evaluates our internal controls, policies, and procedures and reports on controls that directly relate to our services’ security, availability, processing integrity, confidentiality, and privacy.


The NextRequest application uses AES-256 encryption and encrypts all documents at rest. These documents can only be accessed through a valid token which expires. Additionally, all data is encrypted at rest and in transit.


The NextRequest codebase is built on the latest version of Ruby and Ruby on Rails, one of the most common and well-documented modern web development languages and frameworks. Ruby and Ruby on Rails provide robust internal tools to mitigate common attack patterns such as SQL injection and cross-site scripting (XSS). NextRequest follows regular updates for security vulnerabilities and updates the codebase as appropriate.

NextRequest employs Github (owned by Microsoft) to securely manage all code comprising the production platform. Github/Microsoft provides collaboration, distributed revision control, and source code management functions. NextRequest uses an agile development process with frequent, incremental testing and changes rather than large-scale, infrequent releases.

NextRequest uses GitHub/Microsoft and makes changes to its repositories via GitHub Pull Requests (PRs). All code is tested in a development environment before deployment to the production platform. Code changes are peer-reviewed and approved. Logs of changes are stored in Github /Microsoft, with the ability to revert to prior versions easily.


All web requests between web clients and NextRequest are secured by TLS (Transport Layer Security) version 1.2. TLS is an industry standard used by millions of websites to secure web transactions.


NextRequest contains several layers of monitoring at the application level. NextRequest uses two services for monitoring performance and error tracking. Errors are logged within the application, and NextRequest administrators are immediately notified when errors do occur. Standard application logs are collected daily and weekly. Individual user access is logged within the application and kept in application logs.

System status reports are available 24/7 here.

Auditing and Scanning

Our codebase and all dependencies are scanned for vulnerabilities every time we make changes. Additionally, we perform weekly automated vulnerability scans of every part of our application, which includes checks for SQL injection, XSS, and other common attack vectors. Logs are secured and archived for one year.

PCI Payment Processing

All payments are processed through Stripe, a PCI Level 1 Service Provider. NextRequest does NOT store customer credit card information on our servers.

Data Deletion/Destruction

At a customer’s request, we will expunge all customer data from NextRequest servers.

Confidentiality Agreements

All employee contracts include a confidentiality agreement.

Background Checks

All NextRequest employees undergo comprehensive background checks.

Real-Time Security Updates

NextRequest’s architecture allows security updates to be made to all customers in real time, preventing delays in patching security vulnerabilities.