We take the security and availability of your data seriously.

We maintain geographically diverse datacenters, running secured operating systems, and multiple layers of security. Your company’s data is safe with Nutshell.

SSL/TLS encryption

We use bank-grade SSL/TLS encryption whenever you access your Nutshell account.

One-way encrypted passwords

Passwords are encrypted one-way and cannot be recovered by Nutshell staff.

Availability tracking

We maintain status.nutshell.com with reporting data from third-parties to track Nutshell availability.

Network security

Our engineering team has experience managing petabytes of data securely and durably. We take the following steps to keep your data secure at rest and as it transits our networks.

  • Private datacenters with industry-standard physical security policies & locked server cages
  • 24×7 onsite datacenter staff to perform critical repairs
  • Firewalls, modern Linux operating systems, and conservative network configuration
  • VPNs to secure employee access and encrypt all data that transits Internet links
  • User passwords are salted and one-way encrypted. Nutshell staff cannot recover your password
  • Login pages are protected against brute-force attacks
  • We follow industry security lists and promptly patch critical issues
  • We use a multi-tenant data storage architecture. Customer data is stored in discrete silos per account, to isolate and protect your data

Uptime and durability

In addition to security, it’s critical to be able to access your data at all times. We do the following to keep Nutshell accessible at all times.

  • Multiple third-party monitoring services track Nutshell’s availability across the planet
  • On-call engineers are automatically paged for any customer-facing outage
  • RAID-10 redundant hard drive systems for all production databases, providing for hot swaps when drives fail
  • Hot-spare database servers in case of entire system failure
  • Realtime geographically-diverse replication of data
  • Twice-daily, weekly and monthly snapshots of all customer data for backup and recovery
  • status.nutshell.com hosted externally with uptime metrics provided by a third party and updates from our network team
  • One-click data zip export tool, to save all Nutshell data for legal compliance or portability

Operational security

Our support team is based in-house with our Ann Arbor engineering team. We will only access your account with your permission to troubleshoot support issues. Staff will never ask for your Nutshell password.

  • All staff computers run with full-disk encryption and strong passwords
  • We don’t expose our internal network to Windows
  • Every Nutshell employee receives a copy of 1Password on their first day
  • Offices are protected with individual keycard access

Financial security

Your credit card and billing information is stored securely. Our billing systems are PCI-compliant and managed separately from Nutshell application systems.


Nutshell uses one-way encryption to securely store a representation of your password. We cannot retrieve a password — you must use our forgotten password tool in conjunction with your email address to recover your password. It is your responsibility to keep your Nutshell email address up-to-date.

It is your responsibility to choose secure passwords and to keep them safe. Nutshell cannot be responsible for data that is compromised due to an insecure or stolen user password. If you are authenticating with Nutshell via a third-party (e.g., Google Apps), those passwords must also be secured.

Responsible disclosure

If you are a security researcher or you believe that you have encountered a problem in Nutshell’s security, please review the following notes.

Please report any security concerns to security@nutshell.com. If you believe that you need to send an encrypted message, please email first for our public key.

We ask that you give us a reasonable amount of time to respond to reports before making information public.

Please do not conduct any security research that could result in the destruction of data, interruption or degradation of service. This includes the use of automated tools or scanners: they are likely to cause your IP address to be banned.

We don’t currently accept responsible disclosure reports around the following issues:

  • Iframe / UI redress issues related to X-Frame-Options headers
  • HSTS implementation
  • User-provided password strength


Nutshell would like to thank the following organizations and individuals for responsibly disclosing security vulnerabilities. We greatly appreciate all contributions that help strengthen and improve Nutshell’s security, and allow us to provide a better experience for our customers.