Security

Like any other company, Nimble has a lot of sensitive information that need to protect: internal records, credentials, client data, etc.

As an engineering-focused company, Nimble has to go beyond conventional and often low-level security practices.

This guide details the security measures that the team puts in place to safeguard any sensitive and critical piece of information that comes into their hands.

General Practices

Account & Identity Security

• Use 1Password to generate and store credentials securely.
• Use strong, unique passwords for each service or system.
• Favor random passphrases over random characters — 1Password can generate passphrases.
• Enable Multi-Factor Authentication (MFA) wherever possible.
• Avoid sharing accounts; use named user accounts with proper permissions.
• Log out or lock your workstation when leaving your desk.

Introduction to and usage of 1Password

Device & Endpoint Security

• Keep operating systems and software up to date with the latest security patches.
• Use full disk encryption on laptops and mobile devices
  • Use FileVault on macOS — enabled by default with Apple silicon.
  • Use Device Encryption on Windows
• Only install approved or verified applications from trusted sources — i.e. App Store, Play Store, Microsoft Store, or official releases from a known publisher.

Network & Access Controls

• Connect through VPN when accessing company resources remotely — see how in our internal resources.
• Never share Nimble’s main wifi password with anyone not working at Nimble — only share the guest wifi access when needed.
• Limit administrative access to only those who need it (principle of least privilege).
• Use firewalls and access control lists (ACLs) to restrict network traffic.
• Monitor network activity for unusual behavior or unauthorized access.

Data Protection & Confidentiality

• Always use tools that encrypt data when it is stored (at rest) and when it is being sent or received (in transit):
  • When browsing websites, make sure the address begins with https://, which indicates a secure connection.
  • For communication, document sharing, and other work tools, use those officially recommended by Nimble (e.g., Slack, Google Workspace). If a client asks to use a different tool, only agree if that tool clearly states it protects data both when stored and during transmission.
• Limit access to data based on roles and responsibilities — avoid public and granular individual access.
• Back up critical data regularly and ensure there is a restore procedure in place that is well tested.
• Be cautious with USB devices — never plug unknown devices.
• Use secure file-sharing methods (like 1Password) instead of email for confidential files.

Email & Communication Safety

• Watch out for phishing emails — ALWAYS verify the sender address for critical request emails.
• Report suspicious emails to the administrator using the built-in report feature from Gmail — especially if the email was not marked as spam.
• Do NOT click unknown links or download attachments from unverified sources.
• Do NOT send sensitive information unencrypted over email or chat.

Code Version Control

For every product that the team works on, be it an internal project or a client project, they always use code version control.

The Version Control Systems (VCS for short), like many other tools, require authentication before anything can be accessed or changed.

Authentication must happen every time a developer updates the code on the VCS and every time an automated build/deployment is triggered.

For authentication, the team relies on SSH keys, which are far more secure than a standard username-password pair. SSH keys are long and complex, far more than any password could be. Unlike passwords, SSH keys aren’t transferred to the remote system, which removes all risks of interception too.

For an additional level of security, the SSH keys are unique to each developer and to each service that requires access to the code repository (for automatic deployment, for instance).