Web and worker communicate only through Postgres, Redis, and SQS — no direct HTTP. The execution engine is a portable TypeScript package with zero cloud dependencies.
Each customer gets its own isolated Aurora, Redis, and SQS. No noisy neighbors. No shared blast radius. Multi-tenant deployment available on request, with strict per-row policies.
Web writes to Postgres and SQS. Worker reads from SQS and writes to Postgres. Redis pub/sub broadcasts state changes. Failures are localized; retries are durable.
@nexus/engine is a pure TypeScript package — no AWS imports. Run it on Lambda, on Kubernetes, on bare metal. The cloud-specific bits live in adapters.
SSO across the board. Short-lived JWTs. Per-tenant identity pools. SCIM provisioning for enterprise plans.
Workspace, workflow, and node-level permissions. Approval-required tools. Time-bound elevation. Every state change audited.
Customer-managed keys optional. mTLS for in-house MCP servers. Secrets in AWS Secrets Manager with automated rotation.
Every workflow run, every approval, every config change — appended to an immutable log. SIEM-ready exports.
Annual audits. Data residency in 6 regions. BAAs and DPAs available with the enterprise plan.
Traces, metrics, logs — emitted as OpenTelemetry. Drop into Datadog, Honeycomb, Grafana, or your own collector.
30 minutes with our engineering team. We walk through the stack, show you a live worker, and answer security/compliance questions.