How we protect your compliance data
Built to NIS2 Article 21 and ISO 27001 standards so any customer — covered by NIS2, GDPR, or neither — can use Normiq without it creating a compliance problem on their side. This page is the short version of our vendor-assessment posture.
Where your data lives
Every byte of customer data sits in European jurisdiction, on European-headquartered infrastructure. No customer data is processed or stored by US-headquartered cloud providers — not even in their "EU regions," because of the US CLOUD Act and FISA 702.
- Application hosting: Hetzner Online GmbH — Falkenstein / Helsinki
- Production database: UpCloud Ltd Managed PostgreSQL — Finland
- Object storage: Hetzner — Germany / Finland
- Identity provider: Zitadel Cloud — Switzerland (EU adequacy decision)
- AI inference: Mistral AI SAS — France
- Email delivery: Brevo / Sendinblue SA — France
- Analytics: Plausible Insights OÜ — Estonia (cookieless, no PII)
- Website CDN: BunnyCDN — Slovenia, EU-only edge nodes configured
Data in transit and at rest
- TLS 1.2 minimum, TLS 1.3 preferred. HTTP traffic is redirected to HTTPS at the load balancer.
- Database encryption at rest is enabled (UpCloud Managed PostgreSQL provides this natively).
- Evidence files in object storage are encrypted at rest and bound to the uploading organisation by storage path.
- Passwords are hashed by Zitadel using Argon2id (we never see customer passwords; OAuth flows handle it end-to-end).
Authentication and access
- OIDC / OAuth 2.0 via Zitadel. Standard JWTs validated by both the web app and the API.
- Multi-factor authentication available for end users (TOTP, WebAuthn / passkeys). Organisation admins can enforce MFA for all members.
- Short-lived access tokens (15 min) with secure refresh.
- Re-authentication required for sensitive actions: changing email or password, modifying MFA, deleting an account, modifying billing, generating API keys, changing organisation roles.
- OAuth providers: Google and Microsoft only. No SMS-based MFA — it's vulnerable to SIM-swapping.
- Rate limiting on every API endpoint. Failed auth attempts are logged with IP and timestamp and retained for at least 90 days.
AI processing safety
- Customer text is scrubbed of PII (names, emails, phone numbers, addresses) before any of it reaches an AI model. The originals stay in our database; only the scrubbed copies cross the API boundary.
- Mistral does not train on data we submit (contractual under the DPA).
- Every AI output is a draft. No automated decisions with legal effect under Article 22 GDPR.
- All AI runs are logged with metadata (model, tokens, verifier confidence, expert-review flag) — never with raw prompts containing PII.
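The scrubbing step and the metadata-only run log described above, as an added example (this is illustrative code written for this page, not Normiq's own implementation). E-mail addresses and phone numbers are found with generic patterns; names and street addresses, which regexes cannot find reliably, are matched against a directory of known values assumed to come from the organisation's own records. The ticket text, the known names and addresses, and the run metadata are all constructed sample values.

```python
import json
import re
from datetime import datetime, timezone

# Generic patterns for two of the PII classes. Names and addresses are matched
# from a known-values directory instead (an assumption of this example).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d ()./-]{6,}\d")
ISO_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed sample input; nothing here is real customer data.
SAMPLE_TICKET = (
    "Ticket from Anna Virtanen <anna.virtanen@example.org>, phone +358 40 123 4567, "
    "shipping to Mannerheimintie 12, Helsinki. Deadline 2024-05-01."
)
KNOWN_NAMES = ("Anna Virtanen",)
KNOWN_ADDRESSES = ("Mannerheimintie 12, Helsinki",)


def _phone_token_is_real(token):
    """An ISO date (2024-05-01) has the same shape as a phone number; skip it."""
    return not ISO_DATE_RE.match(token) and sum(ch.isdigit() for ch in token) >= 7


def scrub_pii(text, known_names=(), known_addresses=()):
    """Return (scrubbed_copy, redaction_counts); the caller keeps the original."""
    counts = {"address": 0, "email": 0, "phone": 0, "name": 0}

    def counted(label, replacement):
        def repl(_match):
            counts[label] += 1
            return replacement
        return repl

    # Addresses first: their digits would otherwise be chewed on by the phone pattern.
    for addr in sorted(known_addresses, key=len, reverse=True):
        text = re.sub(re.escape(addr), counted("address", "[ADDRESS]"), text, flags=re.IGNORECASE)
    text = EMAIL_RE.sub(counted("email", "[EMAIL]"), text)

    def phone_repl(match):
        token = match.group(0)
        if not _phone_token_is_real(token):
            return token
        counts["phone"] += 1
        return "[PHONE]"

    text = PHONE_RE.sub(phone_repl, text)
    for name in sorted(known_names, key=len, reverse=True):
        text = re.sub(r"\b" + re.escape(name) + r"\b", counted("name", "[NAME]"), text, flags=re.IGNORECASE)
    return text, counts


def contains_residual_pii(text, known_names=(), known_addresses=()):
    """Guard run on the scrubbed copy immediately before it crosses the API boundary."""
    if EMAIL_RE.search(text):
        return True
    if any(_phone_token_is_real(m.group(0)) for m in PHONE_RE.finditer(text)):
        return True
    lowered = text.lower()
    return any(value.lower() in lowered for value in (*known_names, *known_addresses))


def ai_run_log_record(run_id, model, tokens_in, tokens_out, confidence, expert_review, counts):
    """Structured JSON audit record for one AI run: metadata only, never the prompt."""
    record = {
        "event": "ai_run",
        "ts": datetime.now(timezone.utc).isoformat(),
        "run_id": run_id,
        "model": model,
        "tokens": {"input": tokens_in, "output": tokens_out},
        "verifier_confidence": confidence,
        "expert_review": expert_review,
        "pii_redactions": counts,
    }
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    scrubbed, counts = scrub_pii(SAMPLE_TICKET, KNOWN_NAMES, KNOWN_ADDRESSES)
    if contains_residual_pii(scrubbed, KNOWN_NAMES, KNOWN_ADDRESSES):
        raise RuntimeError("refusing to send: PII survived scrubbing")
    print(scrubbed)
    print(ai_run_log_record("run-0001", "example-model", 120, 40, 0.87, False, counts))
```

The guard is the important part: the scrubber is a best-effort filter, so the copy handed to the model is re-checked and the call is refused rather than logged if anything survives. The log record carries the redaction counts, which is useful for tuning the patterns without ever storing what was redacted.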
Logging and incident response
- Every material action is logged: authentication events, permission denials, data exports, deletions, billing events, AI classifications and acceptances.
- Logs are structured JSON. No PII in log bodies.
- Security log retention: minimum 90 days.
- We notify affected customers within 72 hours of a confirmed personal-data breach, aligning with GDPR Article 33 and NIS2 incident reporting.
Vulnerability management
- Public vulnerability disclosure: email security@normiq.eu. We aim to acknowledge reports within 48 hours.
- Dependency vulnerability scanning runs in CI (pnpm audit, pip-audit). Critical vulnerabilities block deployment.
- Dependabot is the only automated bot permitted to open PRs. Auto-merge is disabled.
- Security review on every release and at major version milestones.
Business continuity
- Automated daily backups with 30-day retention.
- Backup restoration is tested quarterly.
- Recovery Time Objective (RTO): 4 hours for the application, 2 hours for the database.
- Recovery Point Objective (RPO): 24 hours (daily backups).
Privacy by design
- Self-serve GDPR Article 15 / 20 data export (personal data + JSON Schema + README).
- Self-serve EU Data Act Article 4 export (all organisation data, machine-readable).
- Self-serve GDPR Article 17 erasure: immediate anonymisation, hard delete within 30 days.
- 30-day soft-delete recovery window for AI systems and evidence files.
- No customer PII in third-party analytics, error trackers, or marketing tools.
What we do not have (yet)
Being honest about the maturity stage:
- ISO 27001 certification: not yet. We build to ISO 27001 Annex A standards but the formal certification is on the roadmap for 2027.
- SOC 2 Type II: not on the roadmap. SOC 2 is a US framework. ISO 27001 is the EU equivalent and the more relevant credential for our customers.
- Public uptime SLA: not on the current plans. We monitor uptime internally but do not yet commit to a contractual SLA.
Vendor assessments and DPAs
We can sign a Data Processing Agreement (DPA) with any customer who requests one. Email privacy@normiq.eu with your standard DPA or request ours. The full list of our own sub-processors is in the Privacy Policy.
Report a security issue
If you believe you've found a vulnerability in Normiq, please email security@normiq.eu. We do not currently run a bug bounty programme, but we will publicly credit reporters in this page's changelog (with permission) and our gratitude is real.
Please give us a reasonable window — at least 14 days — to investigate and patch before disclosing publicly. We commit to responding to all reports.