Nis2You
Security & Trust

Last updated: 2026-05-03

You trust us with the very information that describes your security posture. This page documents, in full transparency, how we protect that data, and what is still on our roadmap. No marketing promises, no compliance logos we have not earned. NIS2YOU is in early access: we are building our security alongside our customers building theirs.

Hosting and data location
  • Hosted by Hetzner Online GmbH, datacenters in Germany (Falkenstein / Nuremberg). Hetzner is ISO 27001-certified at the infrastructure level.
  • Your data stays within the European Union. No transfer to third countries in the normal operation of the Service.
  • Technical processors (hosting, transactional email) selected on the basis of GDPR conformity and bound by an Article 28 data-processing agreement.
Encryption
  • In transit: TLS 1.2+ enforced for all client-server traffic. HTTPS redirect forced. HSTS enabled.
  • At rest: encryption at our hosting provider's storage layer.
  • Passwords: bcrypt hashing with a unique per-user salt. No clear-text password is ever stored or logged.
  • Application secrets: environment variables isolated per tenant, never committed to the repository.
Authentication & access
  • Two-factor authentication (2FA / TOTP) available for every user (Google Authenticator, Authy, 1Password, etc.).
  • Recovery codes encrypted and single-use, in case the second factor is lost.
  • Strict multi-tenant isolation: every business table carries a tenant_id and a global scope applies it to every query automatically. Test coverage in our Pest suite TenantIsolationTest.
  • Roles and permissions: 5 levels (Owner, Admin, Risk Manager, Contributor, Auditor) with a detailed matrix. The Auditor role lets you invite your external auditor in read-only.
  • SSO / SAML: on demand, in the upcoming Enterprise plan.
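The tenant-isolation bullet above describes a pattern that Laravel calls a global scope. The listing below is an added illustration, not NIS2YOU's own code: it shows a scope that appends a tenant_id condition to every Eloquent query, a trait that registers it and stamps tenant_id on insert, and a Pest test of the kind the page refers to. The class names (TenantScope, BelongsToTenant, Risk), the assumption that users carry a tenant_id column, and the three-files-in-one layout are all hypothetical; in a real project each class lives in its own file.

```php
<?php
// Added example, not NIS2YOU's code. Assumes Laravel 9+ on PHP 8 and a
// users.tenant_id column. Three files are shown in one listing for brevity.

// app/Models/Concerns/TenantScope.php
namespace App\Models\Concerns;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;

class TenantScope implements Scope
{
    // Laravel calls apply() every time a query builder is created for the
    // model, so the tenant filter cannot be forgotten at a call site.
    public function apply(Builder $builder, Model $model): void
    {
        $tenantId = auth()->user()?->tenant_id;

        // Fail closed: with no authenticated tenant, match no rows rather
        // than silently returning every tenant's data.
        if ($tenantId === null) {
            $builder->whereRaw('1 = 0');
            return;
        }

        // Qualify the column with the table name so joins stay unambiguous.
        $builder->where($model->qualifyColumn('tenant_id'), $tenantId);
    }
}

trait BelongsToTenant
{
    // Laravel auto-calls boot<TraitName>() when the model boots.
    public static function bootBelongsToTenant(): void
    {
        static::addGlobalScope(new TenantScope());

        // Stamp tenant_id server-side on insert. Keeping tenant_id out of
        // $fillable means a client cannot mass-assign another tenant's id.
        static::creating(function (Model $model): void {
            $model->tenant_id = auth()->user()?->tenant_id;
        });
    }
}

// app/Models/Risk.php (hypothetical business entity)
namespace App\Models;

use App\Models\Concerns\BelongsToTenant;
use Illuminate\Database\Eloquent\Model;

class Risk extends Model
{
    use BelongsToTenant;

    protected $fillable = ['title']; // tenant_id deliberately not fillable
}

// tests/Feature/TenantIsolationTest.php (Pest)
namespace Tests\Feature;

use App\Models\Concerns\TenantScope;
use App\Models\Risk;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

it('hides one tenant\'s rows from another tenant', function () {
    $alice = User::factory()->create(['tenant_id' => 1]);
    $bob   = User::factory()->create(['tenant_id' => 2]);

    $this->actingAs($alice);
    $risk = Risk::create(['title' => 'Unpatched VPN appliance']);
    expect($risk->tenant_id)->toBe(1);   // stamped by the creating hook
    expect(Risk::count())->toBe(1);

    $this->actingAs($bob);
    expect(Risk::count())->toBe(0);            // scope filters the query
    expect(Risk::find($risk->id))->toBeNull(); // even a direct lookup by id

    // The row still exists; only the scope hides it.
    expect(Risk::withoutGlobalScope(TenantScope::class)->count())->toBe(1);
});
```

The fail-closed branch is the part worth copying: a scope that returns all rows when no user is authenticated (for example inside a queued job or an artisan command) is a common way for tenant isolation to leak, so the test should also cover the unauthenticated case in a real suite.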
Backups & business continuity
  • Automated daily snapshots of the infrastructure (Hetzner Cloud Snapshots), retained according to our retention policy.
  • While in early access, recovery time and continuity strategy are best-effort commitments, not a contractual SLA.
  • Numerical recovery objectives (RPO/RTO) and a contractual availability SLA will be offered in the Enterprise plan, together with a multi-DC replication strategy.
Audit log
  • Every change to business entities (risks, controls, action plans, incidents, reviews, assets, users) is tracked: who, when, old value, new value.
  • Visible to users on the Audit log page. Accessible to the Admin, Risk Manager and Auditor roles.
  • Retained for the lifetime of the tenant to meet NIS2 / ISO 27001 traceability requirements.
Data lifecycle
  • Your data is yours. PDF and CSV/Excel exports available at any time from the application; public API is in development.
  • Account deletion: on request to dpo@nis2you.com, we process your erasure request and confirm the deletion by email. You can export your register before the final deletion.
  • Soft-deletes on critical business entities to preserve the audit history.
Secure development
  • Codebase versioned on GitHub with mandatory code review before merging.
  • Continuous integration pipeline: Pest test suite runs on every push; any regression blocks deployment.
  • Dependency security updates tracked automatically (Dependabot).
  • No credentials in source code. Environment variables encrypted at rest.
On our roadmap

We believe in transparency. Here is what we do not have yet:

  • ISO 27001 certification (internal preparation under way; the tool we sell helps us prepare for it too).
  • SOC 2 Type II audit (planned for 2027 depending on commercial traction).
  • External penetration test programme, to be planned based on commercial traction and customer requests.
  • Public responsible disclosure programme (bug bounty).
  • Contractual availability SLA with multi-DC replication strategy (will be attached to the Enterprise plan).
Security & data protection contact

We take vulnerability reports seriously and commit to acknowledging them within 72 business hours.

Published security reviews

May 2026 (v1.0), latest. Download PDF

This page is updated whenever our security posture evolves significantly. The date of the last update is shown at the top of the document. Any question? Write to us.