Encryption everywhere, least-privilege access by EU-based staff, and controls built and audited against the frameworks your auditors already know. This page is the short version — the long version is open to your security team under NDA.
TLS 1.3 across every endpoint and internal hop. AES-256 at rest for storage, databases, and backups. Region-resident keys with strict, audited access — customer-managed keys available on dedicated plans.
Least-privilege by default. Administrative access is limited to EU-based personnel, gated by SSO and MFA, time-bound, and fully logged. We resist unlawful third-country access requests.
Your data — prompts, files, inference, memory, backups — stays in the EU region you choose. Sub-processors are EU-based and contractually bound to the same standard.
Multi-AZ within region, encrypted point-in-time backups, and opt-in cross-region disaster recovery. Tested restores, not just stored copies.
We don't hide behind logos. Here's exactly where each framework stands — and reports are available to customers on request.
Status reflects program maturity for this prototype. Current attestations, audit reports, and certificates are shared with customers under NDA.
The questions security teams actually send us, answered up front.
All traffic uses TLS 1.3, including internal service-to-service hops. Data at rest is encrypted with AES-256 across object storage, databases, and backups.
Keys are region-resident and access to them is logged and reviewed. On dedicated plans you can bring or hold your own keys, keeping the cryptographic boundary under your control.
Customer access supports SSO (SAML/OIDC), enforced MFA, and role-based permissions. Administrative access by our staff is least-privilege, time-bound, EU-based, and fully audited.
Every privileged action is recorded in tamper-evident logs you can export to your own SIEM.
Compute, storage, inference, memory, and backups stay in your chosen EU region. We don't move data between regions without your instruction.
The full sub-processor list — by category and EU location — lives on the Data Residency page, and a current named list is available under NDA.
We run a documented incident-response process with defined severities and on-call ownership. Confirmed personal-data breaches are notified in line with GDPR's 72-hour requirement.
Operational incidents are posted to our Status page with timelines and post-incident reviews.
Your content is never used to train foundation models. Long-term agent memory is scoped to your organisation and never pooled across customers.
Significant decisions keep a human in the loop, with a route to contest automated outcomes — in line with GDPR Article 22 and our EU AI Act readiness work.
We welcome reports from security researchers and won't pursue good-faith research that respects user privacy and avoids service disruption. Email our security team with steps to reproduce; we acknowledge within two business days and keep you posted through to a fix.
Security contact: security@nordicintelligencelabs.com · PGP key available on request.
Want the long version — architecture diagrams, audit reports, and the named sub-processor list? We'll share it under NDA.