Security
Technical and organizational measures we take to protect your data.
Niserva is a NIS2 compliance platform — security is the foundation of the product. This page describes the concrete technical and organizational measures we apply to protect your data.
1. Encryption
In transit
All traffic between your browser and Niserva uses TLS 1.3 with modern cipher suites. HSTS is enabled — browsers refuse to connect to niserva.com over plain HTTP.
At rest
The database and file storage (Supabase Postgres + Storage) are encrypted at rest using AES-256 at the disk layer. Backups are encrypted as well.
Passwords
Passwords are never stored in plaintext — we use bcrypt with rotation via Supabase Auth. Even we cannot read them.
2. Multi-tenant isolation
Each Niserva organization (customer) is isolated through Postgres Row-Level Security (RLS) policies. This means that even with a valid API key you cannot read, create or modify another organization's rows — isolation is enforced at the database layer, not just in the application.
3. Authentication and access
- Email verification is required at signup.
- MFA (TOTP) is supported for all users and required for super administrators.
- Password policy: minimum 8 characters, checked against the Have I Been Pwned (HIBP) breach list — known leaked passwords are rejected.
- Sessions: short-lived JWT access token + refresh token via sb-refresh-token; sessions expire after 7 days of inactivity.
4. Audit log
Every INSERT, UPDATE and DELETE in Niserva's compliance tables (risks, vendors, incidents, policies, training, evidence, controls and assessments) is automatically captured by a Postgres trigger with the actor (user_id), timestamp, and before/after content. Log records are append-only — even administrators cannot delete or edit them.
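The tenant isolation described in section 2 and the append-only audit trail described above, as an added SQL example: this is not Niserva's schema or code, and the schema, table, role (authenticated) and JWT claim names (sub, org_id) are assumptions that follow common PostgREST/Supabase conventions.

```sql
-- Added example, not Niserva's own schema or code. It shows the two
-- mechanisms described on this page: per-organization isolation with
-- Postgres Row-Level Security, and an append-only audit trail filled by
-- a trigger. Assumptions (PostgREST/Supabase conventions, names chosen here):
--   * the caller's JWT claims are exposed as the session setting
--     request.jwt.claims (JSON text); "sub" is the user id and "org_id" is a
--     hypothetical custom claim naming the caller's organization;
--   * the application connects as a non-owner role named "authenticated"
--     (create it with CREATE ROLE outside Supabase).
-- Requires PostgreSQL 13+ (gen_random_uuid without extensions).

create schema if not exists app;
grant usage on schema app to authenticated;

-- Read one claim from the JWT stored in the session. Returns NULL when there
-- is no JWT, so every policy below then fails closed (no rows match).
create or replace function app.jwt_claim(name text) returns text
language sql stable as $$
  select nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> name
$$;

-- One compliance table, scoped by organization.
create table app.risks (
  id        uuid primary key default gen_random_uuid(),
  org_id    uuid not null,
  title     text not null,
  severity  text not null check (severity in ('low', 'medium', 'high'))
);

-- Enforce RLS for everyone including the table owner (FORCE); without it the
-- owning role would bypass the policy silently (superusers always do).
alter table app.risks enable row level security;
alter table app.risks force row level security;

-- USING hides other organizations' rows from SELECT/UPDATE/DELETE;
-- WITH CHECK rejects an INSERT or UPDATE whose org_id is not the caller's,
-- so a row can be neither created in nor moved into another tenant.
create policy risks_tenant_isolation on app.risks
  for all to authenticated
  using      (org_id = app.jwt_claim('org_id')::uuid)
  with check (org_id = app.jwt_claim('org_id')::uuid);

grant select, insert, update, delete on app.risks to authenticated;

-- Append-only audit trail: who changed what, when, and the before/after row.
create table app.audit_log (
  id         bigint generated always as identity primary key,
  org_id     uuid not null,
  table_name text not null,
  operation  text not null,   -- INSERT / UPDATE / DELETE
  row_id     uuid not null,
  actor      uuid,            -- NULL for changes made outside a user session
  at         timestamptz not null default now(),
  before     jsonb,
  after      jsonb
);

-- Runs as its owner (SECURITY DEFINER) so application roles never need INSERT
-- on audit_log; search_path is pinned so the function cannot be redirected.
create or replace function app.audit_row_change() returns trigger
language plpgsql security definer set search_path = pg_catalog, app as $$
begin
  insert into app.audit_log (org_id, table_name, operation, row_id, actor, before, after)
  values (
    case when tg_op = 'DELETE' then old.org_id else new.org_id end,
    tg_table_name,
    tg_op,
    case when tg_op = 'DELETE' then old.id else new.id end,
    app.jwt_claim('sub')::uuid,
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return null;  -- AFTER trigger: the return value is ignored
end
$$;

create trigger risks_audit
  after insert or update or delete on app.risks
  for each row execute function app.audit_row_change();

-- Append-only: the application role gets no UPDATE/DELETE privilege, and a
-- trigger rejects rewrites even from roles that do hold the privilege.
create or replace function app.reject_rewrite() returns trigger
language plpgsql as $$
begin
  raise exception 'app.audit_log is append-only; % rejected', tg_op;
end
$$;

create trigger audit_log_immutable
  before update or delete on app.audit_log
  for each row execute function app.reject_rewrite();

-- Tenants may read only their own audit entries.
alter table app.audit_log enable row level security;
create policy audit_log_tenant_read on app.audit_log
  for select to authenticated using (org_id = app.jwt_claim('org_id')::uuid);
grant select on app.audit_log to authenticated;

-- Smoke test with constructed ids, run as "authenticated" inside one transaction:
--   select set_config('request.jwt.claims',
--     '{"sub":"0b6e7a2c-1111-4a2c-9c1f-000000000001","org_id":"a0000000-0000-4000-8000-000000000001"}', true);
--   insert into app.risks (org_id, title, severity)
--     values ('a0000000-0000-4000-8000-000000000001', 'Unpatched VPN gateway', 'high'); -- allowed, audited
--   insert into app.risks (org_id, title, severity)
--     values ('b0000000-0000-4000-8000-000000000002', 'Other tenant', 'low');          -- rejected by WITH CHECK
--   delete from app.audit_log;                                                          -- rejected: append-only
```

Two details matter in practice: FORCE ROW LEVEL SECURITY, because without it the table owner bypasses the policy, and the WITH CHECK clause, because USING alone would still let a caller insert or update a row into a different org_id. The audit trigger records the actor from the JWT at the moment of the change, so entries written outside a user session (migrations, maintenance jobs) show a NULL actor and can be reviewed separately.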
5. Storage and backups
- Primary database hosted in Frankfurt (eu-west-1).
- Daily automated DB backup, retained for 30 days.
- Files (evidence documents) live in Supabase Storage; access is only through short-lived signed URLs.
6. Sub-processor security
All our processors hold recognized security certifications:
- Supabase — SOC 2 Type II, ISO 27001.
- Vercel — SOC 2 Type II, ISO 27001.
- Anthropic — SOC 2 Type II.
- Resend — SOC 2 Type II.
- Stripe — PCI DSS Level 1, SOC 1 / SOC 2.
7. Incident response
We maintain an internal Incident Response Plan (IRP). If a security incident affects customer data, we notify customers within 48 hours (matching our DPA commitment) and follow NIS2 Article 23 — significant incidents are notified to the supervisory authority within 24 hours (early warning) and 72 hours (incident notification).
8. Responsible disclosure
We invite security researchers to report findings to info@nexdev.lt. We respond within 72 hours. If the finding is confirmed we will coordinate disclosure timing and, where possible, credit the researcher in our security acknowledgements. Please do not publish a vulnerability before it is fixed.
9. Compliance and certifications
- NIS2 self-assessment — completed, documents available on request.
- ISO 27001 — in progress (target 2027).
- SOC 2 Type II — target 2027.
- TISAX — target 2027 for automotive customers.
10. Contact
For security matters (incident reports, security questionnaires, audit reports) reach us at info@nexdev.lt.