ΖΩΝΤΑΝΑ · ΑΛΥΣΙΔΑ ΕΛΕΓΧΟΥ · ΕΕ
ΣΥΣΤΗΜΑ · 99,99% ΔΙΑΘΕΣΙΜΟΤΗΤΑ
v 1.0 ↗ ΦΤΙΑΓΜΕΝΟ ΣΤΗΝ ΕΕ
Security & compliance

Your data, your evidence, secured.

Nexbasira was designed from day one around the strictest European standards: eIDAS for legal weight, GDPR for data protection, ISO 27001 for operational security.

eIDAS
Qualified signature
RGPD
GDPR Compliant
ISO 27001
Certified 2026
HDS
Health-grade hosting

End-to-end architecture.

5 layers of security, from technician's smartphone to 7-year legal archive.

Capture
TLS 1.3
EU Cloud
AES-256
eIDAS
QES
Archive
7 ans
Blockchain
SHA-256

Standards & certifications.

Qualified electronic signature
Règlement UE 910/2014 · QES Level
✓ Compliant

Nexbasira uses Qualified Electronic Signature (QES) as defined by the EU eIDAS regulation. The highest level of electronic signature recognized in Europe, legally equivalent to a handwritten signature.

Legally enforceable
Accepted by courts in all 27 EU member states.
Verified identity
Video KYC + ID check before signing.
RFC 3161 timestamp
Qualified timestamp via trust authority.
Qualified Trust Service Provider
QTSP partner listed by ANSSI.
Personal data protection
Règlement UE 2016/679 · DPO certifié
✓ Compliant

Nexbasira is GDPR-native: data protection is built into the product, not bolted on after. Our DPO (Data Protection Officer) is AFNOR-certified.

EU data only
100% hosted in France & Germany. No transfers outside EU.
Right to erasure
Full erasure on request, within 30 days max.
Data portability
Export all data in JSON/PDF at any time.
DPA / Subprocessing
Data Processing Agreement signed with every enterprise client.
Information security management
Certifié 2026 · Audit annuel
✓ Certified

Nexbasira is ISO 27001 certified since 2026. Our ISMS covers the entire product scope, infrastructure, HR and business processes. Annual external audit.

End-to-end encryption
TLS 1.3 in transit, AES-256 at rest.
Strict access control
SSO, mandatory MFA, least-privilege principle.
Quarterly pentests
External penetration tests 4×/year + bug bounty.
Tested BCP / DRP
Business continuity plan tested 2×/year. RTO < 4h, RPO < 15min.
Health Data Hosting
Disponible sur demande · Plan Enterprise
Option

For clients in the medical sector or handling sensitive data, Nexbasira offers HDS hosting via OVHcloud, certified by the French Ministry of Health. Available on Enterprise plan.

Audits & attestations.

All our audit reports are available on request for enterprise clients (under NDA).

Audit / Certification
Auditor
Last update
Status
ISO 27001:2022
Bureau Veritas
Mar 2026
✓ ACTIVE
SOC 2 Type II
Mazars
Feb 2026
✓ ACTIVE
RGPD Audit
CNIL Compliance
Jan 2026
✓ ACTIVE
Pentest external
Synacktiv
Apr 2026
✓ PASSED
eIDAS QTSP
ANSSI listing
2025
✓ ACTIVE
Technical specs

For your security team.

Concrete answers to the usual checklist. Each line is in code, on this commit — not a marketing wishlist.

🇪🇺

Data residency

Primary region eu-central-1 (Frankfurt) + eu-west-3 (Paris)
Schrems II No US control plane. No US sub-processor on the audit chain or evidence storage.
Storage Encrypted S3 with org-prefixed keys. Lifecycle to cold archive at 90 days for eIDAS retention.
Self-host Available on Enterprise plan. Docker + Caddy stack documented.
🔐

Cryptography

Audit chain SHA-256 over canonical JSON envelopes. Previous-link reference per event. Per-session Postgres advisory lock.
Timestamping 3 independent TSAs — Tezos (YodaLedger), RFC 3161 (FreeTSA), OpenTimestamps (Bitcoin). Anchored at session-end + on-demand.
Webhook signing HMAC-SHA256 in t=...,v1=... format. 5-min clock-skew tolerance. Fernet-encrypted secret at rest.
API credentials SHA-256 + SECRET_KEY pepper at rest. Constant-time verify. Soft-revoke preserves the audit trail.
Field tokens Single-use JWT HS256, IP/UA-pinned, time-boxed, scoped to one session + one participant.
PAdES signing Detached PKCS#7/CMS in PDF signature dict. RFC 3161 timestamp over signature value. Subfilter ETSI.CAdES.detached.
🛡

Access controls

Tenant isolation Postgres Row-Level Security on every multi-tenant table. app.current_org as session-level GUC enforced by middleware on every request.
RBAC 4 system roles per org (org_admin / inspector / observer / auditor) + custom roles. Slug-checked at view layer + cross-checked by RLS.
MFA TOTP. Per-org policy: MFA required for org_admin role if enabled.
SSO OIDC + SAML 2.0. JIT provisioning gated by email-domain allowlist + default role.
SCIM SCIM 2.0 endpoint with per-org bearer token. Standard /Users + /Groups resources.
⚙️

Operational security

CI gate ruff strict gate (backend) + eslint strict (frontend) + Playwright E2E + pytest + vitest. Single warning fails the build.
SBOMs CycloneDX SBOMs published per build (backend + 3 frontend projects + 3 SDK packages).
Dependency scanning pip-audit on requirements.txt + npm audit on every package on every CI run.
Reproducible builds Docker images pinned by digest. requirements.txt + package-lock.json committed.
Logging Structured JSON logs. No raw PII in logs. 30-day hot retention, 1-year cold.
Responsible disclosure

Found something?

We appreciate it. Here are the commitments we make in return, and the secure channel to reach us.

01

Acknowledgement within 2 business days

Human reply, not an autoresponder. You know we've read it.

02

Triage and CVE within 5 days

Severity classification, internal ID assignment, remediation queued.

03

Critical fixes within 7 days

For critical vulnerabilities post-triage. Advisories follow CVE conventions.

04

Public credit & bounty

Public hall of fame if you wish. Monetary rewards by severity.

Secure email
security@nexbasira.com
PGP key — fingerprint
A1B2 C3D4 E5F6 0708 1920 · 3132 3435 3637 3839 4041
Public key
/.well-known/pgp.asc
Full policy
/.well-known/security.txt

Please don't disclose publicly until we've shipped a fix. We keep you posted at every step.

Need the security questionnaire?

CAIQ, VSA, SIG, or your own format — we respond within 5 business days and ship the artifacts (SBOM, pentest reports, attestations).

Request questionnaire → See Privacy & GDPR