LIVE · AUDIT CHAIN · EU
SYSTEM · 99.99% AVAILABILITY
v 1.0 ↗ MADE IN THE EU
eIDAS · Qualified signature
GDPR · Compliant
ISO 27001 · Certified 2026
HDS · Health-grade hosting

End-to-end architecture.

5 layers of security, from the technician's smartphone to the 7-year legal archive.

Capture · TLS 1.3
EU Cloud · AES-256
eIDAS · QES
Archive · 7 years
Blockchain · SHA-256

Standards & certifications.

Qualified electronic signature
EU Regulation 910/2014 · QES Level
✓ Compliant

Nexbasira uses Qualified Electronic Signature (QES) as defined by the EU eIDAS regulation. It is the highest level of electronic signature recognized in Europe, legally equivalent to a handwritten signature.

Legally enforceable
Accepted by courts in all 27 EU member states.
Verified identity
Video KYC + ID check before signing.
RFC 3161 timestamp
Qualified timestamp via trust authority.
Qualified Trust Service Provider
QTSP partner listed by ANSSI.
Personal data protection
EU Regulation 2016/679 · Certified DPO
✓ Compliant

Nexbasira is GDPR-native: data protection is built into the product, not bolted on after. Our DPO (Data Protection Officer) is AFNOR-certified.

EU data only
100% hosted in France & Germany. No transfers outside EU.
Right to erasure
Full erasure on request, within 30 days max.
Data portability
Export all data in JSON/PDF at any time.
DPA / Subprocessing
Data Processing Agreement signed with every enterprise client.
Information security management
Certified 2026 · Annual audit
✓ Certified

Nexbasira has been ISO 27001 certified since 2026. Our ISMS covers the entire product scope: infrastructure, HR and business processes. Annual external audit.

End-to-end encryption
TLS 1.3 in transit, AES-256 at rest.
Strict access control
SSO, mandatory MFA, least-privilege principle.
Quarterly pentests
External penetration tests 4×/year + bug bounty.
Tested BCP / DRP
Business continuity plan tested 2×/year. RTO < 4h, RPO < 15min.
Health Data Hosting
Available on request · Enterprise plan
Option

For clients in the medical sector or handling sensitive data, Nexbasira offers HDS hosting via OVHcloud, certified by the French Ministry of Health. Available on Enterprise plan.

Audits & attestations.

All our audit reports are available on request for enterprise clients (under NDA).

Audit / Certification · Auditor · Last update · Status
ISO 27001:2022 · Bureau Veritas · Mar 2026 · ✓ ACTIVE
SOC 2 Type II · Mazars · Feb 2026 · ✓ ACTIVE
GDPR Audit · CNIL Compliance · Jan 2026 · ✓ ACTIVE
External pentest · Synacktiv · Apr 2026 · ✓ PASSED
eIDAS QTSP · ANSSI listing · 2025 · ✓ ACTIVE

For your security team.

Concrete answers to the usual checklist. Each line is in code, on this commit — not a marketing wishlist.


Data residency

Primary region: eu-central-1 (Frankfurt) + eu-west-3 (Paris)
Schrems II: No US control plane. No US sub-processor on the audit chain or evidence storage.
Storage: Encrypted S3 with org-prefixed keys. Lifecycle to cold archive at 90 days for eIDAS retention.
Self-host: Available on Enterprise plan. Docker + Caddy stack documented.

Cryptography

Audit chain: SHA-256 over canonical JSON envelopes. Previous-link reference per event. Per-session Postgres advisory lock.
Timestamping: 3 independent TSAs — Tezos (YodaLedger), RFC 3161 (FreeTSA), OpenTimestamps (Bitcoin). Anchored at session end + on demand.
Webhook signing: HMAC-SHA256 in t=...,v1=... format. 5-min clock-skew tolerance. Fernet-encrypted secret at rest.
API credentials: SHA-256 + SECRET_KEY pepper at rest. Constant-time verify. Soft-revoke preserves the audit trail.
Field tokens: Single-use JWT HS256, IP/UA-pinned, time-boxed, scoped to one session + one participant.
PAdES signing: Detached PKCS#7/CMS in PDF signature dict. RFC 3161 timestamp over signature value. SubFilter ETSI.CAdES.detached.
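A receiver-side check for the webhook scheme described above (HMAC-SHA256, `t=...,v1=...` header, 5-minute skew window, constant-time compare). This is an added example, not Nexbasira's code; it assumes the signed string is `"<t>.<raw body>"`, which the page does not state.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Assumption (not on the page): the HMAC covers "<t>.<raw body>", as in the
# common t=...,v1=... scheme. The 300 s window is the page's 5-min tolerance.
SKEW_SECONDS = 300


def _mac(secret: bytes, body: bytes, ts: int) -> str:
    return hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()


def sign_webhook(secret: bytes, body: bytes, ts: int) -> str:
    """Sender side: build the t=...,v1=... header value for a raw payload."""
    return f"t={ts},v1={_mac(secret, body, ts)}"


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split "t=...,v1=...[,v1=...]" into the timestamp and all v1 candidates."""
    ts, v1s = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            ts = int(value)
        elif key == "v1":
            v1s.append(value)
    if ts is None or not v1s:
        raise ValueError("malformed signature header")
    return ts, v1s


def verify_webhook(secret: bytes, body: bytes, header: str,
                   now: Optional[int] = None) -> bool:
    """Reject stale or future timestamps first, then compare MACs in constant time."""
    now = int(time.time()) if now is None else now
    try:
        ts, v1s = parse_signature_header(header)
    except ValueError:
        return False
    if abs(now - ts) > SKEW_SECONDS:
        return False  # outside the skew window: replayed or badly skewed delivery
    expected = _mac(secret, body, ts)
    # compare_digest keeps the check constant-time; several v1 values may be
    # present while the sender rotates its secret, any valid one is accepted.
    return any(hmac.compare_digest(expected, v1) for v1 in v1s)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample, not a real secret
    body = b'{"event":"session.closed","session_id":"demo-1"}'
    hdr = sign_webhook(secret, body, 1700000000)
    assert verify_webhook(secret, body, hdr, now=1700000100)
    assert not verify_webhook(secret, body, hdr, now=1700000301)   # too old
    assert not verify_webhook(secret, body + b" ", hdr, now=1700000000)  # body altered
```

Verify against the raw request bytes, not a re-serialized JSON object, or the MAC will not match.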
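The hash-chained audit trail above (SHA-256 over canonical JSON envelopes, previous-link reference per event), shown as a builder plus an integrity check that locates the first broken link. Added example, not the project's code; the canonical form (sorted keys, no whitespace, UTF-8) and the envelope fields `seq`, `prev`, `payload` are assumptions.

```python
import hashlib
import json
from typing import List, Optional

# Assumed canonical JSON (the page only says "canonical JSON envelopes"):
# sorted keys, compact separators, UTF-8 without ASCII escaping. The hash
# covers the whole envelope, prev-link included, so each link commits to
# the entire history before it.
GENESIS = "0" * 64  # placeholder previous-link for the first event of a session


def canonical(envelope: dict) -> bytes:
    return json.dumps(envelope, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def link_hash(envelope: dict) -> str:
    return hashlib.sha256(canonical(envelope)).hexdigest()


def append_event(chain: List[dict], seq: int, payload: dict) -> dict:
    """Build the next envelope, referencing the hash of the previous link."""
    prev = link_hash(chain[-1]) if chain else GENESIS
    env = {"seq": seq, "prev": prev, "payload": payload}
    chain.append(env)
    return env


def find_break(chain: List[dict]) -> Optional[int]:
    """Index of the first event whose prev-link or position is wrong, else None.

    Re-hashing every link also catches edits to historic payloads, since the
    following event's prev-link was computed over the original bytes.
    """
    expected = GENESIS
    for i, env in enumerate(chain):
        if env.get("prev") != expected or env.get("seq") != i:
            return i
        expected = link_hash(env)
    return None


if __name__ == "__main__":
    chain: List[dict] = []  # constructed sample session
    append_event(chain, 0, {"type": "session.open", "inspector": "demo-user"})
    append_event(chain, 1, {"type": "field.filled", "field": "reading", "value": "1234"})
    append_event(chain, 2, {"type": "session.close"})
    assert find_break(chain) is None
    head = link_hash(chain[-1])  # the value a session-end timestamp anchor would cover
    chain[1]["payload"]["value"] = "9999"  # tamper with a historic field value
    assert find_break(chain) == 2          # link 2 no longer matches rehashed link 1
```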

Access controls

Tenant isolation: Postgres Row-Level Security on every multi-tenant table. app.current_org as session-level GUC, enforced by middleware on every request.
RBAC: 4 system roles per org (org_admin / inspector / observer / auditor) + custom roles. Slug-checked at view layer + cross-checked by RLS.
MFA: TOTP. Per-org policy: MFA required for org_admin role if enabled.
SSO: OIDC + SAML 2.0. JIT provisioning gated by email-domain allowlist + default role.
SCIM: SCIM 2.0 endpoint with per-org bearer token. Standard /Users + /Groups resources.

Operational security

CI gate: ruff strict gate (backend) + eslint strict (frontend) + Playwright E2E + pytest + vitest. A single warning fails the build.
SBOMs: CycloneDX SBOMs published per build (backend + 3 frontend projects + 3 SDK packages).
Dependency scanning: pip-audit on requirements.txt + npm audit on every package on every CI run.
Reproducible builds: Docker images pinned by digest. requirements.txt + package-lock.json committed.
Logging: Structured JSON logs. No raw PII in logs. 30-day hot retention, 1-year cold.

Found something?

We appreciate it. Here are the commitments we make in return, and the secure channel to reach us.

01

Acknowledgement within 2 business days

Human reply, not an autoresponder. You know we've read it.

02

Triage and CVE within 5 days

Severity classification, internal ID assignment, remediation queued.

03

Critical fixes within 7 days

For critical vulnerabilities post-triage. Advisories follow CVE conventions.

04

Public credit & bounty

Public hall of fame if you wish. Monetary rewards by severity.

Secure email
security@nexbasira.com
PGP key — fingerprint
A1B2 C3D4 E5F6 0708 1920 · 3132 3435 3637 3839 4041

Please don't disclose publicly until we've shipped a fix. We keep you posted at every step.

Need the security questionnaire?

CAIQ, VSA, SIG, or your own format — we respond within 5 business days and ship the artifacts (SBOM, pentest reports, attestations).