Updated on May 19, 2023
- Security of our infrastructure
- Network Security
- Data Security
- Data Location
- Critical Data
- Data Transport
- Management of the delegated shortened domain by the client
- A Consent-Exempt Audience Analysis Solution
- Nonli Analytics Tag (SDK) Operation
- Service Availability
- Disaster Recovery and Service Continuity
- Nonli Application Security
- Development Method
- Application Security Inspection and Scanning
- Security and Access Rights in Nonli
- Resource Access Management
- API Access
- Company Security
- Personnel and Equipment Security
- Security Audit
- Report a Security Incident
- Compliance and Certifications
- Compliance on Transactions
- Partnership and Status
Security of our infrastructure
Our applications are hosted by Google Cloud Platform. We use Google's infrastructure to distribute our services.
Google Cloud Platform adheres to strict rules regarding security and data privacy.
Google Cloud Platform undergoes independent verification of their security, privacy, and compliance control devices to help us achieve our regulatory and strategic goals. Details of their compliance service, such as ISO/IEC certifications 27001/27017/27018/27701, SOC 1/2/3, PCI DSS, and FedRAMP, as well as alignment with laws and regulations such as HIPAA, GDPR, and CCPA, among others, can be found in our compliance resource center.
We perform account and rights reviews (at least once a month) on our network infrastructure.
We work with DoiT International France SAS, which is a Google Cloud Premier Partner, to provide us with responsive support for Google Cloud Platform and to make recommendations on best practices, cost optimization, and platform security. DoiT International France SAS does not have access to our infrastructure.
Our network infrastructure is composed of several layers of security.
- A virtual private cloud, with Cloud Identity and Access Management (IAM) access control
- IP and port filtering
- A mitigation system to protect against malicious attacks
Data is hosted with Google Cloud Platform in Belgium (for European clients).
All critical data (passwords and access tokens) is encrypted with proven encryption algorithms.
We use TLS to securely transport data.
Management of the delegated shortened domain by the client
We support the generation, renewal, and implementation of the SSL certificate on our load balancers. Our SSL certificates use recommended encryption algorithms. We regularly test our domains to evaluate the quality of our SSL encryption.
A Consent-Exempt Audience Analysis Solution
Nonli Analytics Tag (SDK) Operation
The Nonli analytics tag operates on a subdomain of the client's main domain. This allows us to use a secure, strict first-party cookie that does not require consent. This cookie contains the "nli" key and a value that is a unique anonymous ID for the user. The cookie is used to analyze traffic and helps us eliminate traffic generated by bots. The tag and cookie do not allow the distinct path of a single user to be isolated.
All data collected through this tag is anonymized and not consolidated with other domains. No personal data is collected through this tag.
A dedicated link is available (example: https://nonli.com/cookie/consent) to allow the user to disable tracking if desired. The "nli_consent" cookie is used to determine if the user wants to disable tracking.
We are committed to not using our clients' data for our own purposes.
Input filtering is performed to retrieve only the contents of the "nli" and "nli_consent" cookies.
We make our best efforts to maintain a 99.99% availability rate.
Service availability is available on our status page.
Disaster Recovery and Service Continuity
We replicate and backup all our data several times a day. We regularly perform disaster recovery scenarios to restore service as quickly as possible.
Nonli Application Security
All our applications are developed in-house by our permanent employees. We do not use any external providers or subcontractors.
Our developers regularly practice pair programming. All development is tested unitarily and functionally.
We have dedicated QA environments. If a test does not pass, the code cannot be deployed in production.
Our developers regularly attend training to stay up-to-date with best practices for combating security vulnerabilities.
We follow the recommendations of OWASP.
Before deployment in production, we have a strict code validation process:
- Each development must be deployed in an isolated and secure "sandbox" environment
- Pull requests must be reviewed and approved by other developers
- Unit tests must pass in green
- Functional tests must be validated
- Regression tests must be validated
- The code quality score must not decrease
- No security vulnerabilities should be revealed by our external code audit and security tools.
If development fails any of these validation steps, the code must be improved until all steps are validated.
Application Security Inspection and Scanning
We scan the application with external tools that inspect security vulnerabilities, potential bugs, code quality, and generate weekly reports.
Security and Access Rights in Nonli
Resource Access Management
Administrators have the ability to create specific roles for each company service with very fine granularity.
It is possible to create cross-brand roles in read and/or write and add specific rights per resource.
All our connections require two-factor authentication (2FA) with phone number and SMS validation. Sessions must be unique by device type. It is allowed to have 2 simultaneous sessions on desktop and mobile. If 2 sessions are initiated on 2 desktops simultaneously, the first session will be invalidated. The same goes for simultaneous sessions on mobile.
Each password change must be validated by email.
Each email change must be validated by SMS.
Each phone change must be validated by email.
A user/password access is provided to use the server-to-server API. To use the REST API, a token must be requested during authentication. This token is valid for 7 days.
Personnel and Equipment Security
All employees are trained in security and personnel regularly attend workshops on OWASP recommendations as well as on the literature we discover every week when conducting research. We devote 1 to 2 hours per week per employee to raising awareness of computer security.
We regularly perform internal penetration testing to combine theory with practice.
We consider networks to be unreliable, which is why we have implemented protection and installation procedures. Development machines are all installed following a unified protocol to ensure the update and compliance of the entire IT fleet (encryption, firewall, access restriction by fingerprint, etc.).
Our workstations' sessions are automatically locked after 5 minutes.
Personnel are trained in confidentiality, data integrity, and data sensitivity for all our clients.
We regularly conduct security tests with Cloud Web Security Scanner and Scrutinizer. Our clients have the option to perform external security audits and penetration tests by informing us in advance.
Report a Security Incident
Vulnerabilities can be communicated to us at firstname.lastname@example.org.
Compliance and Certifications
The company's employees do their best to comply with ISO 27001 and SOC 2 standards.
Nonli complies with the GDPR regulation (https://www.notion.so/RGPD-Traitement-des-donn-es-Nonli-dde600e646bd433e85264d528adbb88b?pvs=21).
Data submitted to the GDPR is data necessary for the proper functioning and security of the platform. When a company becomes inactive in Nonli, it is deleted along with any users associated with it, and no personal data is retained.
Compliance on Transactions
Nonli is compliant with the PCI-DSS standard. Credit card transactions are handled by ADYEN.
Adyen is fully compliant with PCI DSS 3.2 as a level 1 provider. This is the main security standard governing the payment sector.
As a payment institution, Adyen is fully supervised by the central bank of the Netherlands and we comply with the requirements of the European directive on payment services (EU Directive 2015/2366), as well as any other requirements applicable to financial services provided by Adyen.
Adyen is compliant with the ISAE3402/SOC 1 standard (Service Organizational Control 1), which assesses and tests internal controls on financial reports within a service organization. This reflects the organization's compliance with policies and procedures and involves monitoring, training, and verification of policies and procedures.
Partnership and Status
Nonli is an official partner of Facebook, Instagram, Twitter, and LinkedIn. Nonli has integrated the Google Startup Pack program and then became a Google Partner.
Nonli has obtained the status of Jeune Entreprise Innovante issued by the Ministry of Research.