Security, Data Management, Privacy


We make every effort to protect the data and privacy of our users. We have a strict data protection and privacy policy that we are constantly improving in line with new standards and best practices.

Security of our infrastructures

Our applications are hosted by Google Cloud Platform. We use Google's infrastructure to distribute our services.

Google Cloud Platform adheres to strict security and data privacy policies.

Google Cloud Platform undergoes independent audits of their security, privacy, and compliance controls to help us achieve our regulatory and policy goals. Details of their compliance services, such as ISO/IEC 27001/27017/27018/27701, SOC 1/2/3, PCI DSS, and FedRAMP certifications, as well as alignment with HIPAA, GDPR, and CCPA laws and regulations, among others, can be found in our Compliance Resource Center.

We perform account and entitlement review (at least 1 time per month) on our network infrastructures.

Network security

Our network infrastructure is composed of several layers of security

Data security

Data location

The data is hosted at Google Cloud Platform in Belgium (for European customers).

Critical data

All critical data (passwords and access tokens) are encrypted with proven encryption algorithms.

Data transport

We use TLS to transmit data securely.

Management of the shortened domain delegated by the customer

We take care of the generation, renewal and implementation of the SSL certificate on our load balancers. Our SSL certificates use recommended encryption algorithms. We perform regular tests on our domains to evaluate the quality of our SSL encryption.

How the Nonli analytics tag works

The Nonli analytics tag operates on a sub-domain of the client's main domain. This allows us to use a secure, strict first-party cookie that does not require a consent request. This cookie contains the key "nli" and as a value a uuid that corresponds to a unique anonymous user id.

All data collected through this tag is anonymized and not consolidated with other domains. No personal data is collected through this tag.

A dedicated link is available (example: in order to allow the user to deactivate the tracking if necessary.

We commit ourselves not to use the data of our customers for our own account.

Service availability

We do our best to respect an availability rate of 99.99%.

The availability of the service is available on our statuspage

Disaster recovery and service continuity

We replicate and back up all our data several times a day. We play disaster recovery scenarios regularly to restore service as quickly as possible.

Security of Nonli's applications

All our applications are developed internally by our employees on permanent contracts, we do not use any external service provider or subcontractor.

Development method

Our developers regularly practice peer programming. All developments are unit tested and functionally tested.

Nous avons des environnements de QA dédiés, si un test ne passe pas le code ne pourra pas être déployé en production.

We have dedicated QA environments, if a test does not pass the code cannot be deployed in production.

We follow the OWASP recommendations.

Before the deployment in production, we have a strict validation process of the :

  1. Each development must be deployed in an isolated and secure sandbox environment
  2. Pull Requests must be reviewed and approved by other developers
  3. Unit tests must be green
  4. The functional tests must be validated
  5. The non-regression tests must be validated
  6. The quality score of the code should not drop
  7. No security vulnerabilities should be revealed by our external code and security audit tools

If the development does not pass one of these validation steps, the code must be improved until all steps are validated.

Application security inspection and scanning

We scan the application with external tools that inspect for security flaws, potential bugs, code quality and run weekly reports.

Security and access rights in Nonli

Resource access management

Administrators can create specific roles for each department of the company with a very fine granularity.

It is possible to create transverse roles for several brands in read and/or write and add specific rights per resource.


All our connections require two-factor authentication (2FA) with phone number and SMS validation. Sessions must be unique by device type. It is allowed to have 2 simultaneous sessions on desktop and mobile.

If 2 sessions are initiated on 2 desktop simultaneously the first session will be invalidated.

Each password modification must be validated by email.Each email modification must be validated by SMS.Each phone modification must be validated by email.

Company security

Safety of personnel and equipment

All employees are trained in security and the staff does regular workshops on the OWASP recommendations and on the literature we discover every week by doing monitoring. We dedicate 1 to 2 hours per week per employee on computer security awareness.

We regularly perform penetration tests internally to combine theory and practice.

We consider networks as untrustworthy, that's why we have put in place protection and installation procedures. The development machines are all installed according to a unified protocol in order to guarantee the update and the setting in conformity of all the data-processing park (encryption, firewall, restriction of access by fingerprint?).

The sessions of our workstations are automatically locked after 5 minutes.

The personnel is sensitized with the confidentiality, the integrity and the sensitization of the data of all our customers.

Security audit

We perform regular security tests with Cloud Web Security Scanner and Scrutinizer. Our customers have the possibility to perform external security audits and penetration tests.

Report a security incident

Vulnerabilities can be reported to us at

Compliance and certifications

The company's employees make their best efforts to apply the ISO 27001 and ISO 27002 standards.

Nonli is compliant with the GDPR regulations.

The data subject to the GDPR are the data necessary for the proper functioning and security of the platform. When a company becomes inactive in Nonli, it is deleted as well as the users attached to the company, no personal data is kept.

Compliance on transactions

Nonli is PCI-DSS compliant. Adyen is fully compliant with PCI DSS 3.2 as a Level 1 provider. This is the primary security standard governing the payments industry.

As a payment institution, Adyen is fully supervised by the Dutch Central Bank and we comply with the requirements of the European Payment Services Directive (EU Directive 2015/2366), as well as any other requirements applicable to the financial services provided by Adyen.

Adyen is compliant with ISAE3402/SOC 1 (Service Organizational Control 1), which assesses and tests internal controls over financial reporting within a service organization. This reflects the service organization's compliance with policies and procedures and involves monitoring, training, and testing of policies and procedures.

Partnership and Status

Nonli is an official partner of Facebook, Instagram, Twitter and LinkedIn. Nonli joined the Google Startup Pack program and then became a Google Partner.

Nonli has obtained the status of Young Innovative Company issued by the Ministry of Research.