Our applications are hosted by Google Cloud Platform. We use Google's infrastructure to distribute our services.
Google Cloud Platform adheres to strict security and data privacy policies.
Google Cloud Platform undergoes independent audits of their security, privacy, and compliance controls to help us achieve our regulatory and policy goals. Details of their compliance services, such as ISO/IEC 27001/27017/27018/27701, SOC 1/2/3, PCI DSS, and FedRAMP certifications, as well as alignment with HIPAA, GDPR, and CCPA laws and regulations, among others, can be found in our Compliance Resource Center.
We perform account and entitlement review (at least 1 time per month) on our network infrastructures.
Our network infrastructure is composed of several layers of security
The data is hosted at Google Cloud Platform in Belgium (for European customers).
All critical data (passwords and access tokens) are encrypted with proven encryption algorithms.
We use TLS to transmit data securely.
We take care of the generation, renewal and implementation of the SSL certificate on our load balancers. Our SSL certificates use recommended encryption algorithms. We perform regular tests on our domains to evaluate the quality of our SSL encryption.
The Nonli analytics tag operates on a sub-domain of the client's main domain. This allows us to use a secure, strict first-party cookie that does not require a consent request. This cookie contains the key "nli" and as a value a uuid that corresponds to a unique anonymous user id.
All data collected through this tag is anonymized and not consolidated with other domains. No personal data is collected through this tag.
A dedicated link is available (example: https://nonli.com/cookie/consent) in order to allow the user to deactivate the tracking if necessary.
We commit ourselves not to use the data of our customers for our own account.
We do our best to respect an availability rate of 99.99%.
The availability of the service is available on our statuspage
We replicate and back up all our data several times a day. We play disaster recovery scenarios regularly to restore service as quickly as possible.
All our applications are developed internally by our employees on permanent contracts, we do not use any external service provider or subcontractor.
Our developers regularly practice peer programming. All developments are unit tested and functionally tested.
Nous avons des environnements de QA dédiés, si un test ne passe pas le code ne pourra pas être déployé en production.
We have dedicated QA environments, if a test does not pass the code cannot be deployed in production.
We follow the OWASP recommendations.
Before the deployment in production, we have a strict validation process of the :
If the development does not pass one of these validation steps, the code must be improved until all steps are validated.
We scan the application with external tools that inspect for security flaws, potential bugs, code quality and run weekly reports.
Administrators can create specific roles for each department of the company with a very fine granularity.
It is possible to create transverse roles for several brands in read and/or write and add specific rights per resource.
All our connections require two-factor authentication (2FA) with phone number and SMS validation. Sessions must be unique by device type. It is allowed to have 2 simultaneous sessions on desktop and mobile.
If 2 sessions are initiated on 2 desktop simultaneously the first session will be invalidated.
Each password modification must be validated by email.Each email modification must be validated by SMS.Each phone modification must be validated by email.
All employees are trained in security and the staff does regular workshops on the OWASP recommendations and on the literature we discover every week by doing monitoring. We dedicate 1 to 2 hours per week per employee on computer security awareness.
We regularly perform penetration tests internally to combine theory and practice.
We consider networks as untrustworthy, that's why we have put in place protection and installation procedures. The development machines are all installed according to a unified protocol in order to guarantee the update and the setting in conformity of all the data-processing park (encryption, firewall, restriction of access by fingerprint?).
The sessions of our workstations are automatically locked after 5 minutes.
The personnel is sensitized with the confidentiality, the integrity and the sensitization of the data of all our customers.
We perform regular security tests with Cloud Web Security Scanner and Scrutinizer. Our customers have the possibility to perform external security audits and penetration tests.
Vulnerabilities can be reported to us at email@example.com
The company's employees make their best efforts to apply the ISO 27001 and ISO 27002 standards.
Nonli is compliant with the GDPR regulations.
The data subject to the GDPR are the data necessary for the proper functioning and security of the platform. When a company becomes inactive in Nonli, it is deleted as well as the users attached to the company, no personal data is kept.
Nonli is PCI-DSS compliant. Adyen is fully compliant with PCI DSS 3.2 as a Level 1 provider. This is the primary security standard governing the payments industry.
As a payment institution, Adyen is fully supervised by the Dutch Central Bank and we comply with the requirements of the European Payment Services Directive (EU Directive 2015/2366), as well as any other requirements applicable to the financial services provided by Adyen.
Adyen is compliant with ISAE3402/SOC 1 (Service Organizational Control 1), which assesses and tests internal controls over financial reporting within a service organization. This reflects the service organization's compliance with policies and procedures and involves monitoring, training, and testing of policies and procedures.
Nonli is an official partner of Facebook, Instagram, Twitter and LinkedIn. Nonli joined the Google Startup Pack program and then became a Google Partner.
Nonli has obtained the status of Young Innovative Company issued by the Ministry of Research.