PolicyForge

Trust & security

Everything CISOs want to see.

Selling cybersecurity holds you to a higher standard. Here is PolicyForge's security, compliance and operational posture — no jargon, no superlatives, verifiable.

Data protection

Your data, encrypted and isolated

Encryption at rest & in transit

AES-256 for data at rest (Postgres on Supabase), TLS 1.2+ for every network exchange.

EU hosting

Database and storage on Supabase (Frankfurt). Transactional email on Resend (EU). Monitoring on Sentry (Frankfurt). Vercel serves the frontend from its Edge nodes; serverless functions run in the US (iad1) under SCCs, as documented on our Subprocessors page.

See the subprocessor list

Multi-tenant isolation

Every customer organisation is isolated at the database level via Postgres Row Level Security, enforced by the database itself rather than by application code. A query running as an authenticated user can never return another organisation's rows, even if an application bug omits the organisation filter, because the policy predicate is applied to every statement on the table.
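To make the isolation claim concrete, here is what per-organisation Row Level Security looks like in Postgres on Supabase. This is an added illustration, not PolicyForge's schema: the table and column names (org_members, policies, org_id) are assumed for the example; auth.uid() is Supabase's helper returning the caller's JWT subject and authenticated is Supabase's role for signed-in users.

```sql
-- Added example of per-organisation Row Level Security (Postgres / Supabase).
-- Table and column names are assumed for illustration, not PolicyForge's own.

create table org_members (
  org_id  uuid not null,
  user_id uuid not null,
  role    text not null check (role in ('user', 'admin', 'super_admin')),
  primary key (org_id, user_id)
);

create table policies (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  title  text not null,
  body   text
);

-- 1. Enable RLS. FORCE makes it bind the table owner as well, so a migration
--    or maintenance script connecting as the owner gets no implicit bypass.
alter table policies enable row level security;
alter table policies force row level security;

-- 2. With RLS enabled and no matching policy, the default is deny: a SELECT
--    returns zero rows rather than an error.

-- 3. Read: a signed-in user sees only rows of organisations they belong to.
create policy policies_read_own_org on policies
  for select to authenticated
  using (
    org_id in (select org_id from org_members where user_id = auth.uid())
  );

-- 4. Write: USING filters rows the caller may touch; WITH CHECK rejects an
--    INSERT or UPDATE that tags a row with another organisation's id.
create policy policies_write_own_org on policies
  for all to authenticated
  using (
    org_id in (select org_id from org_members where user_id = auth.uid())
  )
  with check (
    org_id in (select org_id from org_members where user_id = auth.uid())
  );

-- Check: a query that forgets the organisation filter entirely still returns
-- only the caller's rows, because the planner ANDs the policy predicate in.
select id, title from policies;
```

Two caveats a reviewer would check: the policies above only bind roles that go through them, so Supabase's service_role key, which bypasses RLS, must never reach a browser and should be confined to trusted server-side code; and FORCE ROW LEVEL SECURITY is what stops a table-owner connection from silently skipping the policies.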

Backups

Automated daily backups, 7-day retention. Supabase handles replication and point-in-time recovery on paid tiers.

Access control

Who accesses what, traced end-to-end

Two-factor authentication (2FA)

Available to every user via TOTP (Google Authenticator, 1Password, Authy). Mandatory for the admin and super_admin roles.

Role-based access control (RBAC)

Three roles: user (default), admin (organisation management), super_admin (global). Least privilege throughout: every action is authorised server-side, never on the client alone.

Timestamped audit log

Every sensitive action (policy create/delete, role change, payment, profile edit) is logged with actor, timestamp and context. Admins can inspect it from the dashboard.

GDPR compliance

Compliant by design

Downloadable DPA

Our Data Processing Agreement (GDPR Article 28) is available as a counter-signable PDF. No need to contact us first: download, sign, return.

Download the DPA

Self-service data subject rights

Your users can export their data (Art. 15 & 20) and delete their account (Art. 17) directly from their settings, no admin intervention required. Every action is recorded in the audit log.

Strictly necessary cookies only

Authentication session and language preference. No marketing cookies, no third-party trackers, no cookie-based analytics. Page analytics via Cloudflare Web Analytics (cookieless).

Privacy Notice

Written in plain language, covering the 13 GDPR-mandated sections: lawful bases, purposes, retention, international transfers, security, your rights, DPO contact.

Read the Privacy Notice

Incident response

If something goes wrong

Breach notification

In the event of a personal data breach, we notify each affected customer organisation within 48 hours of becoming aware (internal target) and the CNIL, our supervisory authority, within 72 hours per GDPR Article 33.

Coordinated disclosure

Security researchers welcome. Our security.txt (RFC 9116) lists the contact, scope and our commitment not to pursue good-faith research.

security.txt
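For readers who want to verify the file rather than take our word for it: RFC 9116 requires the file to be served at /.well-known/security.txt over HTTPS, with Contact and Expires as mandatory fields, and the scope and good-faith commitment live behind the Policy link. The following is an illustrative file added here, not PolicyForge's published one; the Expires date and the Policy and Canonical URLs are placeholders, only the contact address is taken from this page.

```text
# Illustrative /.well-known/security.txt (RFC 9116).
# Placeholder values; not the file PolicyForge actually publishes.
Contact: mailto:security@nagashieldsecurity.com
Expires: 2026-12-31T23:59:59.000Z
Policy: https://example.com/security/disclosure-policy
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
```

The check most often missed is Expires: a file without it, or with a date in the past, is non-compliant, and RFC 9116 recommends an expiry of less than a year so the contact details are re-validated regularly.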

Security team contact

security@nagashieldsecurity.com

Certifications

Compliance roadmap

ISO 27001 — targeted Q4 2026

In progress. We write our own internal policies with… PolicyForge.

SOC 2 Type II — targeted H1 2027

For our US customers. Annual audit by an accredited CPA firm.

Reports & evidence

Certification and pentest reports will be available on request under NDA as soon as they are issued. Track progress on our public roadmap.

See the public roadmap

Need something else?

Vendor security questionnaire, attestation, pentest report, on-site audit, specific contract clause… Email us, we respond within 48h.

Published by NAGASHIELD SECURITY · SAS, share capital €1 · Paris RCS 989 235 999 · 60 rue François 1er, 75008 Paris, France