Security overview
A one-page summary of how we host, secure, and operate the Nurion services. Where a control is not yet in place, we say so.
Hosting and infrastructure
Production workloads run on Hetzner Online GmbH (Germany) — an EU-owned, EU-based provider. AI inference for transcription and related features runs on Verda Cloud (DataCrunch OÜ, Estonia / Finland). All production data resides in the European Economic Area.
Authentication and authorisation
End-user authentication is handled by Ory Kratos (self-hosted), fronted by Heimdall as the JWT-issuing gateway. Native clients use Ory Hydra for OIDC. Internal access follows least privilege, expressed as Ory Keto relation tuples; production credentials are short-lived and rotated.
Encryption
TLS 1.3 in transit, with HSTS enforced on customer-facing subdomains. AES-256 at rest for primary data stores and backups.
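The HSTS statement above is one a reader can verify from outside. What follows is an added example, not Nurion's code: it parses a Strict-Transport-Security header the way a browser does (RFC 6797, section 6.1) and reports the gaps a practitioner checks for, namely a short max-age, a missing includeSubDomains on the apex host, a preload directive whose preconditions are not met, and a duplicated directive, which makes browsers ignore the header altogether. The hostnames and header values are constructed sample data, and the rule that treats a name with a single dot as the apex is an assumption that holds only for that sample.

```python
"""Validate Strict-Transport-Security headers as a browser interprets them.

Added example, not Nurion's code. Sample hosts and headers below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31_536_000  # seconds; the customary minimum for a real HSTS policy


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse per RFC 6797 6.1: directives separated by ';', names case-insensitive,
    max-age required, each directive at most once. Returns None when a browser
    would ignore the header (malformed or duplicated directives)."""
    seen = set()
    max_age = None
    include_sub = False
    preload = False
    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # RFC allows a quoted-string value
        if name in seen:
            return None  # duplicated directive: whole header is ignored
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


def hsts_findings(header: Optional[str], is_apex: bool) -> list[str]:
    """Issues with the header as served on one host; empty list means sound."""
    if header is None:
        return ["missing Strict-Transport-Security header"]
    policy = parse_hsts(header)
    if policy is None:
        return ["malformed header: browsers will ignore it"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 clears the policy rather than enforcing it")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below one year")
    if is_apex and not policy.include_subdomains:
        # HSTS is per host; only the apex with includeSubDomains covers children
        findings.append("apex host lacks includeSubDomains: subdomains not covered")
    if policy.preload and not (policy.include_subdomains and policy.max_age >= ONE_YEAR):
        findings.append("preload requires includeSubDomains and max-age >= 1 year")
    return findings


# Constructed sample responses keyed by hypothetical hostname.
SAMPLE_HEADERS = {
    "nurion.example": "max-age=63072000; includeSubDomains; preload",
    "app.nurion.example": "max-age=63072000",
    "legacy.nurion.example": "max-age=300",
    "broken.nurion.example": "max-age=31536000; max-age=0",
    "status.nurion.example": None,
}


def audit(samples=SAMPLE_HEADERS) -> dict[str, list[str]]:
    # Assumption for the sample data only: one dot means apex host.
    return {host: hsts_findings(hdr, is_apex=(host.count(".") == 1))
            for host, hdr in samples.items()}


if __name__ == "__main__":
    for host, issues in audit().items():
        print(f"{host}: {'OK' if not issues else '; '.join(issues)}")
```

Pointing this at live response headers (for example from `curl -sI`) turns the page's claim into a repeatable check; the apex heuristic should then be replaced by the real registrable-domain list for the hosts under test.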
Backups and disaster recovery
Daily encrypted backups for production databases with thirty (30) day retention. Backup restore is exercised on a recurring schedule.
Logging and audit trail
Application logs and access logs are pseudonymised and retained for thirty (30) days for security investigation. Billing-relevant records (invoices, payment events) are retained for the periods required under § 257 HGB and § 147 AO (six to ten years).
Vulnerability and patch management
Dependencies are tracked via lockfiles and continuously scanned; critical security advisories are patched as a priority. The production infrastructure is reconciled by Flux from a versioned Git repository — no ad-hoc manual deploys.
Incident response
As a processor, we notify affected customers without undue delay, and in any case within seventy-two (72) hours of becoming aware of a personal data breach, in line with Art. 33(2) GDPR and our DPA, so that customers can meet their own Art. 33(1) deadline for notifying the supervisory authority. Security reports from researchers are welcomed at security@nurion.com.
Service availability
We target 99.5% monthly availability for the production service, measured at the public ingress, excluding scheduled maintenance and force majeure. This is an operational target, not a contractual SLA for self-serve subscriptions.
Compliance posture
GDPR Art. 28 DPA available at /legal/dpa. EU AI Act Art. 50 transparency disclosures live at /legal/ai-act-compliance. Zero-cookie posture on marketing pages.
We do not currently hold ISO 27001 or SOC 2 certification. Certification is not on the roadmap for the current fiscal year. We will publish updates here when that changes.
Subprocessors
The current list of subprocessors is published at /legal/subprocessors.
Contact
Security reports: security@nurion.com. PGP key available on request.
Version 2026-04-25 · last updated 2026-04-25