Updated on May 19, 2023
- Preamble
- Security of our infrastructure
- Network Security
- Data Security
- Data Location
- Critical Data
- Data Transport
- Management of the delegated shortened domain by the client
- Confidentiality and ownership of client assets
- Use of private data
- Ownership and use of client assets
- Confidentiality of assets
- A Consent-Exempt Audience Analysis Solution
- Nonli Analytics Tag (SDK) Operation
- Service Availability
- Disaster Recovery and Service Continuity
- Nonli Application Security
- Development Method
- Application Security Inspection and Scanning
- Security and Access Rights in Nonli
- Resource Access Management
- Authentication
- API Access
- Company Security
- Personnel and Equipment Security
- Security Audit
- Report a Security Incident
- Compliance and Certifications
- Compliance on Transactions
- Partnership and Status
Preamble
We make every effort to protect the data and privacy of our users. We have a strict data protection and privacy policy that we constantly improve in line with new standards and best practices.
Security of our infrastructure
Our applications are hosted by Google Cloud Platform. We use Google's infrastructure to distribute our services.
Google Cloud Platform adheres to strict rules regarding security and data privacy.
Google Cloud Platform undergoes independent verification of its security, privacy, and compliance controls, which helps us meet our regulatory and strategic goals. Details of its compliance programme, such as ISO/IEC 27001/27017/27018/27701 certifications, SOC 1/2/3, PCI DSS, and FedRAMP, as well as alignment with laws and regulations such as HIPAA, GDPR, and CCPA, among others, can be found in Google's compliance resource center.
We perform account and rights reviews (at least once a month) on our network infrastructure.
We work with DoiT International France SAS, which is a Google Cloud Premier Partner, to provide us with responsive support for Google Cloud Platform and to make recommendations on best practices, cost optimization, and platform security. DoiT International France SAS does not have access to our infrastructure.
Network Security
Our network infrastructure is composed of several layers of security.
- A virtual private cloud, with Cloud Identity and Access Management (IAM) access control
- IP and port filtering
- A mitigation system to protect against malicious attacks
Data Security
Data Location
Data is hosted with Google Cloud Platform in Belgium (for European clients).
Critical Data
All critical data (passwords and access tokens) is encrypted with proven encryption algorithms.
Data Transport
We use TLS to securely transport data.
Management of the delegated shortened domain by the client
We handle the generation, renewal, and deployment of the SSL certificate on our load balancers. Our SSL certificates use recommended encryption algorithms. We regularly test our domains to evaluate the quality of our SSL configuration.
Confidentiality and ownership of client assets
Use of private data
Nonli formally commits to not communicating, sharing, selling, or using its clients' private data for commercial purposes or for its own account. This data is strictly reserved for the intended use within the framework of services provided by Nonli, in accordance with the agreements concluded with each client.
Ownership and use of client assets
- All private assets provided by the client, including but not limited to fonts, images, logos, and any other graphic or textual content, remain the exclusive property of the client.
- Nonli commits to using these assets only within the framework of services provided to the client via the Nonli platform, and exclusively on behalf of the owning client.
- Nonli does not acquire any ownership or usage rights to these assets outside the framework defined by the agreement with the client.
- Nonli commits to not using, reproducing, modifying, or distributing these assets for any purpose other than that expressly authorized by the client in the context of using the Nonli platform.
- At the end of the business relationship, or upon the client's request, Nonli commits to ceasing all use of these assets and deleting them from its systems, unless otherwise required by law.
Confidentiality of assets
Nonli commits to maintaining the confidentiality of assets provided by the client and to implementing appropriate security measures to prevent any unauthorized access, use, modification, or disclosure of these assets.
A Consent-Exempt Audience Analysis Solution
Nonli is listed on the CNIL website where you can download the configuration guide.
Nonli Analytics Tag (SDK) Operation
The Nonli analytics tag runs on a subdomain of the client's main domain. This lets it set a first-party cookie flagged Secure and SameSite=Strict, which does not require consent. The cookie is keyed "nli" and holds a unique anonymous identifier for the visitor. It is used to analyze traffic and helps us filter out traffic generated by bots. Neither the tag nor the cookie makes it possible to isolate the browsing path of an individual user.
All data collected through this tag is anonymized and not consolidated with other domains. No personal data is collected through this tag.
A dedicated link is available (example: https://nonli.com/cookie/consent) to allow the user to disable tracking if desired. The "nli_consent" cookie is used to determine if the user wants to disable tracking.
We are committed to not using our clients' data for our own purposes.
Input filtering is applied so that only the contents of the "nli" and "nli_consent" cookies are read.
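The cookie handling described in this section, written out as an added example (this is not the Nonli SDK's code). The cookie names "nli" and "nli_consent" come from the page; the UUID format of the anonymous id, the encoding "0" for an opt-out, the 13-month lifetime, and the beacon endpoint are assumptions made for the example. The pure functions can be exercised outside a browser; runTag() is the browser entry point.

```javascript
// Added example, not Nonli's SDK code. Cookie names come from the page; the id format,
// the opt-out encoding ("0"), the lifetime and the endpoint are assumptions.
const ALLOWED_COOKIES = new Set(["nli", "nli_consent"]);
const ID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
const COOKIE_MAX_AGE = 60 * 60 * 24 * 395; // assumed 13-month lifetime

// Input filtering: parse a document.cookie string and keep only the two keys the tag
// needs. Session cookies and anything else set on the domain are dropped at input time.
function parseTrackingCookies(cookieString) {
  const result = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!ALLOWED_COOKIES.has(name)) continue;
    const raw = part.slice(eq + 1).trim();
    try {
      result[name] = decodeURIComponent(raw);
    } catch (e) {
      result[name] = ""; // malformed percent-encoding: treat as absent
    }
  }
  return result;
}

// Assumed encoding: nli_consent=0 means the visitor disabled tracking via the consent link.
function hasOptedOut(cookies) {
  return cookies.nli_consent === "0";
}

// First-party cookie scoped to the tag's subdomain: TLS only (Secure) and never sent
// on cross-site requests (SameSite=Strict).
function buildTrackingCookie(anonId, domain, maxAgeSeconds = COOKIE_MAX_AGE) {
  return `nli=${encodeURIComponent(anonId)}; Domain=${domain}; Path=/; ` +
    `Max-Age=${maxAgeSeconds}; Secure; SameSite=Strict`;
}

// Decide what a page view should do. Returns { action: "skip" } on opt-out, otherwise
// { action: "send", anonId, setCookie } where setCookie is non-null when a new id was
// minted because the stored one was missing or did not look like a valid anonymous id.
function planPageView(cookieString, opts) {
  const cookies = parseTrackingCookies(cookieString);
  if (hasOptedOut(cookies)) return { action: "skip", reason: "opt-out" };
  let anonId = cookies.nli;
  let setCookie = null;
  if (!anonId || !ID_PATTERN.test(anonId)) {
    anonId = opts.newId();
    setCookie = buildTrackingCookie(anonId, opts.domain);
  }
  return { action: "send", anonId, setCookie };
}

// Browser entry point (assumed endpoint; returns null when there is no DOM).
function runTag(endpoint) {
  if (typeof document === "undefined") return null;
  const plan = planPageView(document.cookie, {
    domain: document.location.hostname,
    newId: () => crypto.randomUUID(),
  });
  if (plan.action === "skip") return plan;
  if (plan.setCookie) document.cookie = plan.setCookie;
  navigator.sendBeacon(endpoint, JSON.stringify({ id: plan.anonId, path: document.location.pathname }));
  return plan;
}
```

Validating the stored id against a fixed pattern before reusing it means a tampered or injected cookie value never reaches the analytics payload; it is simply replaced with a fresh anonymous id.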
Service Availability
We make our best efforts to maintain a 99.99% availability rate.
Current service status is published on our status page.
Disaster Recovery and Service Continuity
We replicate and back up all our data several times a day. We regularly run disaster recovery scenarios so that service can be restored as quickly as possible.
Nonli Application Security
All our applications are developed in-house by our permanent employees. We do not use any external providers or subcontractors.
Development Method
Our developers regularly practice pair programming. All development is covered by unit and functional tests.
We have dedicated QA environments. If a test does not pass, the code cannot be deployed in production.
Our developers regularly attend training to stay up-to-date with best practices for combating security vulnerabilities.
We follow the recommendations of OWASP.
Before deployment in production, we have a strict code validation process:
- Each development must be deployed in an isolated and secure "sandbox" environment
- Pull requests must be reviewed and approved by other developers
- Unit tests must pass
- Functional tests must be validated
- Regression tests must be validated
- The code quality score must not decrease
- No security vulnerabilities should be revealed by our external code audit and security tools.
If a change fails any of these validation steps, the code must be improved until every step passes.
Application Security Inspection and Scanning
We scan the application with external tools that check for security vulnerabilities, potential bugs, and code quality, and that generate weekly reports.
Security and Access Rights in Nonli
Resource Access Management
Administrators can create specific roles for each department of the company with very fine granularity.
Roles can span several brands with read and/or write access, and specific rights can be added per resource.
Authentication
All logins require two-factor authentication (2FA) via phone number and SMS validation. Sessions are unique per device type: a user may hold two simultaneous sessions, one on desktop and one on mobile. If a second session is opened on another desktop, the first desktop session is invalidated; the same rule applies to simultaneous sessions on mobile.
Each password change must be validated by email.
Each email change must be validated by SMS.
Each phone change must be validated by email.
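The session rule above (one live session per device type, the newer login displacing the older one on the same device type), as an added server-side example. This is not Nonli's code; the device-type names and the in-memory registry are assumptions for the example.

```javascript
// Added example, not Nonli's code: enforces at most one active session per device type,
// so a second desktop login invalidates the first while a mobile session is unaffected.
const DEVICE_TYPES = new Set(["desktop", "mobile"]); // assumed device classes

class SessionRegistry {
  constructor() {
    this.active = new Map();   // "userId:deviceType" -> sessionId currently allowed
    this.sessions = new Map(); // sessionId -> { userId, deviceType, valid }
  }

  // Register a freshly authenticated session. Returns the id of the session it
  // displaced on the same device type, or null if there was none.
  open(userId, deviceType, sessionId) {
    if (!DEVICE_TYPES.has(deviceType)) {
      throw new Error(`unknown device type: ${deviceType}`);
    }
    const key = `${userId}:${deviceType}`;
    const displaced = this.active.has(key) ? this.active.get(key) : null;
    if (displaced !== null) {
      this.sessions.get(displaced).valid = false; // earlier session on this device type dies
    }
    this.active.set(key, sessionId);
    this.sessions.set(sessionId, { userId, deviceType, valid: true });
    return displaced;
  }

  // Every request should check this before trusting a session cookie or token.
  isValid(sessionId) {
    const s = this.sessions.get(sessionId);
    return s !== undefined && s.valid;
  }

  // Live sessions for a user: by construction never more than DEVICE_TYPES.size (2 here).
  liveCount(userId) {
    let n = 0;
    for (const s of this.sessions.values()) {
      if (s.userId === userId && s.valid) n++;
    }
    return n;
  }
}
```

Keying the registry on user and device type, rather than on user alone, is what allows the desktop and mobile sessions to coexist while still guaranteeing that the displaced session is rejected on its next request.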
API Access
Server-to-server API access is provided through username/password credentials. To use the REST API, a token must be requested at authentication time; this token is valid for 7 days.
Company Security
Personnel and Equipment Security
All employees are trained in security, and staff regularly attend workshops on OWASP recommendations as well as on the security literature we review each week. We devote 1 to 2 hours per week per employee to raising awareness of computer security.
We regularly perform internal penetration testing to combine theory with practice.
We treat networks as untrusted, which is why we have implemented protection and provisioning procedures. All development machines are set up following a single protocol so that the entire IT fleet stays updated and compliant (disk encryption, firewall, fingerprint-restricted access, etc.).
Our workstations' sessions are automatically locked after 5 minutes.
Personnel are trained in confidentiality, data integrity, and data sensitivity for all our clients.
Security Audit
We regularly conduct security tests with Cloud Web Security Scanner and Scrutinizer. Our clients have the option to perform external security audits and penetration tests by informing us in advance.
Report a Security Incident
Vulnerabilities can be communicated to us at support@nonli.com.
Compliance and Certifications
The company's employees do their best to comply with ISO 27001 and SOC 2 standards.
Nonli complies with the GDPR regulation (https://www.notion.so/RGPD-Traitement-des-donn-es-Nonli-dde600e646bd433e85264d528adbb88b?pvs=21).
The data we process under the GDPR is that needed for the proper functioning and security of the platform. When a company becomes inactive in Nonli, it is deleted together with all users associated with it, and no personal data is retained.
Compliance on Transactions
Nonli is compliant with the PCI-DSS standard. Credit card transactions are handled by ADYEN.
Adyen is fully compliant with PCI DSS 3.2 as a level 1 provider. This is the main security standard governing the payment sector.
As a payment institution, Adyen is fully supervised by the central bank of the Netherlands and complies with the requirements of the European Payment Services Directive (EU Directive 2015/2366), as well as any other requirements applicable to the financial services Adyen provides.
Adyen is compliant with the ISAE 3402/SOC 1 standard (Service Organization Control 1), which assesses and tests internal controls over financial reporting within a service organization. This reflects the organization's adherence to its policies and procedures and involves monitoring, training, and verification of those policies and procedures.
Partnership and Status
Nonli is an official partner of Facebook, Instagram, Twitter, and LinkedIn. Nonli joined the Google Startup Pack program and subsequently became a Google Partner.
Nonli has obtained the status of Jeune Entreprise Innovante issued by the Ministry of Research.