• Preamble
• Security of our infrastructures
• Network Security
• Data Security
• Data Location
• Critical Data
• Data Transport
• Management of the Client-Delegated Shortened Domain
• Confidentiality and Ownership of Client Assets
• Use of Private Data
• Ownership and Use of Client Assets
• Confidentiality of Assets
• A consent-exempt audience analytics solution
• How the Nonli analytics tag (SDK) works
• Service availability
• Disaster recovery et continuité de service
• Security of Nonli Applications
• Development Method
• Application Security Inspection and Scanning
• Security and Access Rights in Nonli
• Resource Access Management
• Authentication
• API Access
• Company Security
• Personnel and Equipment Security
• Security Audit
• Reporting a Security Incident
• Compliance and Certifications
• Transaction Compliance
• Partnership and Status
• Q&A
• Do you ensure compliance with legal data retention periods? Retention periods and justification.

Updated on April 28, 2025

Preamble

We make every effort to protect our users' data and privacy. We have a strict data protection and confidentiality policy that we continuously improve according to new standards and best practices.

Security of our infrastructures

Our applications are hosted on Google Cloud Platform. We use Google's infrastructure to distribute our services.

Google Cloud Platform adheres to strict rules regarding data security and confidentiality.

Google Cloud Platform undergoes independent verification of their security, privacy, and compliance control mechanisms to help us achieve our regulatory and strategic objectives. You can consult the details of their compliance services, such as ISO/IEC certifications 27001/27017/27018/27701, SOC 1/2/3, PCI DSS, and FedRAMP, as well as alignment with regulations such as HIPAA, GDPR, and CCPA, among others, in our compliance resource center.

We conduct a review of accounts and permissions (at least once a month) on our network infrastructures.

We work with DoiT International France SAS which is a Google Cloud Premier Partner to provide us with responsive support for Google Cloud Platform and make recommendations on best practices, cost optimization, and platform security. DoiT International France SAS does not have access to our infrastructures.

Network Security

Our network infrastructure is composed of multiple security layers.

• A virtual private cloud, with Cloud Identity and Access Management (IAM) access control
• A VPN to access the infrastructure
• IP address and port filtering
• A mitigation system to protect against malicious attacks

Data Security

Data Location

Data is hosted on Google Cloud Platform in Belgium (for European clients).

Critical Data

All critical data (passwords and access tokens) are encrypted using proven encryption algorithms.

Data Transport

We use TLS to securely transfer data.

Management of the Client-Delegated Shortened Domain

We handle the generation, renewal, and implementation of SSL certificates on our load balancers. Our SSL certificates use recommended encryption algorithms. We regularly perform tests on our domains to evaluate the quality of our SSL encryption.

Confidentiality and Ownership of Client Assets

Use of Private Data

Nonli formally commits not to communicate, share, sell, or use for commercial purposes or for its own account the private data of its clients. This data is strictly reserved for the intended use within the framework of services provided by Nonli, in accordance with the agreements concluded with each client.

Ownership and Use of Client Assets

1. All private assets provided by the client, including but not limited to fonts, images, logos, and any other graphic or textual content, remain the exclusive property of the client.
2. Nonli commits to use these assets only within the framework of services provided to the client via the Nonli platform, and exclusively on behalf of the client owner.
3. Nonli acquires no ownership rights or usage rights to these assets outside the framework defined by the agreement with the client.
4. Nonli commits not to use, reproduce, modify, or distribute these assets for any purpose other than that expressly authorized by the client within the framework of using the Nonli platform.
5. At the end of the business relationship, or upon client request, Nonli commits to cease all use of these assets and to delete them from its systems, unless otherwise required by law.

Confidentiality of Assets

Nonli commits to maintaining the confidentiality of assets provided by the client and to implementing appropriate security measures to prevent any unauthorized access, use, modification, or disclosure of these assets.

A consent-exempt audience analytics solution

How the Nonli analytics tag (SDK) works

The Nonli analytics tag operates independently on each domain. The collected data is completely anonymous and is never consolidated between different domains. The tag does not place any cookies and does not allow tracking of an individual user's journey.

The tag is deployed on a subdomain of the client's main domain. Traffic analysis is performed anonymously directly on our servers, without using cookies. The tag does not allow identification or tracking of a specific user's journey.

All data collected through this tag is anonymized and not consolidated with other domains. No personal data is collected through this tag.

We commit to not using our clients' data for our own purposes.

Service availability

We make our best efforts to maintain a 99.99% availability rate

Service availability can be viewed on our statuspage

Disaster recovery et continuité de service

Nous répliquons et sauvegardons toutes nos données plusieurs fois par jour. Nous jouons des scénarios de disaster recovery régulièrement afin de rétablir le service le plus rapidement possible.

Security of Nonli Applications

All our applications are developed internally by our permanent employees. We do not use any external service providers or outsourcing.

Development Method

Our developers regularly practice pair programming. All developments undergo unit and functional testing.

We have dedicated QA environments. If a test fails, the code cannot be deployed to production.

Our developers regularly participate in training to stay current with best practices for combating security vulnerabilities.

We follow OWASP recommendations.

Before deployment to production, we have a strict code validation process:

1. Each development must be deployed in an isolated and secure "sandbox" environment
2. Pull Requests must be reviewed and approved by other developers
3. Unit tests must pass successfully
4. Functional tests must be validated
5. Non-regression tests must be validated
6. The code quality score must not decrease
7. No security vulnerabilities should be revealed by our external code audit and security tools.

If the development does not pass one of these validation steps, the code must be improved until it passes all steps.

Application Security Inspection and Scanning

We scan the application with external tools that inspect security vulnerabilities, potential bugs, code quality and generate weekly reports.

Security and Access Rights in Nonli

Resource Access Management

Administrators have the ability to create specific roles for each company department with very fine granularity.

It is possible to create cross-functional roles across multiple brands with read and/or write access and add specific rights per resource.

Authentication

All our connections require two-factor authentication (2FA) with phone number and SMS validation. Sessions must be unique per device type. It is permitted to have 2 simultaneous sessions on desktop and mobile. If 2 sessions are initiated on 2 desktops simultaneously, the first session will be invalidated. The same applies for simultaneous sessions on mobile.

Each password change must be validated by email.

Each email change must be validated by SMS.

Each phone number change must be validated by email.

API Access

A username/password access is provided to use the server-to-server API. In order to use the REST API, you need to request a token during authentication. This token is valid for 7 days.

Company Security

Personnel and Equipment Security

All employees are trained in security, and staff regularly participate in workshops on OWASP recommendations as well as on literature we discover through our weekly monitoring. We dedicate 1 to 2 hours per week per employee on IT security awareness.

We regularly conduct internal penetration tests to combine theory with practice.

We consider networks as untrustworthy, which is why we have implemented protection and installation procedures. Development machines are all installed following a unified protocol to ensure updates and compliance across all IT equipment (encryption, firewall, fingerprint access restriction...).

Our workstation sessions are automatically locked after 5 minutes.

Staff are made aware of the confidentiality, integrity, and sensitivity of all our clients' data.

Security Audit

We regularly perform security tests with Cloud Web Security Scanner on a weekly basis, as well as Scrutinizer daily. Our clients have the possibility to conduct external security audits and penetration tests by informing us beforehand.

Reporting a Security Incident

Vulnerabilities can be reported to us at support@nonli.com

Compliance and Certifications

The company's employees make their best efforts to apply ISO 27001 and SOC 2 standards.

Nonli follows strict rules regarding data security, confidentiality, and compliance, and adheres to ISO 27001 and SOC 2 standards. However, due to the high cost of these certifications, we have not yet been able to implement them.

Nonli is compliant with GDPRregulations.

The data subject to GDPR are the data necessary for the proper functioning and security of the platform. When a company becomes inactive in Nonli, it is deleted along with the users attached within the company, and no personal data is retained.

Transaction Compliance

Nonli is compliant with the PCI-DSS standard. Credit card transactions are managed by ADYEN.

Adyen is fully compliant with PCI DSS 3.2 as a Level 1 service provider. This is the main security standard governing the payment industry.

As a payment institution, Adyen is fully supervised by the central bank of the Netherlands and we comply with the requirements of the European Payment Services Directive (EU Directive 2015/2366), as well as any other requirements applicable to financial services provided by Adyen.

Adyen complies with the ISAE3402/SOC 1 (Service Organizational Control 1) standard, which evaluates and tests internal controls on financial reporting within a service organization. This reflects the service organization's compliance with policies and procedures and involves monitoring, training, and verification of policies and procedures.

Partnership and Status

Nonli is an official partner of Facebook, Instagram, Twitter, and LinkedIn. Nonli joined the Google Startup Pack program and subsequently became a Google Partner.

Nonli obtained the Young Innovative Company status issued by the Ministry of Research.

Q&A

Do you ensure compliance with legal data retention periods? Retention periods and justification.

Yes, we comply with legal data retention periods and justify them through our legal and regulatory obligations. We implement procedures for regular deletion and archiving of data according to their legal retention period.