Trust & Security
Last updated: 2026-07-08
NISDESK helps compliance and security teams work through NIS2 and DORA obligations. Below is a plain, verifiable account of how we host your data, how our guidance is generated, and what security controls are in place. We'd rather under-claim than over-claim — if something isn't here, we don't do it yet.
EU-region data hosting
Your data is stored in Supabase's Frankfurt (EU) region. Application servers run on Hetzner infrastructure in Germany. We do not transfer personal data outside the EU/EEA, and we process it in accordance with the GDPR. Full details on sub-processors and legal bases are in our Privacy Policy.
How our guidance is sourced
Our AI-generated explanations are grounded in a corpus built from the actual text of the NIS2 Directive (EU) 2022/2555 and DORA (EU) 2022/2554. When you request an explanation for a compliance gap, the system:
- Embeds your question and retrieves the nearest matching articles from the regulation corpus, discarding any match below a minimum similarity threshold — so an out-of-scope question never gets padded with irrelevant context.
- Instructs the model to rely only on the retrieved article text and to cite the specific articles it used, rather than generating legal text from memory.
- Cross-checks every article citation the model produces against the articles that were actually retrieved, and flags any citation that can't be verified against the source corpus for internal review.
This doesn't make the output infallible — see below — but it means answers are traceable back to specific articles rather than free-form generation.
Security posture
- All traffic is served over HTTPS with HTTP Strict Transport Security (HSTS) enabled.
- A strict Content Security Policy restricts script, style, and connection origins to a known allowlist.
- Data is encrypted in transit (TLS) and at rest (AES-256, via Supabase infrastructure).
- Database access follows least-privilege, role-based access control.
- Additional hardening headers are in place: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and a restrictive Permissions-Policy.
- We run a responsible disclosure program per RFC 9116. If you find a vulnerability, please report it to security@nisdesk.com.
What this is / isn't
NISDESK is a decision-support tool. It helps you determine whether NIS2/DORA likely applies to your organisation, identify gaps against the relevant articles, and produce audit-ready draft documentation. It is not a law firm, and its output is not legal advice. Final scope determinations, regulatory filings, and legal interpretations should be reviewed by qualified legal counsel — particularly since exact obligations depend on how each EU member state has transposed the directive.
Data ownership & export
You own the data you put into NISDESK — assessment answers, gap analyses, and generated reports. You can request an export in a machine-readable format or request permanent deletion of your account and data at any time, per your GDPR rights, by emailing privacy@nisdesk.com. We respond within 30 days. See our Privacy Policy for the full list of data subject rights.
Last updated: 2026-07-08
Questions about this page? Contact security@nisdesk.com.