Written for organisations who actually read DPAs.
A summary of where your data lives, who can touch it, and how you get it back. The operational overview is public here; procurement and onboarding materials are shared in full during review.
Nordbrief does not claim controls I can't evidence yet. The programme is being built for real; no badges before proof.
Data residency
Production personal data stays inside the EU — eu-central-1 (Frankfurt) with encrypted backup replication to eu-north-1 (Stockholm). No data leaves the EU without explicit opt-in for specific integrations (none of which are on by default).
Status: In place

Signed DPA at sign-up
Every organisation signs the DPA during onboarding. Consent timestamp, signer identity, and version hash are recorded. Updates are announced 30 days in advance and require re-signature.
Status: In place

Authentication
Email + password with bcrypt, work SSO (Google / Microsoft), and Suomi.fi (Finnish eID) with OIDC + PKCE. 2FA is available on every plan; required on Institution and Consortium.
Status: Pilot

Full export & delete
Every organisation admin can export their full workspace as a ZIP at any time, and request deletion in the Settings panel. Deletion is processed within 30 days and confirmed by email.
Status: In place

Controls programme
Working toward ISO 27001-aligned controls. Current state is disclosed plainly in the Security Addendum rather than badged. No claims we can't show evidence for.
Status: Working toward

Sub-processors
AWS Frankfurt (hosting), Stripe Ireland (payments), Resend (transactional email). Current list is maintained at /sub-processors; any change is announced 30 days ahead.
Status: In place
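The Authentication section above states that the Suomi.fi login uses OIDC with PKCE. For readers who want to see what that control actually binds together, the following is an added illustration of the PKCE (RFC 7636, S256 method) exchange written for this page; it is not Nordbrief's code and makes no claim about their implementation. The client side derives a `code_challenge` from a random `code_verifier`; the server side stores the challenge against the one-time authorization code and, at the token endpoint, refuses to redeem the code unless the presented verifier hashes to the stored challenge. The function and variable names are this example's own, and the in-memory `_issued_codes` table stands in for whatever persistent store a real authorization server would use.

```python
import base64
import hashlib
import hmac
import secrets


def _b64url(raw: bytes) -> str:
    # RFC 7636 requires base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # Client side. 32 random bytes -> 43 unpadded base64url chars, which is the
    # minimum length RFC 7636 allows (43..128) and already has 256 bits of entropy.
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    # Client side. challenge = BASE64URL(SHA256(ASCII(verifier))).
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# Server side: authorization code -> (challenge, method). Constructed in-memory
# stand-in for the authorization server's code store (assumption for this example).
_issued_codes: dict[str, tuple[str, str]] = {}


def issue_code(code_challenge: str, code_challenge_method: str) -> str:
    # Authorization endpoint: bind the challenge to a fresh, single-use code.
    # Only S256 is accepted; 'plain' offers no protection against a leaked challenge.
    if code_challenge_method != "S256":
        raise ValueError("unsupported code_challenge_method")
    code = _b64url(secrets.token_bytes(24))
    _issued_codes[code] = (code_challenge, code_challenge_method)
    return code


def redeem_code(code: str, code_verifier: str) -> bool:
    # Token endpoint: the code is consumed on first use whether or not the
    # verifier matches, so an intercepted code cannot be retried.
    entry = _issued_codes.pop(code, None)
    if entry is None:
        return False
    stored_challenge, method = entry
    if method != "S256" or not (43 <= len(code_verifier) <= 128):
        return False
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(code_challenge_s256(code_verifier), stored_challenge)


def demo_roundtrip() -> tuple[bool, bool]:
    # Full flow: the legitimate client redeems once; a replay of the same code fails.
    verifier = make_code_verifier()
    code = issue_code(code_challenge_s256(verifier), "S256")
    first = redeem_code(code, verifier)
    replay = redeem_code(code, verifier)
    return first, replay


if __name__ == "__main__":
    print(demo_roundtrip())
```

The check that matters for a DPA reader is the one in `redeem_code`: an attacker who captures the authorization code from the redirect still lacks the verifier, which never leaves the client until the token request, and the code is invalidated on first presentation.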