Written for organisations who actually read DPAs.
A summary of where your data lives, who can touch it, and how you get it back. The operational overview is public here; procurement and onboarding materials are shared in full during review.
Honest note
Nordbrief does not claim controls I can't evidence yet. The programme is being built for real; no badges before proof.
Security & GDPR
Control area | Status | Detail

Data residency | In place
Nordbrief is deployed on Vercel with the Stockholm region configured for application runtime. Production persistence, backups, and integration-specific data flows are reviewed during access and DPA setup before real organisational data is added.

DPA during access review | In place
DPA details are handled during access review and onboarding. Versioning and signer records should stay visible before any organisation enters production use.

Authentication | Pilot
Email and password (bcrypt), Google Workspace SSO, and Suomi.fi (Finnish eID) over OIDC + PKCE. Microsoft SSO and two-factor authentication are planned before general availability — not live yet.

Export & delete | In place
Grant data exports as CSV from the ledger today. Full-workspace export and account deletion are handled through the Settings panel and during access review; a deletion request is processed within 30 days and confirmed by email.

Controls programme | Working toward
Working toward ISO 27001-aligned controls. Current state is disclosed plainly in the Security Addendum rather than badged. No claims we can't show evidence for.

Sub-processors | In place
Vercel for application hosting, Stripe when paid billing is enabled, and Resend when transactional email is configured. The current list is maintained at /sub-processors and reviewed before production access.
Frequently asked
Can I sign a custom DPA?
Yes. Institution and Consortium plans can request a custom DPA. Email hei@nordbrief.fi with your legal team in copy.

Do you store henkilötunnus?
Never in plaintext. Suomi.fi PICs are hashed server-side and only used as session identifiers; we do not surface them in any UI.

Where are backups stored?
Backup location and retention are confirmed during production access review. The public commitment is that organisational data is kept in EU-hosted infrastructure unless a specific integration is explicitly approved.