Security at Nordic Data

We welcome responsible disclosure of security vulnerabilities. Email [email protected] with details. We will acknowledge within 24 hours and target a fix within 14 days for confirmed critical or high severity issues.

In scope: nordicdata.cloud, api.nordicdata.cloud, the npm package nordic-data, the MCP server at cloud.nordicdata/nordic-data.

Out of scope: third-party services we link to (Stripe, Zoho, Vultr).

We do not run a paid bug bounty at this time. We will publicly acknowledge submitters with permission in the acknowledgments below.

• Auth: API keys hashed (sha256) at rest. Sandbox keys are rate-limited. Plans tier-gated.
• Transport: TLS 1.3 via Caddy with strict HSTS, ACME-renewed certificates.
• Rate limiting: per-key burst limit (100/min) enforced via Redis-backed token buckets.
• Audit log: every authenticated API call recorded in audit_log table (immutable, append-only).
• Backups: nightly pg_dump with 7-day retention. Weekly restore-test verifies dumps are restorable.
• Server isolation: postgres listens on 127.0.0.1 only. Containers communicate over private docker network.
• Secrets: credentials in /opt/nordic-api/.env with 0600 perms (root-only).

• GDPR Article 15 (subject access) self-serve: POST /gdpr/access
• GDPR Article 17 (erasure) self-serve: POST /gdpr/opt-out
• Soft-delete via redacted_at column on persons/shareholders/person_roles preserves audit trail
• PII tagging: column comments on persons table mark which fields contain PII
• Per-fact provenance: every fact carries source + confidence + fetched_at for audit
• Data hosting: Vultr Amsterdam (EU). No US transfer.

No disclosures yet. Researchers acknowledged here with permission once a report is resolved.

Nordic Data is not currently SOC 2 audited. We maintain a CONTROLS inventory aligned to the Trust Service Criteria (Security, Availability, Confidentiality). Audit engagement planned for Q3 2026 contingent on first enterprise customer requiring it. For early-access customers needing a Data Processing Agreement, see /legal/dpa. Existing customers: Sign in · Dashboard →