Compliance
Version: 1.0 Effective date: April 18, 2026 Last updated: April 18, 2026
ɳSelf provides infrastructure primitives. It does not manage compliance for you. This page explains what we provide, what you own, and what we have explicitly ruled out.
Self-Hosted Deployments
If you run ɳSelf on your own servers, you are the data controller and compliance owner for your deployment. ɳSelf is infrastructure. You decide:
- Where the server runs and which jurisdiction governs
- What data your applications collect and process
- Whether you are subject to HIPAA, SOC 2, ISO 27001, PCI DSS, or any other framework
- How you satisfy your auditors
We provide the primitives below. Using them is your responsibility.
ɳCloud MAX Deployments
For customers on ɳCloud MAX (managed hosting), ɳSelf operates the infrastructure and maintains the security controls documented in this page. Our current compliance posture:
- SOC 2 Type II: Not yet certified. In preparation.
- ISO 27001: Not yet certified. In roadmap.
- HIPAA BAA: Not available at this time. ɳCloud MAX is NOT HIPAA-ready. Do not store Protected Health Information (PHI) on ɳCloud MAX until a BAA is signed and this page is updated. If you process PHI, use a self-hosted deployment under your own compliance program.
- PCI DSS: ɳCloud MAX is not in PCI scope for cardholder data. Payment processing is handled by Stripe (PCI DSS Level 1 certified). We do not store card numbers.
- GDPR: We process EU personal data under Standard Contractual Clauses. See our Privacy Policy and Data Processing Agreement.
If your compliance program requires a framework or certification not listed above, contact compliance@nself.org.
Compliance Primitives Provided
The following controls are available in all ɳSelf deployments (self-hosted and ɳCloud):
Encryption
- At rest: PostgreSQL data directory encrypted with LUKS2 on all ɳCloud volumes. For self-hosted, you control disk encryption.
- In transit: TLS 1.3 enforced on all external connections via Nginx. Internal service-to-service communication uses mTLS where supported.
- Database: Column-level encryption is available for sensitive fields via the pgcrypto extension. See the documentation for implementation guidance.
Access Control (RBAC)
- Role-Based Access Control is enforced at the Hasura GraphQL layer.
- PostgreSQL Row-Level Security (RLS) policies are applied to all user-data tables.
- Hasura roles are scoped per product; there is no cross-product data access by default.
- Admin access to the Hasura console and PostgreSQL is not exposed on external ports. Management is CLI-only (nself admin, nself db).
Audit Logging
- All Hasura GraphQL mutations are logged with: timestamp, JWT user ID, operation name, and table affected.
- Auth events (login, logout, password reset, MFA enroll/unenroll) are logged with IP address and user agent.
- ɳSelf CLI admin commands (deploy, plugin install/uninstall, env set, db migrate) are logged with the invoking user and timestamp.
- Log retention: 90 days hot, 1 year cold. Configurable for self-hosted.
Multi-Factor Authentication (MFA)
- TOTP (time-based one-time password) is supported for all user accounts.
- MFA enforcement can be required at the organization level for ɳCloud accounts.
- Recovery codes are generated at enrollment and can be regenerated at any time.
Row-Level Security (RLS)
- PostgreSQL RLS policies are active on all multi-tenant tables.
- Each user can only read and write their own data by default.
- Admin-scoped policies are separate and require the Hasura admin role.
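The "own data only" RLS pattern described above, written out as an added example (not ɳSelf's own schema or migrations). It assumes Hasura passes the request's session variables to PostgreSQL as the JSON setting hasura.user, so x-hasura-user-id and x-hasura-role can be read with current_setting(); the notes table is a constructed placeholder.

```sql
-- Added example, not ɳSelf code: a multi-tenant table protected by PostgreSQL
-- Row-Level Security so each user reads and writes only their own rows, with
-- admin access kept in a separate policy gated on the Hasura admin role.
-- Assumption: Hasura sets the transaction-local setting hasura.user to a JSON
-- object holding the session variables of the calling request.
CREATE TABLE notes (
    id       bigserial PRIMARY KEY,
    owner_id text NOT NULL,   -- matches x-hasura-user-id of the owner
    body     text NOT NULL
);

-- Enable RLS and FORCE it so the table owner is subject to the policies too.
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE notes FORCE ROW LEVEL SECURITY;

-- Session helpers. current_setting(..., true) returns NULL when the setting is
-- absent, so an unauthenticated connection matches no rows instead of erroring.
CREATE OR REPLACE FUNCTION current_hasura_user_id() RETURNS text
LANGUAGE sql STABLE AS $$
    SELECT current_setting('hasura.user', true)::json ->> 'x-hasura-user-id'
$$;

CREATE OR REPLACE FUNCTION current_hasura_role() RETURNS text
LANGUAGE sql STABLE AS $$
    SELECT current_setting('hasura.user', true)::json ->> 'x-hasura-role'
$$;

-- Default policy: USING filters what a user can see, update or delete;
-- WITH CHECK blocks inserting or re-assigning a row to another owner_id.
CREATE POLICY notes_owner_only ON notes
    FOR ALL
    USING      (owner_id = current_hasura_user_id())
    WITH CHECK (owner_id = current_hasura_user_id());

-- Admin policy is separate and applies only when the Hasura role is admin.
CREATE POLICY notes_admin ON notes
    FOR ALL
    USING      (current_hasura_role() = 'admin')
    WITH CHECK (current_hasura_role() = 'admin');

-- Manual check in psql: simulate a request from user u1, then from user u2.
-- The second SELECT returns no rows because u2 is not the owner.
BEGIN;
SET LOCAL hasura.user = '{"x-hasura-role":"user","x-hasura-user-id":"u1"}';
INSERT INTO notes (owner_id, body) VALUES ('u1', 'constructed sample row');
SELECT id, owner_id FROM notes;
SET LOCAL hasura.user = '{"x-hasura-role":"user","x-hasura-user-id":"u2"}';
SELECT id, owner_id FROM notes;
ROLLBACK;
```

Superusers and roles with BYPASSRLS skip policies entirely, so the database role Hasura connects with must be a plain, non-superuser role for these policies to apply.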
Network Isolation
- Services bind to 127.0.0.1 by default. External access is only via Nginx.
- No database port or internal service port is exposed publicly.
- Firewall rules are managed by ɳSelf on ɳCloud deployments.
What We Do NOT Provide
- HIPAA Business Associate Agreement (BAA)
- SOC 2 Type II report (in preparation, not yet available)
- ISO 27001 certificate (in roadmap, not yet available)
- PCI DSS Level 1 Service Provider certification
- Formal penetration test report (available on request for Enterprise customers under NDA)
Sub-Processors
See our Sub-Processor List for all third-party services that process data on our behalf.
Contact
Compliance inquiries: compliance@nself.org
For Enterprise compliance packages (custom DPA, sub-processor exhibits, security questionnaires), contact sales@nself.org or see our ɳSelf+ tier.