Trust & Security at ɳSelf
Last updated: April 23, 2026
ɳSelf is self-hosted infrastructure. You own your data and your stack. This page documents our own security posture for nself.org cloud services.
Compliance Status
Badges reflect current certification state, not aspirational goals.
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type I | In Progress | Target: Q4 2026 |
| SOC 2 Type II | Planned | Target: 2027 |
| ISO 27001 | Not pursuing | — |
| GDPR | Compliant | — |
| CCPA | Compliant | — |
| HIPAA | Not applicable | Self-hosted users manage their own HIPAA posture |
EU AI Act: ɳSelf does not make autonomous decisions — not in scope for EU AI Act obligations.
Sub-Processors
Required under GDPR Art. 28. Updated when processors are added or changed. SCC = Standard Contractual Clauses covering EU to US data transfers under GDPR Art. 46.
| Processor | Purpose | Location | DPA |
|---|---|---|---|
| Hetzner (FSN1) | Compute and storage for nself.org cloud services | Germany (EU) | DPA |
| Vercel | Frontend CDN and edge functions | USA (SCCs) | DPA |
| Cloudflare | DNS, WAF, CDN, and DDoS protection | USA (SCCs) | DPA |
| Stripe | Payment processing and subscription billing | USA (SCCs) | DPA |
| Elastic Email | Transactional and marketing email delivery | USA + EU (SCC) | DPA |
| GitHub | Source code hosting and CI/CD pipelines | USA (SCCs) | DPA |
Service Level Agreement
nself.org cloud tier only
- Uptime target: 99.5% monthly
- Incident response: <4 h critical, <24 h major
- Planned maintenance: 2 h window, 72 h notice
- Status page: status.nself.org
Self-hosted deployments: no SLA. Your infrastructure, your uptime.
Security Controls
Quick reference. The full security policy covers responsible disclosure, CVEs, and safe harbor.
- TLS 1.3 enforced on all nself.org endpoints
- HSTS preload enabled
- WAF (Cloudflare) active on all subdomains
- DDoS protection: Cloudflare Pro
- Secret scanning: GitHub Advanced Security on all private repos
- Dependency audit: automated weekly Dependabot
- Penetration testing: annual (last: TBD — scheduled Q3 2026)
- SBOM (CycloneDX, cosign-signed) attached to every GitHub release from v1.0.9
Privacy Controls
Data retention
Cloud accounts: active data retained while account is active. Deleted account data purged within 30 days.
Data portability
Self-hosted: nself export CLI command. Cloud: export via cloud.nself.org/export.
Right to erasure (GDPR Art. 17 / CCPA)
Submit a deletion request at nself.org/privacy/delete. Processed within 30 days.
CCPA — California Consumer Rights
California residents may request disclosure of personal information categories collected, opt out of sale (we do not sell data), and request deletion. Use the erasure link above or email privacy@nself.org.
Data Processing Agreement (DPA)
Available on request for customers acting as data controllers under GDPR Art. 28. Email legal@nself.org.
Cookie policy
Contact
- Security disclosures: security@nself.org (PGP key on /security)
- Privacy requests: privacy@nself.org
- Legal / DPA requests: legal@nself.org