Privacy Policy

Last updated: March 2026

1. Data Controller

NIS2Certify ("we", "us", "our") is responsible for processing personal data as described in this privacy policy, in accordance with the General Data Protection Regulation (GDPR / EU Regulation 2016/679). You can reach us at privacy@nis2certify.org.

NIS2Certify
Doddegras 7, 3994NL Houten
KVK: 76172872

2. What Data We Process

We process the following categories of personal data:

  • Account details: name, email address, password (encrypted), organisation name
  • Organisation details: company name, KVK number, VAT number, address, sector, number of employees
  • Assessment data: answers to NIS2 compliance questions, scores, compliance levels
  • Payment details: billing address, subscription type (payment details are processed by Stripe)
  • Usage data: IP address, browser type, page visits, time of access

3. Purposes of Processing

  • Creating and managing your account
  • Carrying out NIS2 compliance assessments and generating reports
  • Processing payments and managing subscriptions
  • Sending service-related emails (invitations, reports, password resets)
  • Improving our service and resolving technical issues
  • Complying with legal obligations

4. Legal Basis

We process your data on the basis of:

  • Performance of the contract: for the provision of our services
  • Legitimate interest: for improving our service and security
  • Legal obligation: for tax and administrative obligations
  • Consent: for marketing communications (where applicable)

5. Processors and Third Parties

We use the following processors:

  • Supabase (US/EU): database hosting and authentication
  • Stripe (US/EU): payment processing and subscription management
  • Resend (US): sending transactional emails
  • Vercel/Hosting provider: hosting of the web application
  • Google Analytics (US/EU): website statistics and usage analysis (only with your consent)

We have entered into data processing agreements with all of our processors in accordance with the GDPR.

6. Retention Periods

  • Account details: until the account is deleted
  • Assessment data and reports: until the account is deleted or up to 2 years after last use
  • Payment details: 7 years after the invoice date (statutory retention obligation)
  • Log files: a maximum of 90 days

7. Your Rights

Under the GDPR you have the following rights:

  • Right of access: you can request which data we process about you
  • Right to rectification: you can have inaccurate data corrected
  • Right to erasure: you can request that your data be deleted
  • Right to restriction: you can request that processing be restricted
  • Right to data portability: you can receive your data in a commonly used format
  • Right to object: you can object to certain processing activities

You can exercise your rights by contacting us at privacy@nis2certify.org. We will respond to your request within 30 days.

8. Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or misuse. This includes, among other things, encryption of data in transit and at rest, role-based access control, and regular security audits.

9. Cookies

We use strictly necessary cookies for the functioning of the application, and analytics cookies (Google Analytics) that are only placed after your explicit consent via the cookie banner.

Cookie              | Purpose                                            | Type               | Retention period
--------------------|----------------------------------------------------|--------------------|-----------------------
sb-*-auth-token     | Authentication and session management (Supabase)   | Strictly necessary | Session / until logout
admin_impersonating | Admin impersonation tracking (administrators only) | Functional         | 4 hours

Read our full cookie policy for more information about how we use cookies and how you can manage them.

10. Complaints

If you have a complaint about the processing of your personal data, you can contact us at privacy@nis2certify.org. You also have the right to lodge a complaint with a supervisory authority. For the Netherlands, this is the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl). If you are established in another EU member state, you can also lodge a complaint with the supervisory authority in your own country.