Your documents are secure with Nira

We take the security of your sensitive data seriously. Security is embedded into the culture at Nira and is an integral part of how we operate.

Compliance

Nira has achieved its SOC 2 Type 2 certification for three trust service criteria (Security, Availability, and Confidentiality) and is audited annually.

Nira has also attained its International Organization for Standardization’s (ISO) 27001 certification.

Please contact compliance@nira.com for Nira’s latest SOC 2 Type 2 report, SOC 3 report, or ISO 27001 certification.

For any customer that that will be providing Nira with data regulated by the United States Health Insurance Portability and Accountability Act (“HIPAA”), Nira has a Business Associate Agreement (BAA) that we will enter into with the customer.

We are GDPR compliant as a data processor, and a EU and UK Data Processing Addendum (DPA) is available for customers to sign. For more information, visit https://nira.com/gdpr-faq/ and https://nira.com/dpa/.

Infrastructure security

Nira hosts all data utilizing industry-leading US-based Amazon Web Services (AWS) facilities, which include 24/7 on-site physical security and camera surveillance. For additional details regarding AWS security, visit https://aws.amazon.com/security/.

Data submitted to Nira by authorized users is considered confidential. All data sent to or from Nira infrastructure is encrypted in transit using Transport Layer Security (TLS) v1.2. All data is encrypted at rest using military-grade AES-256 encryption. High risk data have multiple levels of encryption applied.

Nira infrastructure is continually monitored for security vulnerabilities and updates applied automatically.

Policies and procedures

The following policies are followed and enforced at Nira:

Acceptable Use Policy, Asset Management Policy, Backup Policy, Business Continuity Plan, Change Management Policy, Code of Conduct, Cryptography Policy, Data Classification Policy, Data Deletion Policy, Disaster Recovery Plan, Data Protection Policy, Expense and Gift Policy, HIPAA Breach Notification Policy, HIPAA Sanctions Policy, Hiring Policy, ISMS Plan, Network Security Standard, Password Policy, Physical Security Policy, Policy Management Policy, Responsible Disclosure Policy, Risk Assessment Program, SDLC Standard, Security Incident Response Plan, System Access Control Policy, Vendor Management Policy, Vulnerability Management Policy, and more.

These policies are followed by all Nira employees, who review and accept the policies a minimum of once per year.

Vendor management

Nira uses a number of third party applications and services to support the delivery of our products to our customers. Nira's Security team has established a vendor management program that sets forth the requirements for Nira to engage with third party service providers. For a complete list of Nira's third party service providers, visit https://nira.com/third-party-infrastructure/.

Training and awareness

Nira requires all employees and contractors to sign a confidentiality agreement prior to their start date.

During Nira's onboarding process, all new hires are required to complete a security awareness training. All employees and contractors continue to take a security awareness training annually.

Nira's engineering team gets additional training focused on design patterns and the technical aspects of Nira infrastructure security. As an added layer of diligence, every code change is evaluated from a security perspective.

Data protection

Access to customer data is limited to functions that have a business requirement to do so.

Employees are required to use a VPN to access AWS resources, and all servers and databases are inside of VPC with minimum access policies. Access to customer data requires authentication and authorization controls, including Multi-Factor Authentication (MFA). Nira has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms.

Nira employees are given minimum access to customer data based on their responsibilities. All employee access to systems is logged and audited for security purposes.

Nira runs automated container and application security scans on a daily basis, and package dependency security advisory scans on a weekly basis. In addition, Nira undergoes penetration testing by a third party at least annually. We also maintain separate production and testing environments.

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
CIO of GitLab

Incredible companies use Nira