nokumo
Security

Your guests' passports never leave the EU. Neither does anything else.

Azure Frankfurt and Amsterdam. AES-256 at rest. TLS 1.3 in transit. Annual penetration test by SEC-Consult. ePorezna and FURS on certificate-pinned government APIs. Here is exactly what that means in practice.

Microsoft Azure Infrastructure

Nokumo is hosted exclusively on Microsoft Azure in EU data centers. Your guest data never leaves EU jurisdiction.

  • EU data residency (Frankfurt / Amsterdam)
  • 99.9% uptime SLA
  • Automatic failover and disaster recovery
  • Azure DDoS protection

AES-256 Encryption

All data is encrypted at rest with AES-256 and in transit with TLS 1.3. Payment data is tokenised and never stored on Nokumo servers.

  • AES-256 encryption at rest
  • TLS 1.3 for all connections
  • Stripe tokenisation for payment data
  • No plaintext credentials stored

ISO 27001-Aligned

Our information security management follows ISO 27001 principles. We conduct annual security audits and penetration testing.

  • ISO 27001-aligned ISMS
  • Annual penetration testing
  • Vulnerability disclosure programme
  • Incident response under 4 hours

GDPR Compliance

Nokumo acts as a data processor under GDPR. A full Data Processing Agreement (DPA) is available for all customers.

  • Full DPA available on request
  • Data subject rights supported
  • Right to erasure implemented
  • Sub-processor list published

EU Regulatory Security

Croatian eVisitor, ePorezna, and FURS integrations use government-approved secure channels with certificate-pinned APIs.

  • ePorezna certificate-pinned API
  • FURS secure channel integration
  • eVisitor government API compliance
  • Fiscal log integrity guaranteed

Responsible Disclosure

Security researchers can report vulnerabilities via our responsible disclosure programme. We respond within 24 hours.

  • security@nokumo.net
  • PGP key available
  • Hall of fame for researchers
  • No legal action for good-faith disclosure

Certifications & compliance status

ISO 27001-Aligned
GDPR (EU) 2016/679
SOC 2 controls
PCI DSS via Stripe
CAIQ (on request)
Sub-processor list (published)

“We need a completed CAIQ for our procurement process. Is that available?”

Enterprise customers
Contact sales to request the completed CAIQ under NDA

Sub-processor list

Microsoft Azure — cloud infrastructure, EU-West regions
Stripe — payment processing, PCI DSS compliant
SendGrid — transactional email delivery
Full list available at nokumo.com/security

Need procurement documentation?

Data Processing Agreement (DPA) — available on request
Sub-processor list — published and updated quarterly
ISO 27001 evidence letter — available under NDA
Security questionnaire (CAIQ) — completed on request

CAIQ Short-Form Summary

Do you encrypt data at rest?

Yes — AES-256 for all production databases. Keys managed by Azure Key Vault.

Do you support MFA?

Yes — MFA enforced for all administrator accounts. Available for all staff accounts.

Where is data stored?

Microsoft Azure West Europe (Netherlands) and North Europe (Ireland). No data outside EU.

Annual penetration testing?

Yes — independent third-party firm. Reports available to enterprise customers under NDA.

Security FAQ

Ready to go live in 1 week?

Join hundreds of hospitality operators across our core markets. 14-day free trial. No credit card required.

No credit card required · Live in 1 week · EU compliance included