Data residency and EU hosting

Last updated on Jun 02, 2026

Setup: Where NexCyber stores your data, which sub-processors we use, and how to verify EU-only data residency.


Every regulated company that signs up for NexCyber asks the same first question: where does my data live? Short answer: inside the European Union, end-to-end. This article gives you the long answer: what's stored where, what's accessible from where, and how to verify it.

The promise in one sentence

NexCyber is engineered so that customer data (your company profile, assessments, evidence, Trust Passports, audit logs) is stored, processed and backed up exclusively within the European Union.

Where your data is stored

| Type of data | Location |
|---|---|
| Application database | EU (Germany) |
| Evidence files (policies, certificates, SBOMs) | EU (Germany) |
| Backups | EU (Germany) |
| Email traffic (transactional) | EU |
| Application logs | EU |
| Analytics (product usage) | EU (anonymised, EU-hosted analytics platform) |
| Customer support conversations | EU |

No customer data is processed, stored, or backed up outside the EU under our standard offering.

Sub-processors

NexCyber uses a small, audited set of EU-headquartered or EU-hosted sub-processors. The full, up-to-date list is published at /legal/sub-processors and includes:

  • The legal name and location of each sub-processor.
  • The data type they handle.
  • The relevant transfer mechanism (intra-EU; or, if exceptionally non-EU, SCCs + TIA).

We notify customers 30 days before adding a new sub-processor, by email and in-app banner, so you can review and object if needed.

Encryption

  • At rest: AES-256 on every storage layer (database, object storage, backups).
  • In transit: TLS 1.2 minimum, TLS 1.3 preferred. HTTPS everywhere with HSTS.
  • Backups: same encryption as primary storage, separate keys.
  • Evidence files: encrypted with per-tenant keys; key rotation procedures documented in our SOC 2 controls.

Access control

  • All NexCyber employees with production access are EU residents.
  • Access is logged, audited, and time-bounded (just-in-time elevation; default access is read-only metadata for support).
  • We follow the principle of least privilege: only the people who need access to a specific support case get temporary access for the duration of the case.
  • Customer-initiated access (e.g. asking us to help debug an assessment) is logged in your audit trail.

How to verify EU residency

You have several ways to verify our claims, beyond reading this page:

  1. Public sub-processors list: nexcyber-eu.vercel.app/legal/sub-processors
  2. DPA (Data Processing Agreement): nexcyber-eu.vercel.app/legal/dpa
  3. Trust & Security page: nexcyber-eu.vercel.app/trust-security
  4. Audit reports: SOC 2 Type II report available under NDA from Portfolio plan onwards.
  5. Customer due diligence questionnaire: we maintain a standardised response file (CSA CAIQ, SIG Lite, custom); request via chat.

What about cross-border transfers?

We don't transfer customer data outside the EU under our standard offering. If you operate globally and have a legitimate need for non-EU access (for example, a US-based team member viewing aggregated dashboards), reach out, and we'll discuss the right transfer mechanism (SCCs, TIA, adequacy decisions for UK/Swiss residents) and document it in your DPA.

Data residency on specific plans

  • All plans: EU-only storage and processing.
  • Portfolio and above: option to request data residency report for any quarter (audit-ready evidence of EU-only operations).
  • Strategic: dedicated data residency review during quarterly business reviews.

Privacy questions

For any privacy or data residency question (including data subject access requests under GDPR), write to contact@nexcyber.eu or use the chat. We respond within 24 hours on business days, and within the GDPR-mandated 1-month window for formal data subject requests.

→ See our Privacy Policy and Trust & Security page for the full picture.


Need help?

  • Reach out via our live chat (bottom-right). Captain AI replies instantly, human experts within business hours.
  • Email support@nexcyber.eu with [P1] for Command/Strategic priority issues.

โ„น๏ธ Disclaimer โ€” RICE provides a readiness analysis, not legal advice. Final compliance may require legal review or notified body certification.

Last reviewed: 2026-06-02 · NexCyber Help Center