
Setup

Register your products, upload evidence, configure your workspace, and connect integrations.
By NexCyber Support
• 8 articles

Add your first regulated product

Create a "product" in NexCyber to scope your assessments to a specific offering — software, device, AI system, or financial service.

In NexCyber, a product is the unit you assess and track for compliance. It can be a piece of software, a connected device, an AI system, a financial service — anything you place on the EU market or operate within scope of EU cybersecurity regulation.

You can run NexCyber at company level (one assessment covers everything) or at product level (one assessment per offering). For most companies with more than one offering, product-level scoping gives you cleaner results and stronger Trust Passports.

When to create a product

Create a product if any of these are true:

- You sell or distribute more than one offering with different risk profiles.
- One of your offerings is subject to a regulation the others aren't (e.g. only one product has connected components subject to CRA).
- You want to issue separate Trust Passports for different products to share with different customers.
- You operate under multiple legal entities and need to keep their scopes separated.

If you have a single product or service, you can skip this step — NexCyber automatically creates a default scope at company level.

How to add a product

1. Go to /products in the main navigation.
2. Click "+ New product".
3. Fill in the product profile:
   - Name — exactly as it appears on your marketing or packaging.
   - Type — Software · Device · AI system · Financial service · Other.
   - Description — one or two sentences describing what it does.
   - Operating regions — pick the EU member states (or "EU-wide") where it's available.
   - Customer types — B2B · B2C · Public sector.
4. Click "Create product".

The product appears in your list. You can now run regulation-specific assessments scoped to this product.

Editing later

Every field is editable. Changes take effect on your next assessment — existing assessments keep the scope they were created with, so your audit trail stays consistent.

Plan limits

| Plan | Max products |
|---|---|
| Free | 1 |
| Starter | 1 |
| Launch | 1 |
| Portfolio | unlimited |
| Command | unlimited |
| Strategic | unlimited |

If you hit your plan's limit, you'll be prompted to upgrade.

What's next

Once your first product is set up, you can:

- Run an assessment scoped to it — see "Run your first compliance assessment".
- Add evidence specific to this product — policies, certificates, SBOMs.
- Issue a product-specific Trust Passport.

→ See "Manage products and scopes"

Need help?

- Reach out via our live chat (bottom-right) — Captain AI replies instantly, human experts within business hours.
- Email support@nexcyber.eu with [P1] for Command/Strategic priority issues.

Disclaimer — RICE provides a readiness analysis, not legal advice. Final compliance may require legal review or notified body certification.

Last reviewed: 2026-06-02 · NexCyber Help Center

Last updated on Jun 02, 2026

Manage products and scopes

Organise products into scopes, archive deprecated offerings, and keep your compliance surface area clear.

As your compliance work scales, you'll often have several products at different lifecycle stages — some in design, some shipping, some end-of-life. NexCyber lets you organise them clearly so your dashboard shows what matters now without losing your audit history.

The lifecycle of a product in NexCyber

Every product moves through three states:

Draft

You've created the product but haven't run any assessment yet. Drafts are private to your team and don't appear on any Trust Passport.

Active

A product becomes Active as soon as you complete its first assessment. Active products show up on your dashboard, in your Workspace, and can issue Trust Passports.

Archived

When a product is end-of-life, withdrawn from the market, or no longer relevant, archive it. Archived products are hidden from your dashboard but their assessments and Trust Passports remain verifiable forever — auditors can still validate Passports issued in the past, which preserves your historic claims.

How to change a product's state

1. Go to /products.
2. Click the product row.
3. Click "Change state" in the top-right.
4. Pick the new state.

Archiving asks for confirmation; reactivating a product is a one-click action.

Organising with tags

You can tag products with anything that helps you slice your portfolio:

- Stage — pre-launch, ga, eol
- Business unit — bu-iot, bu-saas, bu-financial
- Customer segment — enterprise, smb, public-sector
- Region — eu-only, eu-uk, global

Tags are free-form. You'll find products by tag from any list view.

Cloning a product

If you're launching a variant of an existing product (a different region, a different customer segment), clone it rather than re-creating from scratch:

1. Open the source product.
2. Click "Clone" in the top-right.
3. The clone copies the profile, attached evidence references, and obligation answers, with a "(copy)" suffix on the name.
4. Edit what's different — region, scope, name — and save.

Cloning saves significant work when one product is 80% the same as another for compliance purposes.

Bulk actions

On the Portfolio plan and above, you can select multiple products and:

- Re-tag them in bulk.
- Re-run assessments across the selection after a regulation update.
- Generate a portfolio-wide Trust Passport that aggregates several products into one shareable artefact.

Limits and capacity

If you're approaching the limit for your plan, the products list shows a counter ("8 of 10 used"). Upgrade from the Subscription page when you need headroom.

→ See "Build your evidence library"

Last updated on Jun 02, 2026

Build your evidence library

Upload policies, certificates, SBOMs and incident reports to NexCyber's evidence library — the foundation of audit-ready compliance.

Self-assessed scores are a starting point. Evidence-backed scores are what turn a NexCyber report into an audit-ready artefact. The Evidence Library is where you upload, tag, and link the documents that prove each compliance claim.

Evidence is available from the Launch plan onwards (with light mode on Starter).

What counts as evidence

Anything that proves you do what you say you do, in writing:

- Policies — information security, data retention, vulnerability disclosure, incident response.
- Certificates — ISO 27001, SOC 2, ISO 9001, sector-specific (EN 18031 for RED).
- Technical artefacts — SBOMs, penetration test reports, threat models, architecture diagrams.
- Process records — change management logs, training records, supplier due diligence.
- External attestations — letters from auditors, customer reference documents.

How to upload

1. Go to /evidence.
2. Click "+ Upload" or drag-and-drop directly onto the page.
3. For each file you upload, NexCyber asks you to tag:
   - Type (Policy · Certificate · Report · Process record · Other)
   - Regulation(s) it supports (CRA · NIS2 · AI Act · DORA · RED, multi-select)
   - Validity start and validity end dates
   - Owner (the teammate accountable for keeping it current)
4. Click "Save".

Uploads run on EU-hosted storage and are encrypted at rest.

Linking evidence to obligations

This is where the magic happens. After uploading, link each evidence item to one or more obligations in your assessments:

1. Open an assessment.
2. Click an obligation marked "Partial" or "Gap".
3. Click "Attach evidence" and pick from your library.
4. NexCyber re-scores the obligation. If your evidence covers the obligation in full, it moves to "Covered" automatically.

One evidence document often covers several obligations across multiple regulations — a single vulnerability disclosure policy can satisfy CRA Art. 13, NIS2 Art. 21(2)(j), and DORA Art. 17 simultaneously. Linking it once propagates the coverage everywhere.

Recommended naming convention

Consistent naming makes auditor review dramatically faster. We recommend:

[year]-[type]-[product]-[short-description]-v[version].[ext]

Examples:

- 2026-policy-acme-iot-vulnerability-disclosure-v2.pdf
- 2026-sbom-acme-saas-v4.2-spdx.json
- 2026-cert-acme-corp-iso27001-2025-renewal.pdf

NexCyber doesn't enforce a naming scheme — pick what works for your team and stay consistent.

Validity tracking

Every evidence item has a validity window. NexCyber warns you when:

- An item is within 60 days of expiry (banner on the Evidence page).
- An item is expired but still attached to obligations (the affected obligations are flagged Partial or Gap).
- An item's referenced regulation has been updated since the document was issued.

This means your compliance posture automatically decays as policies age — which is exactly what you want, because real compliance does the same.

Bulk operations

Select multiple evidence items to:

- Re-tag in bulk.
- Reassign owners.
- Archive when superseded.
- Download a ZIP of the selection for offline review.

Storage limits

Storage is generous on all paid plans. Free has 5 evidence items visible. Starter has 20. From Launch onwards, the practical limit is the file count per product — usually no constraint for typical compliance libraries.

If you have unusually large files (large penetration test reports, video walkthroughs, etc.) contact us via the chat and we'll help.

→ See "Map existing compliance work to NexCyber obligations"
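The three validity warnings described under "Validity tracking" can be rehearsed locally against your own evidence inventory before an audit. This is an added example, not NexCyber code: the field names, the sample dates, the regulation update date, the use of the validity start as the issue date, and the evidence-to-obligation links are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

EXPIRY_WARNING = timedelta(days=60)  # "within 60 days of expiry", per the article


@dataclass(frozen=True)
class Evidence:
    name: str
    regulations: tuple       # regulation tags chosen at upload
    valid_from: date         # validity start (treated as the issue date: assumption)
    valid_to: date           # validity end
    obligations: tuple = ()  # obligations this item is attached to


def findings(item, today, regulation_updates):
    """Return the warning labels that apply to one evidence item on `today`."""
    out = []
    if item.valid_to < today:
        # An expired item only degrades posture while something relies on it.
        out.append("expired-attached" if item.obligations else "expired-unattached")
    elif item.valid_to - today <= EXPIRY_WARNING:
        out.append("expiring")
    for reg in item.regulations:
        updated = regulation_updates.get(reg)
        # Flag documents issued before the regulation text last changed.
        if updated is not None and item.valid_from < updated <= today:
            out.append(f"regulation-updated:{reg}")
    return out


def review(items, today, regulation_updates):
    """Map each flagged item name to its findings; clean items are omitted."""
    report = {}
    for item in items:
        labels = findings(item, today, regulation_updates)
        if labels:
            report[item.name] = labels
    return report


def obligations_at_risk(items, today):
    """Obligations attached to expired evidence, mapped to the currently valid
    items still attached to them. An empty list means nothing valid is left."""
    at_risk = {}
    for item in items:
        if item.valid_to < today:
            for obligation in item.obligations:
                at_risk.setdefault(obligation, [])
    for item in items:
        if item.valid_from <= today <= item.valid_to:
            for obligation in item.obligations:
                if obligation in at_risk:
                    at_risk[obligation].append(item.name)
    return at_risk


# Constructed sample inventory (file names follow the article's examples).
TODAY = date(2026, 6, 2)
REGULATION_UPDATES = {"CRA": date(2026, 3, 1)}  # constructed date
INVENTORY = [
    Evidence("2026-policy-acme-iot-vulnerability-disclosure-v2.pdf",
             ("CRA", "NIS2", "DORA"), date(2025, 7, 16), date(2026, 7, 15),
             ("CRA Art. 13", "NIS2 Art. 21(2)(j)", "DORA Art. 17")),
    Evidence("2026-cert-acme-corp-iso27001-2025-renewal.pdf",
             ("NIS2",), date(2023, 5, 20), date(2026, 5, 19),
             ("NIS2 Art. 21(2)(e)", "NIS2 Art. 21(2)(j)")),
    Evidence("2026-sbom-acme-saas-v4.2-spdx.json",
             ("CRA",), date(2026, 4, 10), date(2027, 4, 10),
             ("CRA Art. 13",)),
]

if __name__ == "__main__":
    for name, labels in review(INVENTORY, TODAY, REGULATION_UPDATES).items():
        print(name, labels)
    for obligation, cover in obligations_at_risk(INVENTORY, TODAY).items():
        print(obligation, "still covered by" if cover else "has no valid evidence", cover)
```
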

Last updated on Jun 02, 2026

Map existing compliance work to NexCyber obligations

Reuse the ISO 27001, SOC 2, NIST CSF and internal compliance work you've already done — NexCyber maps it to your EU regulatory obligations.

You probably haven't started from zero. Most companies arriving at NexCyber already have some compliance estate — ISO 27001 or SOC 2 work, sector-specific certifications, internal policies, audit reports. NexCyber doesn't want you to redo any of it. Instead, it maps what you have to what EU regulations require, so each existing artefact gets the maximum re-use.

This article shows you how to bring that work in.

What can you map?

NexCyber natively understands the most common compliance frameworks:

- ISO/IEC 27001 (Annex A controls) → CRA Annex I, NIS2 Art. 21, DORA Art. 9
- ISO/IEC 27017 and 27018 (cloud-specific) → DORA, NIS2 for cloud-native services
- SOC 2 (Trust Services Criteria) → NIS2 Art. 21 risk management measures
- NIST CSF / NIST 800-53 → CRA Annex I, NIS2 Art. 21
- EN 18031-1/-2/-3 (harmonised standards under RED) → RED cyber requirements
- PCI DSS → DORA ICT risk + NIS2 for payment services
- Internal control catalogues — any documented control with a description.

How to import a control catalogue

1. Go to /evidence → Import.
2. Pick the format:
   - ISO 27001 controls — upload a statement of applicability (SoA) Excel/CSV.
   - SOC 2 controls — upload your SOC 2 Type II report (PDF) or controls Excel.
   - NIST CSF — pick the version (1.1 / 2.0) and upload your tier matrix.
   - Custom — upload a CSV with one row per control: id, title, description, status, evidence_ref.
3. NexCyber parses the file and asks you to confirm each row.
4. After confirmation, each control becomes a mapped evidence item in your library, automatically linked to the NexCyber obligations it covers.

This is typically the biggest single time-saver for companies with a mature compliance estate. A SOC 2 Type II import can close 40–60% of NIS2 Art. 21 obligations on import alone.

Mapping logic — what to expect

NexCyber uses published regulatory crosswalks (ENISA NIS2 mapping, ETSI EN 18031 mapping, ISO 27001:2022 to NIS2 mapping) as the basis for each link. We never invent mappings.

For each control you import:

- Direct mapping — the control is a 1:1 match for one or more obligations. Auto-linked, marked "Covered" if the control is implemented.
- Partial mapping — the control covers part of an obligation. Auto-linked, marked "Partial" with a note explaining the residual gap.
- No mapping — the control isn't relevant to your selected regulations. Stays in your evidence library but doesn't auto-link anywhere.

You can override any auto-mapping. NexCyber records who overrode what and why, for audit trail purposes.

What about company-specific frameworks?

If you have an internal control framework that doesn't match any of the supported standards, you have two options:

1. Map manually — for each obligation in an assessment, attach the matching internal policy or document.
2. Request a custom mapping — Strategic plan customers can request a one-time custom crosswalk between their internal framework and NexCyber's obligation library. Contact us via the chat.

Re-using evidence across regulations

The same evidence item can link to obligations across multiple regulations. For example, a single document — "Acme Vulnerability Management Policy v3" — can satisfy:

- CRA Annex I § 2 (vulnerability handling)
- NIS2 Art. 21(2)(b) (incident handling) and 21(2)(e) (security in network and information systems)
- DORA Art. 17 (ICT-related incident management process)
- EN 18031 under RED for connected products

Link it once; coverage propagates everywhere.

Audit trail

Every mapping, override, and re-use is recorded. When an auditor asks "how do you justify that this policy closes CRA Annex I § 2 and NIS2 Art. 21(2)(b)?", you can show them the underlying crosswalk (published, sourced from ENISA / ETSI) plus your evidence — no hand-waving.

→ See "Build your evidence library"

Last updated on Jun 02, 2026

Configure billing and payment method

Set up your billing address, payment method (card or SEPA), VAT details, and invoice recipients in NexCyber.

NexCyber bills annually by default. This article walks you through setting up payment, VAT, and invoice routing — everything you need before your first paid renewal.

What you'll set up

- A billing address (used on every invoice)
- A payment method (card or SEPA Direct Debit)
- Your VAT number (if you have one)
- An invoice email recipient (often a finance team alias)

Where to find it

Go to /subscription (Settings → Subscription) and click the "Billing" tab.

Billing address

The billing address appears on every invoice and is used for VAT computation.

1. Click "Edit billing address".
2. Fill in:
   - Legal company name (must match incorporation documents)
   - Country (drives VAT treatment)
   - Street, city, postal code
   - VAT number (optional but recommended — EU intracommunity VAT rules apply when valid)
3. Click "Save".

If your billing address differs from your company profile (e.g. a parent entity handles billing), use the billing address here — NexCyber will reflect it on every invoice without changing your operational profile.

Payment methods

NexCyber supports two payment methods for EU customers:

Card (Visa, Mastercard, American Express)

- Charged automatically on renewal.
- 3-D Secure / Strong Customer Authentication (SCA) required for first charge.
- Receipts and invoices arrive by email immediately after charge.

SEPA Direct Debit (EU IBAN)

- Available for EU-based companies with a SEPA-compatible bank account.
- Authorisation mandate signed online, no paperwork.
- Charged 5 days after invoice issuance.
- Lower fees on our side, no impact on your invoice amount.

Setting up

1. Click "Add payment method".
2. Pick Card or SEPA.
3. Enter the details on the secure payment form. We never see your full card number or bank credentials — payments are handled by a licensed EU payment processor and tokenised on their side.
4. Click "Confirm".

If you have multiple payment methods on file, you can mark one as default for renewals.

VAT and tax handling

For EU customers:

- Same country as us — VAT charged at the local rate (currently France, TVA 20%).
- EU intracommunity, valid VAT number — reverse charge applied (no VAT on invoice, you self-assess).
- EU intracommunity, no VAT number — VAT charged at your country's rate (OSS regime).
- Outside EU — no EU VAT charged.

You can update your VAT number anytime; the next invoice issued reflects the new treatment.

Invoice recipients

By default, invoices go to the account owner's email. If your finance team handles billing:

1. Go to /subscription → Billing → "Invoice recipients".
2. Add the email(s) that should receive every invoice. Multiple recipients supported.
3. Optionally, add a PO number that will appear on every invoice (useful for finance teams who require purchase orders).

Renewals and cancellations

- Annual renewal happens on the anniversary of your first paid month. You receive a reminder email 14 days before the charge.
- Cancellation — go to /subscription → "Cancel plan". Cancellation is effective at the end of your current billing period; you keep access until then.
- Downgrades also take effect at the end of the billing period — your data is preserved across plan changes.

Receipts and invoice history

The /subscription → Billing → "History" page shows every invoice and receipt with a one-click PDF download. Invoices are also archived for at least 10 years (EU accounting rules).

Issues with billing

For any billing question — disputed charge, refund request, change of legal entity, VAT clarification — open a chat or email contact@nexcyber.eu. We respond within 24 hours on business days.

→ See "Choose the right plan for you"

Last updated on Jun 02, 2026

Data residency and EU hosting

Where NexCyber stores your data, which sub-processors we use, and how to verify EU-only data residency.

Every regulated company that signs up for NexCyber asks the same first question: where does my data live? Short answer: inside the European Union, end-to-end. This article gives you the long answer — what's stored where, what's accessible from where, and how to verify it.

The promise in one sentence

NexCyber is engineered so that customer data — your company profile, assessments, evidence, Trust Passports, audit logs — is stored, processed and backed up exclusively within the European Union.

Where your data is stored

| Type of data | Location |
|---|---|
| Application database | EU (Germany) |
| Evidence files (policies, certificates, SBOMs) | EU (Germany) |
| Backups | EU (Germany) |
| Email traffic (transactional) | EU |
| Application logs | EU |
| Analytics (product usage) | EU (anonymised, EU-hosted analytics platform) |
| Customer support conversations | EU |

No customer data is processed, stored, or backed up outside the EU under our standard offering.

Sub-processors

NexCyber uses a small, audited set of EU-headquartered or EU-hosted sub-processors. The full, up-to-date list is published at /legal/sub-processors and includes:

- The legal name and location of each sub-processor.
- The data type they handle.
- The relevant transfer mechanism (intra-EU; or, if exceptionally non-EU, SCCs + TIA).

We notify customers 30 days before adding a new sub-processor, by email and in-app banner, so you can review and object if needed.

Encryption

- At rest — AES-256 on every storage layer (database, object storage, backups).
- In transit — TLS 1.2 minimum, TLS 1.3 preferred. HTTPS everywhere with HSTS.
- Backups — same encryption as primary storage, separate keys.
- Evidence files — encrypted with per-tenant keys; key rotation procedures documented in our SOC 2 controls.

Access control

- All NexCyber employees with production access are EU residents.
- Access is logged, audited, time-bounded (just-in-time elevation; default access is read-only metadata for support).
- We follow the principle of least privilege — only the people who need access to a specific support case get temporary access for the duration of the case.
- Customer-initiated access (e.g. asking us to help debug an assessment) is logged in your audit trail.

How to verify EU residency

You have several ways to verify our claims, beyond reading this page:

1. Public sub-processors list — nexcyber-eu.vercel.app/legal/sub-processors
2. DPA (Data Processing Agreement) — nexcyber-eu.vercel.app/legal/dpa
3. Trust & Security page — nexcyber-eu.vercel.app/trust-security
4. Audit reports — SOC 2 Type II report available under NDA from Portfolio plan onwards.
5. Customer due diligence questionnaire — we maintain a standardised response file (CSA CAIQ, SIG Lite, custom) — request via chat.

What about cross-border transfers?

We don't transfer customer data outside the EU under our standard offering. If you operate globally and have a legitimate need for non-EU access (for example, a US-based team member viewing aggregated dashboards), reach out — we'll discuss the right transfer mechanism (SCCs, TIA, adequacy decisions for UK/Swiss residents) and document it in your DPA.

Data residency on specific plans

- All plans — EU-only storage and processing.
- Portfolio and above — option to request data residency report for any quarter (audit-ready evidence of EU-only operations).
- Strategic — dedicated data residency review during quarterly business reviews.

Privacy questions

For any privacy or data residency question — including data subject access requests under GDPR — write to contact@nexcyber.eu or use the chat. We respond within 24 hours on business days, and within the GDPR-mandated 1-month window for formal data subject requests.

→ See our Privacy Policy and Trust & Security page for the full picture.

Last updated on Jun 02, 2026

Calendar and deadline tracking

Sync your regulatory deadlines to your calendar — Google, Outlook, iCal — so you never miss an enforcement date.

EU regulations come with firm enforcement dates. Miss them and your maximum exposure is no longer theoretical. NexCyber tracks every deadline relevant to your company and lets you push them straight into your team's calendar so nothing slips.

The deadlines NexCyber tracks

For each regulation that applies to you, NexCyber tracks:

- Primary enforcement date — the date the regulation becomes fully binding.
- Sub-deadlines — implementation acts, RTSs, transposition deadlines, sectoral milestones.
- Member state transposition dates — when each EU country adopts the local implementation.
- Your own re-assessment deadlines — based on Trust Passport validity (6 or 12 months).
- Evidence expiry dates — when uploaded certificates or policies need renewal.

Each deadline appears on your dashboard's Timeline widget with days remaining and the obligation list still in Partial / Gap status.

Calendar integration (subscribe URL)

The fastest way to bring NexCyber deadlines into your day-to-day is via a calendar subscription. NexCyber publishes a personalised ICS feed that any modern calendar (Google, Outlook, Apple, Fastmail, Proton) can subscribe to.

How to get your ICS URL

1. Go to /profile/notifications.
2. Scroll to "Calendar feed".
3. Click "Generate ICS URL". NexCyber creates a unique, private URL that only you can use.
4. Copy the URL.

The URL is private — anyone with it can read your deadlines, so treat it like a password. You can regenerate it at any time, which immediately invalidates the old one.

Subscribing in Google Calendar

1. Open Google Calendar in your browser.
2. In the left sidebar, find "Other calendars" and click +.
3. Pick "From URL".
4. Paste your ICS URL and click "Add calendar".
5. The NexCyber deadlines appear within an hour and refresh every few hours automatically.

Subscribing in Outlook (web or desktop)

1. In Outlook, go to Calendar → Add calendar → Subscribe from web.
2. Paste your ICS URL.
3. Name it "NexCyber Deadlines" and pick a colour.
4. Click "Import".

Subscribing in Apple Calendar (macOS / iOS)

- macOS — File → New Calendar Subscription → paste URL → "Subscribe".
- iOS — Settings → Calendar → Accounts → Add Account → Other → Add Subscribed Calendar → paste URL.

What appears in your calendar

Each event includes:

- The deadline name (e.g. "CRA full enforcement").
- The regulation it relates to.
- A short description of what's at stake.
- A link back to NexCyber so you can jump straight to the relevant Workspace action.

Reminder strategy

We recommend pairing calendar subscription with NexCyber's email reminders (configurable in your notification preferences at /profile/notifications). The two systems complement each other:

- Calendar = visual awareness across your whole quarter.
- Email = active reminder triggered at 90, 60, 30, 14, 7, and 1 day before each deadline.

Most teams find calendar + email reminders enough. We deliberately don't push you Slack or SMS notifications — they tend to add noise without adding signal for compliance timelines.

Team-wide calendars

Each teammate generates their own ICS URL — there's no shared NexCyber calendar by default, because each member sees the deadlines that apply to their assigned actions.

If you want a single team-wide deadline calendar (everyone sees everything), one workflow that works well:

1. Create a shared mailbox (e.g. compliance@yourcompany.com).
2. Generate the ICS URL from that mailbox's NexCyber account (it needs at least Member role).
3. Subscribe everyone to that calendar in Google / Outlook.

Deadlines after re-assessment

When you re-run an assessment and your Trust Passport validity is extended, the calendar feed automatically updates to push out the re-assessment deadline. No manual intervention needed.

→ See "Understand your Trust Passport"

Last updated on Jun 02, 2026

Audit log and activity trail

How NexCyber records every action in your workspace — who did what, when, and why — for internal review and external audit.

For regulated companies, traceability is non-negotiable. NexCyber records every meaningful action in your workspace and surfaces it as a queryable, exportable audit log. This article explains what's logged, how to access it, and how to use it during audit.

The Audit Log is available on the Portfolio plan and above.

What's recorded

NexCyber logs every action that changes state in your workspace:

- Account events — user logins, role changes, invitations, removals.
- Assessment events — assessment started, answer changed, assessment completed.
- Evidence events — file uploaded, evidence linked to obligation, evidence archived.
- Obligation events — status change (Gap → Partial → Covered), justification edited.
- Trust Passport events — passport issued, passport revoked, passport shared.
- Billing events — plan upgrade / downgrade, payment method change.
- API events — every authenticated API call (on Command plan and above).

For each event, the log captures:

- Timestamp in UTC, millisecond precision.
- Actor — which user, or which API token, or "system" for automated events.
- Action verb (created, updated, deleted, linked, etc.).
- Target — the resource that was changed.
- Before / after snapshot for important changes (e.g. obligation status changes show the old and new value).
- Source IP and user agent (truncated for privacy).

How to access it

Open Settings → Audit log to see the live feed. The page supports:

- Free-text search — find an action by keyword.
- Filter by user — show every action by a specific teammate.
- Filter by action type — only show logins, only show passport events, etc.
- Filter by date range — useful for scoped reviews.

You can also click any event to see the full payload — including before / after snapshots for state changes.

Retention

| Plan | Retention |
|---|---|
| Portfolio | 90 days online + archive available on request |
| Command | 12 months online + extended archive |
| Strategic | 24 months online + extended archive |

Beyond the online retention window, archived logs are available via support request within 5 business days.

Exporting the audit log

For external audit, you can export the log as:

- CSV — one row per event, easy to load into Excel or your audit tooling.
- NDJSON — one JSON object per line, machine-readable for downstream pipelines.
- PDF report — a formatted, page-numbered, signed PDF suitable for audit binders.

To export:

1. Open the Audit log view.
2. Apply the filters you want (typically a date range and optionally a specific user / action).
3. Click "Export" in the top-right.
4. Pick the format.
5. The export runs in the background and arrives by email when ready (usually under 60 seconds, longer for very large exports).

Each export is itself logged — auditors can verify that the export they're holding is the one NexCyber generated.

Using the audit log during external audit

Typical scenarios where the audit log carries weight:

"Show me who approved this obligation as Covered."

Open the obligation, click "View history", and you'll see each status change with actor, timestamp, and justification text. Auditors can trust this because the log is append-only and tamper-evident (next section).

"Prove evidence X was attached on this date."

Search the log for the evidence ID or filename. The "evidence linked" event has the exact timestamp and the user who did it.

"Show me access to sensitive data over the audit window."

Filter by action type "login" and date range. Export to CSV for the auditor's records.

Tamper-evidence

Audit log entries are append-only. They cannot be edited or deleted by any user (not even account owners). Every entry is checksum-protected and ordered such that any tampering attempt would break the chain and be detectable. This isn't a marketing claim — it's part of how NexCyber's internal data model is structured, and it's documented in our SOC 2 report (available under NDA).

Sensitive data in the log

We never log:

- Passwords, API keys, or other credentials.
- Full file contents (only file metadata: name, size, hash, owner).
- Personal data beyond the actor's email and the resources they accessed.

If you're concerned about a specific category of data appearing in the log, contact us via the chat — we can walk through your specific compliance needs.

→ See "Data residency and EU hosting"
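The general technique behind a checksum-protected, ordered log like the one described under "Tamper-evidence" is a hash chain, sketched here over NDJSON lines. This is an added example, not NexCyber's implementation or export schema: the `prev_hash` and `hash` fields, the choice of SHA-256, the canonical JSON encoding and the sample events are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first entry


def entry_hash(event, prev_hash):
    """SHA-256 over the previous entry's hash plus this event in canonical JSON."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def head(log_lines):
    """Hash of the newest entry: the value to record out of band at export time."""
    return json.loads(log_lines[-1])["hash"] if log_lines else GENESIS


def append(log_lines, event):
    """Append one event as an NDJSON line linked to the current head."""
    prev = head(log_lines)
    record = dict(event, prev_hash=prev, hash=entry_hash(event, prev))
    log_lines.append(json.dumps(record, sort_keys=True))


def build_log(events):
    log_lines = []
    for event in events:
        append(log_lines, event)
    return log_lines


def verify(log_lines, expected_head=None):
    """Return (ok, index, reason); index is the first line that fails.

    A chain by itself cannot show that trailing entries were dropped, so pass
    `expected_head` (a head hash stored separately from the log) to catch that.
    """
    prev = GENESIS
    for i, line in enumerate(log_lines):
        try:
            record = json.loads(line)
            claimed = record.pop("hash")
            linked = record.pop("prev_hash")
        except (ValueError, KeyError, AttributeError, TypeError):
            return False, i, "malformed"
        if linked != prev:
            # An entry was removed, inserted or reordered before this line.
            return False, i, "broken link"
        if entry_hash(record, prev) != claimed:
            # The entry's own fields no longer match its checksum.
            return False, i, "content altered"
        prev = claimed
    if expected_head is not None and prev != expected_head:
        return False, len(log_lines), "head mismatch"
    return True, None, "ok"


# Constructed sample events using the fields the article lists
# (UTC timestamp, actor, action verb, target, before/after snapshot).
SAMPLE_EVENTS = [
    {"ts": "2026-06-02T09:14:03.120Z", "actor": "alice@example.com",
     "action": "linked",
     "target": "evidence:2026-policy-acme-iot-vulnerability-disclosure-v2.pdf"},
    {"ts": "2026-06-02T09:14:05.871Z", "actor": "alice@example.com",
     "action": "updated", "target": "obligation:CRA Art. 13",
     "before": "Partial", "after": "Covered"},
    {"ts": "2026-06-02T09:20:41.002Z", "actor": "system",
     "action": "created", "target": "export:ndjson"},
]

if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    print(verify(log))
    print(verify([log[0], log[2]]))                     # middle entry deleted
    print(verify(log[:2], expected_head=head(log)))     # tail truncated
```
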

Last updated on Jun 02, 2026