Compliance & Trust

Annual audit covering security, availability, and confidentiality trust service criteria.

• Independent third-party audit
• Covers security, availability, and confidentiality
• Continuous monitoring and evidence collection
• Report available under NDA for Enterprise customers

Full compliance with the General Data Protection Regulation for EU/EEA data subjects.

• Data Processing Agreement (DPA) available
• Standard Contractual Clauses (SCCs) for international transfers
• Data subject rights: access, erasure, portability, restriction
• Data Protection Officer appointed
• Configurable data retention and logging policies
• EU data residency options available (Enterprise)

Business Associate Agreement (BAA) available for healthcare organizations on Enterprise plan.

• BAA available for Enterprise customers
• PHI-aware guardrails (PII/PHI redaction via Presidio)
• Audit logging for all data access
• Encryption in transit and at rest

Payment card data handled entirely by Stripe — no card numbers touch our servers.

• Stripe handles all PCI-scoped data
• No payment card numbers stored or processed by NemoRouter
• Stripe tokenization for all payment flows