Security at nocert.io
We built nocert.io to secure your certificate infrastructure. That starts with securing our own. Our team includes offensive security professionals who design, test, and continuously evaluate every component.
Architecture
Zero-trust Sentinel communication
- Sentinels are lightweight agents deployed on your private infrastructure to discover internal certificates
- All communication is outbound-only — no inbound firewall rules or open ports required
- HTTP request signing using RFC 9421 ensures message integrity and authenticity
- No private infrastructure data leaves your network unless explicitly configured
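The RFC 9421 request signing mentioned above can be illustrated end to end. The following Go program is an added example written for this page; it is not the Sentinel's own code, and the key id, shared secret, endpoint and payload are constructed placeholders. It signs an outbound agent request with the RFC 9421 `hmac-sha256` algorithm over the method, authority, path and a Content-Digest of the body, then shows the server-side checks a verifier needs: a rebuilt signature base, a body bound to the signed digest, and an `expires` parameter that rejects replay of an old signature.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Hypothetical key id; the real Sentinel key material and key exchange are not shown.
const keyID = "sentinel-key-001"

// Components covered by the signature, in the order they enter the signature base.
var covered = []string{"@method", "@authority", "@path", "content-digest"}

// contentDigest builds an RFC 9530 Content-Digest value so the body is covered via the header.
func contentDigest(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha-256=:" + base64.StdEncoding.EncodeToString(sum[:]) + ":"
}

// componentValue resolves one covered component (derived or header) against the request.
func componentValue(r *http.Request, name string) (string, error) {
	switch name {
	case "@method":
		return r.Method, nil
	case "@authority":
		return r.Host, nil
	case "@path":
		return r.URL.Path, nil
	}
	if v := r.Header.Get(name); v != "" && !strings.HasPrefix(name, "@") {
		return strings.TrimSpace(v), nil
	}
	return "", fmt.Errorf("cannot resolve covered component %q", name)
}

// signatureBase is the canonical text that is actually signed (RFC 9421 section 2.5).
func signatureBase(r *http.Request, params string) (string, error) {
	var b strings.Builder
	for _, c := range covered {
		v, err := componentValue(r, c)
		if err != nil {
			return "", err
		}
		fmt.Fprintf(&b, "\"%s\": %s\n", c, v)
	}
	fmt.Fprintf(&b, "\"@signature-params\": %s", params)
	return b.String(), nil
}

func hmacSHA256(secret []byte, base string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(base))
	return mac.Sum(nil)
}

// SignRequest adds Content-Digest, Signature-Input and Signature to an outbound request.
func SignRequest(r *http.Request, body, secret []byte, now time.Time) error {
	r.Header.Set("Content-Digest", contentDigest(body))
	quoted := make([]string, len(covered))
	for i, c := range covered {
		quoted[i] = `"` + c + `"`
	}
	params := fmt.Sprintf(`(%s);created=%d;expires=%d;keyid="%s";alg="hmac-sha256"`,
		strings.Join(quoted, " "), now.Unix(), now.Add(5*time.Minute).Unix(), keyID)
	base, err := signatureBase(r, params)
	if err != nil {
		return err
	}
	r.Header.Set("Signature-Input", "sig1="+params)
	r.Header.Set("Signature", "sig1=:"+base64.StdEncoding.EncodeToString(hmacSHA256(secret, base))+":")
	return nil
}

// VerifyRequest is the receiving side: it rebuilds the base from what arrived and rejects
// expired signatures, bodies that differ from the signed digest, and MAC mismatches.
func VerifyRequest(r *http.Request, body, secret []byte, now time.Time) error {
	input, sig := r.Header.Get("Signature-Input"), r.Header.Get("Signature")
	if !strings.HasPrefix(input, "sig1=") || !strings.HasPrefix(sig, "sig1=:") || !strings.HasSuffix(sig, ":") {
		return fmt.Errorf("missing or malformed signature headers")
	}
	params := strings.TrimPrefix(input, "sig1=")
	var expires int64
	for _, p := range strings.Split(params, ";") {
		if strings.HasPrefix(p, "expires=") {
			fmt.Sscanf(strings.TrimPrefix(p, "expires="), "%d", &expires)
		}
	}
	if expires == 0 || now.Unix() > expires {
		return fmt.Errorf("signature expired or lacks expires")
	}
	if r.Header.Get("Content-Digest") != contentDigest(body) {
		return fmt.Errorf("content-digest does not match body")
	}
	base, err := signatureBase(r, params) // the params string itself is covered, so edits to it break the MAC
	if err != nil {
		return err
	}
	got, err := base64.StdEncoding.DecodeString(strings.TrimSuffix(strings.TrimPrefix(sig, "sig1=:"), ":"))
	if err != nil || !hmac.Equal(got, hmacSHA256(secret, base)) {
		return fmt.Errorf("signature mismatch")
	}
	return nil
}

// DemoSignature signs a constructed heartbeat and reports the three verifier outcomes.
func DemoSignature() (validAccepted, tamperedRejected, expiredRejected bool) {
	secret := []byte("constructed-shared-secret-not-a-real-key") // constructed sample
	body := []byte(`{"sentinel":"demo","certs_found":3}`)       // constructed payload
	now := time.Unix(1700000000, 0)
	req, _ := http.NewRequest("POST", "https://api.example.invalid/v1/heartbeat", bytes.NewReader(body))
	if err := SignRequest(req, body, secret, now); err != nil {
		return false, false, false
	}
	validAccepted = VerifyRequest(req, body, secret, now.Add(time.Minute)) == nil
	tamperedRejected = VerifyRequest(req, []byte(`{"sentinel":"demo","certs_found":999}`), secret, now.Add(time.Minute)) != nil
	expiredRejected = VerifyRequest(req, body, secret, now.Add(10*time.Minute)) != nil
	return
}

func main() {
	fmt.Println(DemoSignature())
}
```

A production verifier would additionally parse the covered-component list out of `Signature-Input` and enforce a policy of required components (so a signer cannot simply omit `content-digest`), look the key up by `keyid`, and prefer an asymmetric algorithm such as `ed25519` so the server holds no secret that could forge agent requests.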
Encryption
Encryption at every layer
- TLS 1.2 minimum enforced on all connections in transit; TLS 1.3 preferred where supported by the client
- AES-256-GCM encryption for sensitive fields at the application layer (MFA secrets, API tokens)
- Argon2id password hashing with OWASP-recommended parameters
- Agent communication secured via RFC 9421 HTTP Message Signatures
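Application-layer AES-256-GCM field encryption, as listed above for MFA secrets and API tokens, is easy to get subtly wrong: a fresh nonce per value and associated data that ties the ciphertext to its row and column are what stop a stored blob from being swapped into another record. The Go program below is an added example for this page, not nocert's implementation; the key, table and column names and the sample TOTP seed are constructed. It encrypts one field with a random 96-bit nonce and AAD of `table/column/rowID`, then shows that decrypting the same blob under another row's context, or after a single flipped byte, fails.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

const nonceSize = 12 // standard GCM nonce length; never reuse a nonce under the same key

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to the column and row it belongs to, so it cannot be moved.
func aad(table, column, rowID string) []byte {
	return []byte(table + "/" + column + "/" + rowID)
}

// EncryptField encrypts one sensitive value; output is base64(nonce || ciphertext || tag).
func EncryptField(key []byte, table, column, rowID string, plaintext []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, aad(table, column, rowID)) // nonce prefixed to output
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; any change to nonce, ciphertext, tag or context fails.
func DecryptField(key []byte, table, column, rowID, encoded string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	if len(raw) < nonceSize+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, raw[:nonceSize], raw[nonceSize:], aad(table, column, rowID))
}

// DemoFieldEncryption stores a constructed MFA seed for user 42 and checks three outcomes.
func DemoFieldEncryption() (roundTrip, movedRejected, tamperedRejected bool) {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed key; hold the real one in a KMS
	seed := []byte("JBSWY3DPEHPK3PXP")                // constructed TOTP seed
	enc, err := EncryptField(key, "users", "mfa_secret", "42", seed)
	if err != nil {
		return
	}
	got, err := DecryptField(key, "users", "mfa_secret", "42", enc)
	roundTrip = err == nil && bytes.Equal(got, seed)
	// Same blob copied into user 43's row: AAD differs, so the tag check fails.
	_, err = DecryptField(key, "users", "mfa_secret", "43", enc)
	movedRejected = err != nil
	// One flipped byte in the stored blob: the tag check fails.
	raw, _ := base64.StdEncoding.DecodeString(enc)
	raw[len(raw)-1] ^= 0x01
	_, err = DecryptField(key, "users", "mfa_secret", "42", base64.StdEncoding.EncodeToString(raw))
	tamperedRejected = err != nil
	return
}

func main() {
	fmt.Println(DemoFieldEncryption())
}
```

The AAD is what turns "encrypted at rest" into "encrypted and bound to its record": without it, an attacker with write access to the database could copy a victim's encrypted MFA seed into their own row and have the application decrypt it for them.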
Data sovereignty
EU-only data processing
- All application data stored and processed exclusively within the European Union
- Infrastructure hosted on OVHcloud — French cloud provider, no US jurisdiction
- Cloudflare provides edge protection (WAF, DDoS) without storing application data
- No data transfers outside the EU — Stripe and Cloudflare operate under SCCs where applicable
Access control
Least-privilege by default
- Role-based access control (RBAC) with configurable permissions per workspace
- Single sign-on via OpenID Connect with any OIDC-compliant identity provider
- Session-based authentication with secure, HttpOnly, SameSite=Strict cookies
- Complete audit trail of all user actions, configuration changes, and alert deliveries
Sentinel security
Open-source, auditable Sentinels
- Sentinel source code is open-source — audit every line before deploying to your network
- Single statically-linked binary — no runtime dependencies, no supply chain risk
- Sentinels run unprivileged — no root access required, minimal system permissions
- Custom port and subnet configuration — scan only what you explicitly allow
Compliance
Framework-aligned security practices
- Security practices informed by SOC 2 Type II principles (Trust Services Criteria); nocert is not SOC 2 certified
- GDPR-native — built from day one for EU data protection requirements
- Compliance scoring against PCI-DSS, ISO 27001, NIS2, and ANSSI frameworks
- Exportable audit reports for your own compliance evidence needs
Vulnerability reporting
If you believe you've found a security vulnerability in nocert.io or our agent software, we want to hear about it. Please report it responsibly so we can investigate and address it.
Report a vulnerability