Security and data protection

How we protect your workers' data

NTF handles sensitive immigrant onboarding data: passport numbers, henkilötunnus (Finnish personal identity codes), residence permits, and medical authority registrations. This page lists exactly what we do to keep it safe, and what we do not yet do.

What is in place today

EU hosted

All application and database servers are in the EU. Database region: Frankfurt (Neon PostgreSQL). No data leaves the EU during normal operation.

Encrypted in transit

HTTPS with HSTS enforced across the whole domain. Plain HTTP requests are redirected to HTTPS. TLS 1.2+ only.

Encrypted at rest

Database, backups, and environment secrets encrypted at rest by the underlying providers (Neon, Vercel).

Strong password hashing

Passwords are hashed with bcrypt (12 rounds). They are never stored in plaintext and cannot be recovered, only reset.

CSRF and rate limiting

Every state-changing (mutation) request has its origin verified. Auth endpoints are rate limited to 5 requests per minute per IP; general API endpoints to 60 per minute per IP.

Email verification

Every new account must verify its email address before first login. Verification tokens are single use and stored hashed.

Security headers

Content Security Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Permissions-Policy, and Referrer-Policy: strict-origin.

GDPR rights endpoints

In-app buttons let every user export all their data as JSON, or delete their account permanently. Organisation admins can export worker data as CSV.

Sub-processors

We use the following third-party processors. Each handles a specific part of the service and is bound by a data processing agreement that matches our commitments.

Provider  | Purpose                                                   | Region
Vercel    | Application hosting, CDN                                  | EU
Neon      | PostgreSQL database                                       | EU (Frankfurt)
Resend    | Transactional email                                       | EU
Anthropic | AI onboarding coach, contract drafting, HR actions        | US (EU data residency option)
DeepL     | Content translation                                       | EU (Germany)
Google    | Machine translation for languages DeepL does not support  | US

Any change to this list is reflected here within 7 days and on our status page.

What is not in place yet

We are a small EU SaaS being honest about where we are. Here is what is on the roadmap, with expected timing.

  • Two-factor authentication for organisation admins: Q2 2026
  • Organisation audit log visible to admins: Q2 2026
  • SSO via Azure AD and Google Workspace, for the Enterprise plan: Q3 2026
  • Formal SOC 2 Type I attestation: after 5 paying B2B customers
  • Formal penetration test by an external security firm: before the first SOC 2 audit

Found a vulnerability?

If you believe you have found a security issue with newtofin.fi, please email security@newtofin.fi with details. Do not post exploitation details on public channels while the issue is unpatched.

We aim to acknowledge reports within 2 business days, confirm or reject the issue within 7 business days, and coordinate on a fix timeline after that. Good-faith research following responsible disclosure is welcome.

Machine-readable disclosure policy: security.txt

Data processing agreement (DPA)

Organisations on any paid plan can request a signed DPA. The template covers GDPR Art. 28 processor duties, sub-processors, data categories, retention, and breach notification. Typical turnaround is 1 to 2 business days.


What you can do as a user

  • Use a unique password of at least 12 characters. Avoid reusing passwords from other sites.
  • Change your password immediately (in profile settings) if you suspect it has been exposed.
  • Sign out on shared computers when you are done.
  • Check links in emails claiming to be from NTF: only trust links whose hostname is newtofin.fi (or a subdomain of it) or resend.dev.
  • Contact support@newtofin.fi if you see something unusual on your account.