Privacy Policy
How Expert Allies LTD collects, uses, and protects personal data when you use Nisium at nisium.com.
Last updated: June 2, 2026 · Version 1.0
Expert Allies LTD ("we", "us", "our") operates Nisium, a NIS2 compliance platform available at nisium.com (the Site) and related hosted services (the Service). This Privacy Policy explains how we process personal data when you use the Site or Service.
For a summary of your GDPR rights, see our GDPR information page. For cookies and similar technologies, see our Cookie Policy.
1. Who is responsible for your data?
Data controller for account, billing, and website operations:
Expert Allies LTD
96 Tsarigradsko Shose blvd., floor 7, Sofia 1784, Bulgaria
Email: privacy@expertallies.com
When your employer or organization provisions the Service, your organization is typically the controller of Customer Data (incidents, evidence, vendor submissions, reports, etc.). We process Customer Data as a processor on their instructions, subject to contract and applicable law.
2. What data we collect
2.1 Account and profile data
- Work email, full name, and organization legal name (e.g. at registration)
- Tenant identifiers, role, and membership (e.g. tenant admin, compliance manager)
- Optional profile and organization fields (sector, UIC/EIK, classification, SSO configuration)
- Authentication identifiers managed through Amazon Cognito (and SAML where configured)
2.2 Customer Data (processor processing)
Data your organization stores in the Service, such as:
- Incident records, timelines, reports, and indicators
- Evidence files and metadata (including integrity hashes)
- Vendor questionnaire responses, attachments, and passport-related records
- Audit trail entries and workflow state
We do not use Customer Data for our own marketing. Access is limited to providing and securing the Service, support, and legal obligations.
2.3 Vendor portal users
External vendors may access limited flows via time-limited magic links and OTP without a standing Cognito account. We may process name, email, company name, and submission content in connection with a specific assessment or passport request.
2.4 Technical and security data
- IP address, browser type, device information, timestamps
- Logs needed for security, fraud prevention, and operations
- Append-only audit events for security-relevant actions
2.5 Payments (where enabled)
Vendor Compliance Passport purchases may use Stripe. Payment card data is handled by Stripe; we receive identifiers needed for reconciliation (e.g. customer, session, payment intent references).
2.6 AI features (where enabled)
If AI-assisted features are used, we minimize and mask personal data before sending content to external model providers, and store only sanitized prompts/responses in AI usage logs, per our architecture policies.
3. How we use data and legal bases (EEA/UK)
| Purpose | Legal basis (typical) |
|---|---|
| Provide and operate the Service | Contract / legitimate interest |
| Authentication, security, fraud prevention | Legitimate interest / legal obligation |
| Support and service communications | Contract / legitimate interest |
| Compliance with law | Legal obligation |
| Product improvement (aggregated, non-content analytics of operations) | Legitimate interest |
| Marketing to prospects (if any) | Consent |
Where we rely on consent, you may withdraw it without affecting prior processing.
4. Sharing and subprocessors
We share data only as needed to operate the Service:
- Infrastructure: Amazon Web Services in eu-central-1 (Frankfurt) — hosting, database (RDS PostgreSQL), object storage (S3), Cognito, SES, KMS, and related services
- Payments: Stripe (vendor passport flows, when enabled)
- AI providers: Only when features are enabled and with data minimization
- Professional advisers or authorities when required by law
We do not sell personal data. A current subprocessor list may be provided on request to privacy@expertallies.com.
5. International transfers
Production personal data is hosted in the European Union (AWS eu-central-1). If a subprocessor processes data outside the EEA (e.g. Stripe or an AI provider), we rely on appropriate safeguards such as Standard Contractual Clauses where required.
6. Retention
- Account data: While the account is active and for a reasonable period thereafter, plus periods required for legal claims or obligations
- Customer Data: According to Customer configuration, retention policies, and legal holds (default evidence retention targets are documented in product policy — typically multi-year retention with optional extension)
- Security logs: As needed for security and compliance, then deleted or anonymized
- Vendor access grants: Short default expiry windows (e.g. days) unless configured otherwise
When data is no longer needed, we delete or anonymize it where feasible.
7. Security
We implement technical and organizational measures including encryption at rest (KMS), TLS, tenant isolation (row-level security), access controls, MFA options for Cognito users, integrity hashing for evidence, and append-only audit logging. No method of transmission or storage is 100% secure.
8. Your rights
EEA/UK individuals may have rights to access, rectify, erase, restrict, port, and object to processing, and to lodge a complaint with a supervisory authority. See our GDPR information page for details.
Contact: privacy@expertallies.com. We respond within applicable statutory timeframes.
If your organization controls Customer Data, direct many requests to your organization first; we will assist them as processor where required.
9. Children
The Service is not directed at children under 16. We do not knowingly collect children's data.
10. Changes
We may update this policy by posting a new version on the Site with an updated date. Material changes may be notified by email or in-product notice where appropriate.
11. Contact
Expert Allies LTD
Privacy: privacy@expertallies.com
General support: support@nisium.com
This document is effective as of June 2, 2026. Material changes will be posted on this page.