Natalia Analytics security: GDPR compliance, encryption, RBAC
Reference for CISOs and DPOs: data localization, encryption, pseudonymization, RBAC, audit, retention, breach notification, compliance roadmap.
- EU data only
- Encryption at-rest + in-transit
- Phone pseudonymization
- DPA art. 28 signed
- Breach notif < 72h
Data localization
CDR data is hosted exclusively in the European Union (Belgium): managed relational storage and managed object storage, EU residency guaranteed. No replica outside the EU. Application logs kept 30 days in the same region.
Encryption
At-rest
- Agent VM: vTPM-sealed key when available, salted cryptographic derivation as fallback, industry-standard encryption (NIST SP 800-175B algorithms) for configuration and disk buffer.
- Cloud: transparent encryption on managed datastores, master key held in a certified key management service (KMS) physically separated from the datastore.
In-transit
- TLS 1.2 minimum, TLS 1.3 preferred.
- Agent → API verifies the certificate chain, no skip option.
- Managed PKI with automated certificate rotation.
Phone number pseudonymization
At ingestion, each phone number is replaced by a per-tenant cryptographic pseudonym via salted derivation. Only the last 4 digits stay in clear for UI display.
The per-tenant secret is stored encrypted; the master key sits in a certified KMS physically separated from the datastore.
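The ingestion step above, as an added example that is not Natalia Analytics' own code. It assumes the salted derivation is an HMAC-SHA256 keyed with the per-tenant secret over a normalised number, and that the secret is stored encrypted elsewhere; the full number is never retained, only the pseudonym and the last four digits.

```python
# Added example: per-tenant phone pseudonymization at ingestion.
# Assumptions (not from the page): HMAC-SHA256 as the keyed derivation,
# E.164-style normalisation before hashing, 256-bit tenant secrets.
import hashlib
import hmac
import re
import secrets


def normalize_phone(raw: str) -> str:
    """Canonicalise formatting so '+33 6 12 34 56 78', '+33612345678' and
    '0033612345678' all map to the same pseudonym within a tenant."""
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("00"):            # international prefix -> '+'
        digits = "+" + digits[2:]
    if not re.fullmatch(r"\+?\d{6,15}", digits):
        raise ValueError("not a phone number")
    return digits


def pseudonymize(tenant_secret: bytes, raw_phone: str) -> dict:
    """Build the record that is stored instead of the phone number:
    a keyed pseudonym (stable within one tenant, different across tenants
    because the key differs) plus the last four digits kept in clear for
    UI display. The normalised full number is discarded on return."""
    phone = normalize_phone(raw_phone)
    tag = hmac.new(tenant_secret, phone.encode(), hashlib.sha256).hexdigest()
    return {"pseudonym": tag, "last4": phone[-4:]}


def new_tenant_secret() -> bytes:
    """Generate a 256-bit per-tenant secret; it must be stored encrypted
    under the KMS master key, never alongside the pseudonymized records."""
    return secrets.token_bytes(32)
```

Because the pseudonym is keyed, an attacker who obtains the datastore but not the tenant secret cannot brute-force the number space offline, which an unkeyed hash of a phone number would allow.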
Break-the-glass
Phone-reveal access requires a justification motive, lands in the immutable audit log, and triggers an alert to the tenant admin.
RBAC — three roles
| Permission | Viewer | Analyst | Admin |
|---|---|---|---|
| cdr.read | ✓ | ✓ | ✓ |
| cdr.export | — | ✓ | ✓ |
| cdr.reveal_phone | — | — | ✓ |
| api_key.manage | — | — | ✓ |
| user.manage | — | — | ✓ |
| audit.read | — | — | ✓ |
Admin authentication (MFA)
MFA mandatory on all cloud administrator accounts. Production infrastructure access transits a hardened bastion with short-lived credentials and full session recording.
Multi-tenant isolation
Strict logical isolation per tenant at every layer (API, datastore, object storage, audit log). Cross-tenant access is impossible by construction and validated on every deployment by automated isolation tests.
Agent appliance hardening
Lightweight virtual appliance, hardened image aligned with CIS Benchmark Level 1: minimal attack surface, no user shell, SSH disabled, no inbound network exposure beyond the encrypted outbound tunnel to the cloud.
Service continuity (RTO / RPO)
Regular backups, quarterly restoration drills. RTO 4h / RPO 24h. Backups encrypted, stored in the same EU region, never leave the European Union.
Audit log
Every admin action lands in an immutable audit log: who, what, when, source IP, user-agent, request ID. CSV export from the dashboard. Retention: 13 months (12 months + 1 month overlap for audits).
Retention
Default retention 12 months, configurable per tenant between 3 and 13 months via support. Nightly automatic purge of expired records (hard delete, not soft delete).
DPA and subprocessors
- GDPR art. 28 DPA signed electronically at subscription.
- AI engine: GDPR-compliant, no transfer of nominative personal data outside the EU (pseudonymization is applied before any AI processing).
- Subprocessors list: an up-to-date subprocessors registry is available to customers under NDA upon request to [email protected].
- 30 days notification before any change to the subprocessor list.
Breach notification
GDPR article 33 commitment: notification within 72 hours of awareness of a personal data breach. Contact: [email protected].
Procedure: isolation of the compromised perimeter, forensic snapshot, CNIL notification, customer communication, public postmortem within 14 days.
Compliance roadmap
- SOC2 Type I: Q4 2026.
- ISO 27001: 2027 roadmap.
- Annual pen test.
- Vulnerability disclosure: see getnatalia.com/.well-known/security.txt.
API key rotation
API keys rotate from the admin portal. During rotation, previous and new keys both stay valid for a 7-day overlap window, enabling zero-downtime client migration.
An email is sent to the tenant admin at rotation and again 24h before the overlap window closes.