Your data. Locked down. End to end.

NoSky is built on the same security principles used by banks and defense contractors — because backup is only as good as its worst day.

Verified

Certifications & compliance

Independently audited and verified by leading certification bodies.

🔒
ISO 27001:2022
Information security management
🛡️
SOC 2 Type II
Security & availability controls
🇪🇺
GDPR
EU data protection regulation
🏥
HIPAA
Healthcare data compliance
🇮🇳
DPDP Act
India data protection
💳
PCI-DSS L1
Payment card industry standard
☁️
CSA STAR
Cloud security alliance
Architecture

Encryption architecture

Multiple layers of encryption protect your data at every stage.

🔐

In transit

TLS 1.3 with perfect forward secrecy. Every byte between your systems and NoSky is encrypted with the latest transport layer security protocol.

💾

At rest

AES-256-GCM with FIPS 140-2 validated modules. Your backup data is encrypted before it is written to disk and remains encrypted throughout its lifecycle.

🔑

Key management

HSM-backed key management. Customer-managed keys (BYOK) available on Enterprise plans. Automatic key rotation with configurable policies.

👁️‍🗨️

Zero-knowledge

On Enterprise plans with CMEK, NoSky staff cannot decrypt customer data even under subpoena. Your keys, your data, your control.

Data Flow Architecture

💻Your Data
🔧NoSky Agent
🔒TLS 1.3
☁️Cloud
🔑HSM
💾Immutable S3
Regions

Data residency

Choose where your data lives. Stay compliant with local regulations.

RegionRegulatory FrameworkStatus
🇮🇳India (Mumbai)DPDP ActActive
🇸🇬SingaporePDPAActive
🇩🇪Germany (Frankfurt)GDPR / BDSGActive
🇺🇸USA (Virginia)HIPAA / FedRAMP-readyActive
🇦🇪UAE (Dubai)PDPLComing Q4 2026
Operations

Operational security

Security isn't just technology — it's process, people, and culture.

🔍

Penetration testing

External, quarterly, performed by CREST-certified security firms. Results remediated within 30 days.

🐛

Bug bounty program

Public HackerOne program with bounties up to $10,000. Responsible disclosure policy published.

🔐

Access controls

SSO/SAML, mandatory MFA, least-privilege access, quarterly access reviews by CISO.

👤

Employee security

Background checks for all employees. Annual security training and phishing simulations.

📡

24×7 Security Operations Center

Continuous threat monitoring. Customer notification within 24 hours of confirmed incident.

🏢

Business continuity

BCP tested twice yearly. RTO of 4 hours for the NoSky control plane. Geo-redundant infrastructure.

Documents

Compliance & legal

Download our compliance documentation.

FrameworkStatusDocument
SOC 2 Type IIAttestedSOC 2 ReportRequest →
ISO 27001:2022CertifiedISO CertificateRequest →
GDPRCompliantDPA + SCCsRequest →
HIPAACompliantBAARequest →
DPDP ActCompliantCompliance StatementRequest →
PCI-DSSLevel 1AOCRequest →
Transparency

Subprocessors

Full transparency on every third party that processes data on our behalf.

ProviderPurposeRegionData Category
AWSCloud infrastructure & storageMumbai, Singapore, Frankfurt, VirginiaCustomer backup data
CloudflareCDN & DDoS protectionGlobal edgeHTTP metadata only
StripePayment processingUSABilling information
SendGridTransactional emailUSAEmail addresses
DatadogInfrastructure monitoringUSAOperational metrics

We provide 30-day advance notice of any subprocessor changes.Subscribe to updates →

FAQ

Security FAQ

Common questions about NoSky's security practices.

On Standard and Business plans, NoSky staff have theoretical access to encrypted data for support purposes, but all access is logged, audited, and requires multi-party approval. On Enterprise plans with customer-managed keys (CMEK), NoSky implements zero-knowledge architecture where our staff cannot decrypt your data even under subpoena.
NoSky publishes a transparency report annually. We evaluate every request for legal validity, narrow scope, and jurisdictional authority. We notify customers of requests unless legally prohibited. We have never provided bulk surveillance access and we commit to challenging overbroad requests.
Yes. NoSky is fully compliant with India's Digital Personal Data Protection Act (2023). We offer data residency in Mumbai, have appointed a Data Protection Officer, provide data portability and erasure mechanisms, and publish our compliance statement publicly.
NoSky operates from four AWS regions: Mumbai (India), Singapore, Frankfurt (Germany), and Virginia (USA). A fifth region in Dubai (UAE) is planned for Q4 2026. Customers choose their data residency region at signup.
We maintain a comprehensive incident response plan tested twice yearly. In the event of a confirmed security incident, we notify affected customers within 24 hours per our commitment (exceeding the 72-hour GDPR requirement). Our 24×7 SOC monitors for threats continuously.
Standard encryption keys are managed by NoSky using HSM-backed key management (FIPS 140-2 validated). Enterprise customers can bring their own keys (BYOK/CMEK) for full control. Key rotation is automatic and configurable.
Yes. We conduct quarterly external penetration tests by CREST-certified firms. Additionally, we run a public bug bounty program on HackerOne. Internal security assessments are performed continuously by our security team.
All NoSky employees undergo background checks and annual security training. We enforce least-privilege access, mandatory MFA, and SSO/SAML. Access to customer data requires multi-party approval with full audit logging. Quarterly access reviews are conducted by our CISO.

Your data deserves enterprise-grade protection.

AES-256 encryption. Immutable storage. ISO 27001 certified.