Last updated: 25 March 2026
Privacy Policy
KNF Technologies ("Konforme", "we", "us", "our") is committed to protecting your privacy. This policy explains how we collect, use, store, and protect personal data when you use our website (konforme.io) and our NIS2 compliance platform (app.konforme.io).
Konforme is the data controller for account and usage data. When you add employee data to our platform (e.g. for training campaigns), Konforme acts as a data processor on your behalf.
1. Who we are
- Company: KNF Technologies
- Registered in: European Union
- Contact: konform@konforme.io
- Data hosting: EU data centres only
2. Data we collect
2.1 Account data
When you create an account, we collect:
- Email address — for authentication, notifications, and communication
- Password — stored as a one-way cryptographic hash, never in plain text
- Organisation name — to identify your company within the platform
- Country — to provide country-specific NIS2 compliance data
2.2 Team member data
If you invite team members to your organisation, we collect their:
- Email address
- Name (once they accept the invitation)
- Role within the platform (owner, admin, or member)
2.3 Cloud credentials
To scan your cloud infrastructure, we collect:
- AWS — IAM access key, secret key, or role ARN (read-only access)
- Azure — Tenant ID, Client ID, Client Secret, Subscription ID (read-only access)
Cloud credentials are encrypted at rest before storage. We only request read-only permissions — Konforme never modifies your cloud infrastructure.
2.4 Compliance data
As you use the platform, we store:
- Assessment responses (your answers to NIS2 maturity questions)
- Control statuses, assigned owners, due dates, and notes
- Scan results (findings from your cloud infrastructure scans)
- Evidence files you upload for audit purposes
- Compliance scores and report data
2.5 Employee campaign data
If you create employee training campaigns, you may provide:
- Employee names, email addresses, and departments
- Quiz responses and scores
- Policy acknowledgment records and completion timestamps
Important: For employee campaign data, you are the data controller and Konforme is the data processor. You are responsible for having a lawful basis to process your employees' data and for informing them accordingly.
2.6 Technical data
We automatically collect:
- Authentication tokens — session cookies (JWT) for secure access
- Audit logs — records of authentication events, scans, and configuration changes
- IP addresses — for rate limiting and abuse prevention (not stored long-term)
3. How we use your data
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide the platform | Account, compliance, scan data | Contract performance — Art. 6(1)(b) |
| Scan cloud infrastructure | Cloud credentials | Contract performance — Art. 6(1)(b) |
| Send service emails | Email address | Contract performance — Art. 6(1)(b) |
| Team collaboration | Team member emails, roles | Legitimate interest — Art. 6(1)(f) |
| Employee campaigns | Employee names, emails, scores | Legitimate interest — Art. 6(1)(f) |
| Security & abuse prevention | IP addresses, audit logs | Legitimate interest — Art. 6(1)(f) |
| Email verification | Email address | Contract performance — Art. 6(1)(b) |
We do not use your data for advertising, profiling, or sale to third parties. Ever.
4. Data storage & security
- Location: All data is processed and stored in EU data centres. No data is transferred to countries outside the European Economic Area.
- Encryption at rest: Cloud credentials and sensitive data are encrypted before storage.
- Encryption in transit: All connections use TLS/HTTPS. HSTS is enforced.
- Password security: Passwords are hashed using industry-standard one-way cryptographic algorithms. We never store plain-text passwords.
- Access control: Platform access is restricted by role (owner, admin, member). Each organisation's data is isolated.
- Rate limiting: API endpoints are rate-limited to prevent abuse.
- Account lockout: Accounts are temporarily locked after repeated failed login attempts.
5. Sub-processors
We use the following third-party services to operate Konforme:
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Application hosting & infrastructure | All platform data (encrypted) | EU region |
| Resend | Transactional email delivery | Email addresses, email content | See Resend DPA |
| Netlify | Website hosting (marketing site only) | Static assets only — no personal data | CDN |
We do not share your data with any other third parties. Cloud scanning is performed by connecting directly to your own AWS or Azure account — your cloud data stays in your account.
6. Cookies
Konforme uses only essential cookies required for the platform to function:
| Cookie | Purpose | Duration |
|---|---|---|
| Access token | Authenticates your session | 15 minutes |
| Refresh token | Renews your session securely | 7 days |
| CSRF token | Protects against cross-site request forgery | Session |
We do not use analytics cookies, advertising cookies, or third-party tracking cookies. No cookie consent banner is required because we only use strictly necessary cookies (GDPR Recital 30, ePrivacy Directive Art. 5(3)).
7. Data retention
| Data type | Retention period |
|---|---|
| Account data | Until you delete your account |
| Compliance data (assessments, controls, scans) | Until you delete your account |
| Cloud credentials | Until you remove them or delete your account |
| Employee campaign data | Until you delete the campaign or your account |
| Evidence files | Until you delete them or your account |
| Audit logs | 12 months, then automatically deleted |
| Email verification tokens | 24 hours |
| Password reset tokens | 1 hour |
| Team invitation tokens | 7 days |
When you delete your account, all associated data is permanently deleted within 30 days.
8. Your rights under GDPR
As an EU resident, you have the following rights:
- Right of access (Art. 15) — request a copy of the personal data we hold about you
- Right to rectification (Art. 16) — correct inaccurate personal data
- Right to erasure (Art. 17) — request deletion of your personal data ("right to be forgotten")
- Right to restrict processing (Art. 18) — limit how we use your data
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to withdraw consent (Art. 7) — where processing is based on consent, withdraw it at any time
To exercise any of these rights, email konform@konforme.io. We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection authority if you believe your rights have been violated.
9. Data processing agreement
When you use Konforme to process employee data (e.g. training campaigns), we act as a data processor under GDPR Article 28. A Data Processing Agreement (DPA) is available on request — contact konform@konforme.io.
10. International data transfers
All data is stored and processed within the European Economic Area (EEA). We do not transfer personal data to countries outside the EEA. If this changes in the future, we will ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses) and update this policy accordingly.
11. Children's data
Konforme is a business-to-business platform. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
12. Changes to this policy
We may update this privacy policy from time to time. When we make material changes, we will notify you by email or through a notice on our platform. The "Last updated" date at the top of this page indicates when the policy was last revised.
13. Contact
For any privacy-related questions, requests, or concerns:
- Email: konform@konforme.io
- Company: KNF Technologies