Security

Your data is safe with us

We take security seriously. Here is how we protect your business data, payments, and personal information.

Encryption everywhere

  • In transit: All connections are encrypted. Every page and API call is served over HTTPS.
  • At rest: Your data is encrypted in our databases and backups.
  • Secrets: API keys and credentials are stored in secure vaults, never in source code.

EU-based hosting

  • Data residency: Your data is hosted in the EU (Frankfurt region) and stays within the European Economic Area.
  • Backups: Automated daily backups with point-in-time recovery, stored separately from production.
  • DDoS protection: Edge-level protection against distributed denial-of-service attacks.

Payment security

  • Powered by Stripe: All payments are processed through Stripe, a PCI DSS Level 1 certified provider. We never see or store your card details.
  • Strong authentication: Card payments use Strong Customer Authentication (SCA) for an extra layer of verification.

Account security

  • Secure sign-in: Passwords are securely hashed. Google sign-in is available for passwordless access. Accounts lock after repeated failed attempts.
  • Protection built in: Industry-standard defences against cross-site scripting, injection, and session attacks.

GDPR and your data rights

  • GDPR compliant: We process personal data lawfully and transparently. You can request access, correction, or deletion at any time.
  • Data export: Export your contracts, invoices, and time entries as PDFs whenever you want. Your data is never held hostage.
  • Data retention: After you request account deletion, your data stays recoverable for 30 days, then your personal details are permanently scrubbed. Financial records are kept anonymised for 10 years to meet financial-record retention law.
  • Cookie consent: Granular, opt-in cookie consent following ICO and PECR guidelines. Analytics and chat are off by default.

Responsible disclosure

Found a security issue? We appreciate responsible disclosure. Please email us directly and we will respond within 48 hours.

security@hellonoa.com

Security questions

Where is my data stored?

Your data is hosted in the EU (Frankfurt region) and stays within the European Economic Area. We use encrypted databases with automated daily backups and point-in-time recovery.

Do you sell my data?

No. We never sell or monetise your data. We only share data with the service providers we need to run HelloNoa (for example, our payment processor, EU hosting and storage, e-signature and email delivery providers). These sub-processors are listed in our Privacy Policy and are bound by data-processing agreements. We comply fully with UK GDPR, the UK Data Protection Act 2018 and the Swiss Federal Act on Data Protection.

How are payments secured?

All payments are processed through Stripe, a PCI DSS Level 1 certified provider. We never see or store your card details. Card payments use Strong Customer Authentication (SCA) for extra verification.

Can I export or delete my data?

Yes. You can export your contracts, invoices, and time entries as PDFs at any time. If you delete your account, there's a 30-day grace period in case you change your mind, then we remove your personal details. Invoices and contracts are kept, with your personal data stripped out, only as long as financial-record retention law requires (10 years).

Is HelloNoa GDPR compliant?

Yes. We process personal data lawfully and transparently. You can request access, correction, or deletion at any time. Our cookie consent follows ICO and PECR guidelines, so analytics and chat are off by default.
