Built for regulated records

Security & compliance at NDMS.

Contracts, loan files and compliance records are among the most sensitive data a business holds. Here is exactly how NDMS isolates, protects, retains and disposes of yours β€” written plainly, for the people who have to sign off on it.

Start free β†’ Talk to us about a review
Honest framing

NDMS is architected to help you meet common records, privacy and retention obligations. We are not currently independently certified against ISO 27001, SOC 2 or similar. Where we say "aligned", we mean our defaults and controls are designed to support your obligations β€” not that a third party has audited us. We'll tell you the same thing on a call.

Tenant isolation β€” enforced at the database

Every tenant's documents, users, signatures and audit records live behind Postgres row-level security (RLS). Each query is automatically scoped to a single tenant, and the application connects as a non-privileged database role β€” so isolation holds even if application code has a bug. It is defence in depth, not a filter someone can forget to add.

On top of that, each tenant can carry its own KMS encryption key, so records are cryptographically separated even though they share infrastructure. One tenant's documents cannot surface in another's search, export or audit view. Ever.

Data residency β€” one region, your choice

NDMS deploys per-region. Your documents, database, search index and archives all live in a single AWS region β€” and we can stand your instance up in the region your policy or customers require (for example an EU or Asia-Pacific region). Your data does not fan out across regions for storage or processing.

Encryption, in transit and at rest

Everything you see in the console is served over HTTPS/TLS, and documents are stored encrypted at rest in object storage β€” optionally under a per-tenant KMS key. Uploads and downloads use short-lived, signed URLs scoped to your tenant, never a public path.

Retention, disposition & WORM immutability

Records don't just pile up. You attach a retention policy β€” how long a document stays active, how long it's archived, and what happens at the end (delete, anonymise, or legal hold). NDMS runs that schedule for you: it transitions aged documents to cold storage and disposes them when their window truly elapses.

Archived records are written to S3 Object Lock (WORM) in compliance mode β€” they cannot be altered or deleted before the retention period ends, not even by an administrator. That's the difference between "we have a policy" and "the storage physically enforces it."

An append-only audit trail

Every meaningful action β€” a view, an edit, a signature, an archival, a disposal β€” is written to an append-only audit log with the actor, the time and the tenant. When someone asks "who could see this, and what happened to it?", you answer from the record, not from memory.

Passwordless, two-factor access

There are no passwords to phish, leak or reset. Signing in takes two factors every time: a one-time code sent to your email, plus a code from your authenticator app. Access inside a tenant is governed by role-based access control, so people see only what their role allows β€” in live search and archives alike.

Export & erasure β€” your data, your call

You can export your documents and, subject to any active legal hold or WORM retention window, erase records or your whole tenant on request. There's no proprietary format holding your data hostage. When you leave, your data leaves with you or is destroyed β€” your choice.

At a glance

Isolation

Row-level security per tenant, a non-privileged DB role, and optional per-tenant KMS keys.

RLS Β· per-tenant KMS

Immutability

Archived records are Object-Lock (WORM) β€” unchangeable until retention truly elapses.

S3 Object Lock Β· compliance mode

Access

Passwordless 2FA (email code + authenticator) and role-based access control throughout.

2FA Β· RBAC

Accountability

Append-only audit log of every view, edit, signature, archival and disposal.

Append-only Β· audited