
🚧 Alpha testing in progress — for more information contact [email protected]


Platform & Security Overview

ShieldBase is a multi-tenant, AI-powered NIS 2 compliance platform built for European SMBs and mid-market organisations. This page describes the platform capabilities, security architecture, and audit features in detail.

Platform

Core Capabilities

All 10 NIS 2 Article 21 measures covered on every tier — no modules to buy separately.

AI-Powered Gap Analysis

Answer 20 guided questions mapped to all 10 NIS 2 Article 21 measures. The AI engine identifies compliance gaps and produces an actionable remediation plan tailored to your sector and organisation size.

Policy Generator

Generate board-ready cybersecurity policies, procedures, and documentation that satisfy NIS 2 requirements. Each policy is contextualised to your industry, locale, and risk profile.

Risk Management

Interactive risk register with AI-assisted assessment, treatment plans, automatic risk scoring, and sector-specific threat scenarios pre-loaded for your industry.

Incident Management

24-hour incident reporting workflow with automated timelines, NCA notification templates, and post-incident analysis — fully aligned with NIS 2 Article 23 reporting obligations.

Supply Chain Security

Track and assess suppliers with automated questionnaires, risk scoring, and continuous monitoring to demonstrate Article 21(2)(d) supply chain due diligence.

Employee Training

Security awareness modules with AI-generated scenarios specific to your sector. Track completion rates for Article 21(2)(g) cyber hygiene compliance evidence.

Management Accountability

Document due diligence and oversight activities. Generate evidence of Article 20 governance compliance to demonstrate management body accountability.

Multi-Language Support

Full platform localisation in 8 EU languages: English, German, Croatian, Slovenian, Hungarian, Czech, Polish, and Romanian — with NCA contact details for each member state.

Security

Security Architecture

Enterprise-grade security built for regulated environments. Every layer — from authentication to data storage — is hardened and auditable.

Authentication & Access Control

  • Email + password with bcrypt hashing (cost 12)
  • Google & Microsoft OAuth 2.0 with PKCE S256
  • TOTP two-factor authentication (RFC 6238)
  • SAML SSO for enterprise organisations (Business tier)
  • Role-based access control: Admin, Approver, Editor, Reader
  • Session tokens with SHA-256 hashing and configurable expiry

Data Protection & Encryption

  • BYOK (Bring Your Own Key) envelope encryption (Business tier)
  • AES-256-GCM field-level encryption for sensitive data
  • DEK generation, wrap/unwrap, rotation, and revocation
  • All data stored in EU data centres (Supabase EU region)
  • TLS 1.3 for all data in transit

API Security Hardening

  • CSRF protection with Origin/Referer validation + custom headers
  • Security headers: HSTS, CSP, X-Frame-Options, Referrer-Policy
  • Global rate limiting (100 req/min) + auth rate limiting (10 req/min)
  • Request size limits (10 MB) to prevent payload attacks
  • Input validation with Zod schemas on every endpoint
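The CSRF check described above (Origin/Referer validation plus a custom header), as an added example written for this page rather than ShieldBase's middleware. The allow-listed origin and the `X-Requested-With` header value are assumptions; the check is a pure function so it can be unit-tested and then wrapped for Express.

```javascript
// Allowed origins would come from configuration; this value is constructed.
const ALLOWED_ORIGINS = new Set(['https://app.example.test']);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Returns null when the request may proceed, otherwise a rejection reason.
// `headers` is a plain object with lower-cased names, as Node provides.
function csrfCheck(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) return null; // no state change

  // 1. Custom header: a plain HTML form or a cross-site request without a
  //    CORS preflight cannot set it, so it must be present on mutations.
  if (headers['x-requested-with'] !== 'XMLHttpRequest') return 'missing custom header';

  // 2. Origin (preferred) or Referer must match the allow-list. Compare the
  //    parsed origin, not a string prefix, so look-alike hosts that merely
  //    start with an allowed origin are rejected.
  const source = headers['origin'] || headers['referer'];
  if (!source) return 'missing Origin and Referer';
  let origin;
  try { origin = new URL(source).origin; } catch (e) { return 'malformed Origin/Referer'; }
  if (!ALLOWED_ORIGINS.has(origin)) return 'origin not allowed';
  return null;
}

// Express-style adapter; Express itself is not needed to run the check.
function csrfMiddleware(req, res, next) {
  const reason = csrfCheck(req.method, req.headers);
  if (reason) return res.status(403).json({ error: `CSRF check failed: ${reason}` });
  next();
}
```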

Multi-Tenant Isolation

  • Row-Level Security (RLS) policies on all 13 tenant-scoped tables
  • Organisation-scoped queries with withOrgScope() helper
  • Cross-tenant IDOR protection audited and verified
  • Invitation-only team onboarding with token-expiry controls

Audit

Audit & Compliance Evidence

Every action is logged, every change is traceable. ShieldBase generates the evidence trail that auditors and NCAs require.

Compliance Change Log

Full before/after audit trail for all regulation compliance data changes. Every mutation across 20+ endpoints is instrumented with structured field-level diffs, JSONB snapshots, and IP address tracking — providing NIS 2 Article 21 compliance evidence.

Audit Log

Comprehensive audit log capturing all security-sensitive actions: team member invitations, role changes, member removals, policy approvals, SSO configuration changes, and encryption key operations — with user, IP address, and timestamp for every event.

Change History & Entity Timeline

Query the full change history for any compliance entity — policies, risks, incidents, suppliers, training records — with filtered search by regulation, entity type, user, action type, and date range. Every change is traceable to a specific user and timestamp.

SAML Assertion Logging

For Business-tier organisations using SAML SSO, all SAML assertions are logged with replay protection and automatic cleanup — providing a complete authentication audit trail for regulated environments.

Plans

Available Tiers

Transparent, predictable pricing. All tiers include the full compliance platform — upgrade for more users and enterprise features.

Starter

Up to 5 users

  • Full NIS 2 Article 21 coverage
  • AI gap analysis
  • Up to 5 AI policy documents
  • Basic risk register
  • Incident management (24h workflow)
  • Unlimited suppliers & employees
  • 1 language
  • Email support

Professional

Up to 15 users

  • Everything in Starter, plus:
  • Unlimited AI policy documents
  • Advanced risk scoring
  • Board-ready compliance reports
  • Custom policy templates
  • Audit trail & evidence collection
  • Up to 4 languages
  • Priority email + chat support

Business

Unlimited users

  • Everything in Professional, plus:
  • All 8 EU languages
  • Export reports in English (parallel translation)
  • SAML SSO (single sign-on)
  • Bring Your Own Key (BYOK) encryption
  • API access + webhooks
  • Multi-regulation ready (DORA, GDPR)
  • Custom integrations

Technical

Technology Stack

Purpose-built for compliance workloads with modern, auditable infrastructure.

Frontend: Next.js 14 (App Router), React 18, Tailwind CSS, Framer Motion
Backend: Express + tRPC, Zod schema validation, session-based tokens
Database: PostgreSQL (Supabase) with Drizzle ORM, RLS, JSONB audit storage
AI: OpenAI GPT-4o with RAG retrieval, sector-aware prompt engineering
Auth: Credentials, Google OAuth, Microsoft OAuth, SAML SSO, TOTP 2FA
Encryption: AES-256-GCM, BYOK envelope encryption, SHA-256 token hashing
i18n: next-intl with 8 EU locales, per-NCA regulatory context
Hosting: EU data centres, TLS 1.3, security headers, CSRF + rate limiting