You trust us to encrypt your data.
That’s why we treat it like our own.

We believe in real transparency and will always tell you how we protect your most valuable asset.


  • Privacy

    Privacy statement

    Our privacy policy is simple; what is yours, remains yours.

    Nimbox does not hold any personal information outside of that which it explicitly needs to provide your services. We do not have access to your encrypted files, associated keys, or account passwords.

    We do, with your consent, collect the information that you provide to us when you browse our website, use our contact forms, send us an email, or subscribe to our services. This information includes your name, email address, telephone number, and billing details. This information is stored in the United Kingdom, and shall never leave her borders.

    The information that we hold about you will never be sold or given to a third party without your written consent. We may occasionally be presented with warrants demanding access to your data; we comply with all valid legal demands for the little information we hold.

    After your contract with us has ended, we shall promptly and permanently delete your information from our systems and records, apart from those data that we must retain to meet our statutory responsibilities (such as details of invoices sent to you).

    You have a right to know what information we hold about you, and you can request this at any time. We don’t charge a fee for you to access data that we hold about you, and you can make the request by contacting us.

    We’re transparent

    If our systems are ever compromised, we promise to inform users immediately after an incident, and will self-report to the Information Commissioner.

    An incident would include any breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, your personal or corporate data.

    We’ll notify affected users first, and then publish details of the breach on our blog.


    If you feel that your privacy, trust or security has been compromised, let us know, and we’ll work with you to make it right.

    If, for any reason, you feel that we haven’t made it right, you may contact our supervisory authority, the Information Commissioner’s Office.

  • Compliance


    Nimbox exists to secure your data and, as you would expect, we’re compliant with some of the most stringent regulatory standards in the world.

    We operate our infrastructure exclusively in ISO27001:2013 certified data centres, and your service is provisioned and maintained by an ISO27001:2013 certified team.

    Our service and software are fully compliant with HMG’s Cloud Security Principles, and aligned with CESG’s Good Practice Guides. We have built our service around the technical and policy controls that are suggested by these programmes. As such, our service can host information that is classified up to OFFICIAL under the UK Government Protective Marking Scheme.

    By hosting on infrastructure that we control, we ensure that data is stored in named locations in the United Kingdom, and that it will never reside outside of her sovereign borders.


    Our data centres and technical service provision team all hold current ISO27001:2013 certifications. As part of this, we operate a robust Information Security Management System, which helps us to appreciate and mitigate technical risk at every level of our organisation.

    Cyber Essentials

    We hold a Certificate of Assurance that testifies to our compliance with the requirements of the UK Government Cyber Essentials Scheme. You may view our certificate here.

    Crown Commercial Service Supplier

    We’re listed in the Digital Marketplace, and hold a current Crown Commercial Services Framework Agreement (G-Cloud 9), covering government procurement of our services. You may view our listing here.

    Solicitors Regulation Authority

    Our service is fully compliant with the SRA’s Code of Conduct. You may download our CoC fact sheet here.


    We’re insured by Hiscox Insurance Company for the following business activities:

    • Public and Products Liability; £1,000,000
    • Professional Indemnity; £5,000,000
    • Employers’ Liability; £10,000,000

  • Legal Requests

    Legal requests

    Nimbox’s founders have over 40 years of data hosting and information security experience. We have learned a lot over this time. We are transparent about what we can and cannot protect. We think it’s important that our customers know how Nimbox responds to government demands for user data. It’s important for law enforcement organisations to know this, too.

    We are a law-abiding company, and as such we comply with legal requests that are in the letter and spirit of the law, in the jurisdictions where we must. Presently, this would be those authorised by the Courts of England and Wales.

    We have designed our services to hold a minimal amount of information, such that any legal disclosure we must make reveals only a small amount of personal information, as set out in our Privacy Statement. We do not hold the encryption keys to your data, and are unable to decrypt your files under any circumstances. Against this backdrop, we must and will comply with binding legal requests for data.

    Before we release any information to law enforcement or other agencies, we, and our counsel, will evaluate the request to ensure it complies with the letter and spirit of the law. Like our fellow privacy-first companies, and when possible, we will notify affected users to give you a chance to object to the disclosure.

    Submitting a request

    If you are a law enforcement or other agency, and wish to serve a warrant or other legal request for user data, you may write to us at:

    Disclosure Team,
    The Waterscape,
    LS5 3EG


Additional documentation

Service Overview PDF
