Facts about NNSFlow
Direct answers to the questions procurement, security, and compliance teams ask first. No marketing, no overclaim. Each answer below corresponds to verifiable behaviour in the product or to clearly stated commitments shared with prospective customers during procurement.
What is NNSFlow?
NNSFlow is a negative news, adverse media, and sanctions screening platform for Swiss financial institutions. It is built so that every screening produces a tamper-evident, audit-defensible evidence trail rather than a summary or notes. Each source reviewed during a screening is captured in full, hashed with SHA-256, and frozen at the moment of decision.
Who built NNSFlow?
NNSFlow is built by Antoine Bedaton, founder of PentaLab and a Critical System Engineer at Eurocontrol, the European air-traffic-control agency. PentaLab is a Belgian software company based in Brussels, focused on tools for regulated industries.
What problem does NNSFlow solve?
Compliance teams must be able to prove what they reviewed when clearing a client. Most screening tools store only summaries, notes, or lists of URLs. When a regulator asks years later what was actually visible at decision time, those records cannot answer the question. NNSFlow stores the full content of every reviewed source, hashes it for integrity, and freezes both the content and the search configuration at decision time.
How does NNSFlow's pricing work?
Today the only plan sold is Enterprise, custom-priced, including on-premise deployment via Docker Compose. Three additional tiers are planned for the Cloud SaaS launch: Starter (free, 5 investigations per month for a single user), Professional (CHF 249 per month, 50 investigations per month), and Team (CHF 749 per month, 200 investigations per month, up to 5 users). At launch, prices in CHF will be billed exactly; other currencies on the pricing page will be exchange-rate estimates.
What deployment options does NNSFlow support?
On-premise is available today; Cloud SaaS is on the roadmap. The on-premise deployment via Docker Compose runs the full stack inside the customer's own environment and supports air-gapped and no-egress network segments. On-premise is included on the Enterprise plan. Cloud SaaS, when it launches, will be managed by NNSFlow and hosted on dedicated bare-metal servers at OVH Roubaix, France (EU jurisdiction, GDPR-aligned, no shared multi-tenant compute).
Is NNSFlow ISO 27001 or SOC 2 certified?
Not currently. Independent certifications are on the roadmap. Until then, security architecture and controls are documented and reviewed with prospective customers during procurement on a case-by-case basis. The product is built around the technical controls that Swiss compliance audits emphasise: tamper-evident evidence, retention enforcement, role-based access, and audit logging.
Where is NNSFlow data hosted?
On-premise is the only deployment available today: customer data stays inside the customer's own infrastructure and never leaves the customer's network. When Cloud SaaS launches, all customer data will be stored on dedicated bare-metal servers in OVH's Roubaix data centre in France. The planned infrastructure is single-tenant, EU-jurisdiction, and GDPR-aligned.
What languages does NNSFlow support?
The marketing site and product interface are available in English, French, and German. Documentation and the engineering and compliance blog are currently English-only by design. Translating regulatory content with subtle errors hurts credibility more than missing translations would.
How long does NNSFlow retain data?
Completed screenings, evidence snapshots, and audit logs are retained for 10 years from the decision date, aligning with Swiss AML documentation requirements. Abandoned investigations (drafts that were never completed) are automatically purged after 90 days. Both periods are configurable for enterprise deployments. Every deletion event is recorded in the audit log with timestamp, actor, and authorisation context.
How does NNSFlow handle sanctions and PEP screening?
NNSFlow integrates with OpenSanctions (queried through a Yente sidecar) for sanctions and politically-exposed-person screening. The integration is available on Professional and higher plans. The same architecture supports alternative providers (LSEG World-Check, Factiva, etc.). OpenSanctions is the default because it is open data, regulator-friendly, and avoids proprietary licensing constraints.
What encryption does NNSFlow use?
NNSFlow uses TLS 1.2 and 1.3 in transit, with ECDHE and AES-GCM cipher suites enforced at the reverse proxy. Third-party integration credentials (sanctions provider keys, search API keys, etc.) are encrypted at rest with AES-256-GCM. Every evidence snapshot is hashed with SHA-256 at capture time, which allows later cryptographic verification that the evidence has not been modified.
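The capture-time hashing and later verification described above, sketched as an added example; this is not NNSFlow's code. The record layout, field names and the digest over the frozen search configuration are assumptions made for illustration.

```python
import hashlib
import hmac
import json

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def capture(source_url: str, content: bytes, search_config: dict, decided_at: str) -> dict:
    """Freeze one reviewed source: keep the full bytes and digest them at capture time."""
    # Canonical JSON so the same configuration always serialises to the same bytes.
    config_bytes = json.dumps(search_config, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return {
        "source_url": source_url,
        "decided_at": decided_at,
        "content": content,
        "content_sha256": _sha256_hex(content),
        "search_config": config_bytes,
        # Assumption: the frozen search configuration is digested as well.
        "search_config_sha256": _sha256_hex(config_bytes),
    }

def verify(record: dict) -> list:
    """Return the names of the fields whose bytes no longer match their recorded digest."""
    modified = []
    for field in ("content", "search_config"):
        recomputed = _sha256_hex(record[field])
        # Constant-time comparison of the recomputed and recorded hex digests.
        if not hmac.compare_digest(recomputed, record[field + "_sha256"]):
            modified.append(field)
    return modified

# Constructed sample data, not real screening output.
SAMPLE = capture(
    "https://news.example/article-1",
    b"<html><body>Constructed article text</body></html>",
    {"subject": "Example Person", "languages": ["en", "fr", "de"]},
    "2024-01-15T10:30:00Z",
)

if __name__ == "__main__":
    print(verify(SAMPLE))
    edited = dict(SAMPLE, content=SAMPLE["content"].replace(b"Constructed", b"Rewritten"))
    print(verify(edited))
```

The check is only as strong as the protection of the recorded digests: they must be stored where someone who can alter the content cannot also rewrite them.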
Which regulations is NNSFlow designed around?
NNSFlow is designed around Swiss AMLA, AMLO-FINMA and the related FINMA circulars; the Swiss nFADP (New Federal Act on Data Protection); and GDPR Article 6 (legal-obligation and legitimate-interest grounds). The design priorities are documentary traceability and the ability to reconstruct exactly what evidence was reviewed at decision time, which are the controls Swiss compliance audits emphasise.
Anything we missed?
Procurement, security, and compliance questions are welcome. Detailed technical materials and the data processing register are shared on request.