Security for the Nialli Visual Planner service 

Last updated May 5, 2026

The information provided below relates to the Nialli® Visual Planner Security Practices. The Nialli Visual Planner Privacy Policy is available here.

For information relating to the Nialli General Security Practices and Privacy Policy, see the Nialli Security Practices and Nialli Privacy Policy.


Nialli Visual Planner overview

Nialli Visual Planner is a cloud-based digital alternative to traditional sticky-note pull-planning sessions, enabling construction teams to collaboratively plan, track, and adjust project schedules in real time.

It preserves the human-centric, sticky-note approach used in Lean Construction while adding the advantages of digital data capture, real-time updates, remote collaboration, and analytics. Nialli Visual Planner is in the scope of our ISO/IEC 27001-aligned Information Security Management System (ISMS).


Microsoft® Azure™ security

Nialli Visual Planner is hosted on the Microsoft Azure platform. The service is segregated so that users can only access their own services and data. All user interaction with Nialli Visual Planner is done via encrypted communications using industry-standard TLS 1.2 or higher.

Microsoft Azure maintains certifications and attestations including:

  • ISO/IEC 27001, 27018
  • GDPR
  • SOC1, 2, 3
  • FedRAMP
  • PCI DSS
  • NIST security frameworks

More information about Microsoft Azure cloud services can be found at https://www.microsoft.com/en-us/trustcenter.


Auth0 by Okta Identity Platform

Nialli Visual Planner leverages Auth0 by Okta for all identity and access management (IAM) services.

Auth0 by Okta service states the following security and privacy accreditations:

  • ISO/IEC 27001, 27017, and 27018
  • SOC 2 Type II
  • CSA STAR
  • HIPAA
  • PCI DSS
  • GDPR

More information about Auth0 by Okta can be found at https://auth0.com/security.


Encryption and key management

Data within the Nialli Visual Planner service is encrypted using 256-bit AES encryption while at rest and Transport Layer Security (TLS) 1.2 or higher while in transit. We maintain an “A” ranking from Qualys SSL Labs (www.ssllabs.com) for our certificate, protocol support, key exchange and cipher strength. We use current, industry-accepted cryptographic technologies and disable deprecated or insecure protocols and ciphers. Encryption controls are reviewed periodically and updated as new threats and best practices emerge.

Security controls are implemented to manage cryptographic keys throughout their lifecycle, including generation, storage, rotation, and revocation. Access to key management systems is restricted and monitored, and key management processes are automated where possible to reduce human error and limit access.


Account data

To provide the Nialli Visual Planner service to our users, we collect and store account data each time a new account is created. Account data includes a user’s first name, last name, email, authentication credentials, and company name. Account data is stored in Microsoft Azure in the United States. Authentication of user credentials is managed through Auth0 by Okta identity service in the United States. Additionally, we collect anonymous non-personally identifiable usage data about features of Nialli Visual Planner as feedback toward improving the application. Please see our Nialli Visual Planner Privacy Policy.


Application

Nialli Visual Planner is a cloud-based digital replacement for traditional sticky-note pull-planning sessions, allowing construction teams to collaboratively plan, track, and adjust project schedules in real time.

It mirrors the human-centric, sticky-note format used in Lean Construction while adding the benefits of digital data capture, real-time updates, remote participation, and analytics.


Databases and storage

The Nialli Visual Planner service stores and retrieves data from an Azure SQL database in the United States, Canada, Europe, United Kingdom, or Australia. Data stored in the Azure SQL database is encrypted. Data residency depends on customer deployment configuration.


Security by design

Nialli follows a secure software development process that ensures security and privacy are integrated throughout every phase of the development life cycle, and formal procedures are in place to

  • Define security requirements – which include threat modelling, metrics for reporting, and security/privacy considerations during design review.
  • Secure development and testing – processes are in place to manage third-party components and tools; static analysis is performed during application build procedures; and dynamic analysis and penetration testing are conducted both internally and by external experts.
  • Review security compliance – the software delivery process includes a final security review before deployment.
  • Respond to security incidents – established incident response and periodic disaster recovery testing procedures are in place.

Monitoring and logging

We create, store, and continuously monitor a range of application and infrastructure logs for the Nialli Visual Planner service. This includes the use of database auditing and threat detection capabilities to track and assess actions performed against system resources and data stores.

The service employs active and continuous monitoring practices to detect changes, anomalous behavior, and potential security threats in near real time. Alerts are automatically generated when suspicious or unexpected activity is identified. These alerts are promptly reviewed and investigated by the development and information security teams.

This proactive monitoring approach enables timely detection of unauthorized access attempts, configuration changes, and emerging threats, supporting rapid response and helping to maintain the integrity, availability, and security of the service.


Technical security assessments

We regularly engage an independent, accredited security firm to perform vulnerability assessments and penetration testing on Nialli Visual Planner and its associated services. Any material vulnerabilities identified are promptly remediated and then independently retested to confirm effective resolution.

These assessments follow the Security Incident Response Team’s (STIRT) vulnerability assessment methodology, which is grounded in the Open-Source Security Testing Methodology Manual (OSSTMM) developed by the Institute for Security and Open Methodologies (ISECOM), and incorporates guidance from the OWASP® Web Application Security Testing Guide.

Assessments are conducted in alignment with product release cycles as well as at predefined periodic intervals to ensure ongoing security assurance.


Nialli Visual Planner service access security

The following controls govern access to the Nialli Visual Planner service.

User authentication and access

The Nialli Visual Planner service employs an authentication and authorization framework based on standard OAuth 2.0 protocols to securely identify and authorize users accessing system resources. Identity and account management are provided through the Auth0 by Okta Identity Platform.

In addition to native authentication, Nialli Visual Planner supports Business-to-Business (B2B) authentication, enabling secure authentication with other organizations. Through this capability, customers can integrate with their own identity providers and leverage customer-managed Single Sign-On (SSO) solutions (such as SAML 2.0 or OpenID Connect–compliant systems). This allows organizations to authenticate users through their existing identity platforms while enforcing their own authentication policies, including multi-factor authentication (MFA), password policies, and conditional access controls.

When a user creates a Nialli Visual Planner account, no permissions are granted by default, adhering to the principle of least privilege. Access is governed through role-based access control (RBAC) and is managed at two distinct levels: Subscription level and Plan level.

Subscription Admins act as global administrators for the subscription. They have full administrative privileges and are responsible for assigning, managing, and revoking permissions for Plan Admins and other users. Subscription Admins also have the ability to designate additional Subscription Admins as required.

To reduce administrative risk and as a security best practice, organizations typically maintain a minimal number of Subscription Admins, usually a primary and a secondary administrator. Day-to-day user access and permission management should be handled by these designated administrators, ensuring centralized oversight, clear accountability, and consistent enforcement of access controls.
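As an added illustration (not Nialli's code), the following models the two-level, default-deny RBAC described above: a new account holds no role, Subscription Admins manage all permissions and may designate further Subscription Admins, and plan-level roles are scoped to one plan. The role names, the rule that a Plan Admin manages only their own plan, and the "keep at least one admin" guard are assumptions.

```python
from dataclasses import dataclass, field

PLAN_ADMIN = "PlanAdmin"
PLAN_MEMBER = "PlanMember"  # assumed name for a non-admin, plan-scoped role

class AuthorizationError(PermissionError):
    pass

@dataclass
class Subscription:
    admins: set = field(default_factory=set)   # user ids holding Subscription Admin
    plans: dict = field(default_factory=dict)  # plan_id -> {user_id: plan role}

    def plan_role(self, user, plan_id):
        # Default deny: a user with no explicit grant holds no role at all.
        return self.plans.get(plan_id, {}).get(user)

    def can_access_plan(self, user, plan_id):
        return user in self.admins or self.plan_role(user, plan_id) is not None

    def _require_subscription_admin(self, actor):
        if actor not in self.admins:
            raise AuthorizationError(f"{actor} is not a Subscription Admin")

    def _require_plan_manager(self, actor, plan_id):
        # Assumption: Subscription Admins manage every plan, while a Plan Admin
        # manages membership only within the plan they administer.
        if actor not in self.admins and self.plan_role(actor, plan_id) != PLAN_ADMIN:
            raise AuthorizationError(f"{actor} may not manage plan {plan_id}")

    def grant_plan_role(self, actor, target, plan_id, role):
        if role not in (PLAN_ADMIN, PLAN_MEMBER):
            raise ValueError(f"unknown plan role {role!r}")
        self._require_plan_manager(actor, plan_id)
        self.plans.setdefault(plan_id, {})[target] = role

    def revoke_plan_role(self, actor, target, plan_id):
        self._require_plan_manager(actor, plan_id)
        self.plans.get(plan_id, {}).pop(target, None)

    def designate_subscription_admin(self, actor, target):
        self._require_subscription_admin(actor)
        self.admins.add(target)

    def revoke_subscription_admin(self, actor, target):
        self._require_subscription_admin(actor)
        if self.admins == {target}:  # assumption: a subscription keeps at least one admin
            raise AuthorizationError("cannot remove the last Subscription Admin")
        self.admins.discard(target)
```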


 © 2026 Nialli Inc. All rights reserved. Nialli and the Nialli logo are trademarks or registered trademarks of Nialli Inc. in the United States, Canada and other countries. All third-party product and company names are for identification purposes only and may be trademarks of their respective owners. May 2026.