varhugi

Frequently asked questions

What almost everyone asks before deciding. If yours isn't here, send us a message and we'll add it.

Curriculum and training

  • What does Varhugi actually cover?

    Varhugi teaches security awareness: what every employee needs to know to avoid causing a security incident by mistake. Topics include phishing, strong passwords, two-factor authentication, AI in the workplace, data protection, and social engineering. Varhugi does not cover technical cybersecurity, network defence, or incident response. This is awareness training for the whole staff, not a security operations tool.

  • How long is each module?

    Five minutes, one module per month. Short reading material followed by a five-question quiz. The whole point is that it fits into a real workday, not a half-day course nobody finishes.

  • How many modules are in the curriculum?

    Currently seventeen modules — you can see all of them at /namskra. The curriculum runs on a thirteen-month rolling cadence: every staff member goes through each module once a year and then refreshes. We add new modules regularly.

  • Can we add our own content?

    Not yet. It's on the roadmap for Pro Plus, but today the curriculum is fixed. You can adjust due dates per module and mark modules as required or optional for your organisation in /stjornbord/verkefni.

  • How does the Varhugi-score work?

    It rates your organisation's security awareness on a 0–100 scale. The score is a weighted average of three factors: 50% completion rate of assigned modules, 30% average quiz pass rate, and 20% recency of training (older training drops the score). It's an internal trend metric, not a benchmark against other companies.

NIS2 and audit

  • Is Varhugi alone enough for NIS2?

    No. Varhugi handles the training piece of NIS2: staff awareness training and documented attendance. NIS2 also requires risk management, incident response plans, multi-factor authentication, supply-chain risk, board-level oversight, and other things Varhugi doesn't cover. You'll need additional tools and processes to meet NIS2 in full. Varhugi takes one of the many categories and makes it simple and audit-ready.

  • What's in the audit report?

    A one-click PDF with overall stats (how many staff completed each module) and a per-employee table with each module's status, attempt dates, scores, and links to certificates. It's exactly what an auditor wants to see. You can pull a report for the previous month or for any custom date range.

  • Can we change the due dates on modules?

    Yes. In /stjornbord/verkefni you can change the due date for each module and mark it required or optional. The automated reminders (seven days before due, three days before, on the day, and three days after) use the dates you set.

Privacy and security

  • Where is the data stored?

    The Postgres database lives at Neon in Frankfurt (EU). Certificates (PDF) are stored in Vercel Blob, also within the EU. Email is sent via Resend. All data stays inside the EU, which matters for GDPR and NIS2 compliance.

  • How is sign-in handled?

    Three options: a magic link by email (default), Google SSO, and Microsoft SSO. No passwords are stored. SSO providers handle their own multi-factor authentication. Sessions are managed by Auth.js v5 and cookies are HttpOnly and Secure when the connection is HTTPS.

  • What if a staff member wants their data deleted?

    Email hello@varhugi.is and we'll erase the data within thirty days, as GDPR requires. You can also remove the staff member from the company account on /stjornbord/starfsmenn, which revokes their access. Full erasure has to go through email because certificates are kept as documented evidence of completed training.

  • Do you offer a Data Processing Agreement?

    Yes, for Pro and enterprise customers. Reach out via /hafa-samband with details and we'll send a DPA for signature. Free and Lite plans rely on our standard terms, which are GDPR-compliant.

Pricing and contracts

  • Can we cancel any time?

    Yes. Monthly subscriptions cancel at the end of the current billing period (you keep access for what you already paid). Annual subscriptions run until the end of the year you paid for. No long-term contracts, no notice periods, no refunds on already-paid time.

  • Is VAT added on top?

    Yes. Prices on /verd exclude VAT. Twenty-four percent Icelandic VAT is added at checkout. You'll get an invoice you can use for VAT reclaim.

  • Is there an annual discount?

    Yes, seventeen percent off compared to paying monthly (effectively two months free). Lite annual is 99,000 ISK/year, Pro is 9,900 ISK/seat/year. Charged once, renews automatically twelve months later.

Onboarding and use

  • How long does it take to get started?

    About ten minutes. Create the company account, paste in your team's emails (or upload a CSV), pick a plan and you're going. The curriculum is auto-assigned on a thirteen-month rolling cadence and the reminders run themselves. No implementation calls, no sales calls.

  • What if our staff thinks the invitation is phishing?

    Common problem — your staff get an email from an unfamiliar domain and assume it's phishing, which is ironic for an awareness-training tool. /stjornbord/tilkynningar has ready-to-paste announcements you can drop into Slack, Teams or company email before invitations go out, so your team knows the email is real and from you.

  • Can we have multiple admins?

    Yes, as many admins or department managers as you want. On Pro, a department manager can be scoped to their own department and only see their team, while admins keep org-wide visibility. Department management lives at /stjornbord/deildir.

Question not answered here?

Send us a message and we'll reply within one business day. No sales calls, just answers.