Try free

Legal · Sub-processors

Sub-processors.

The third parties Norven uses to operate the platform on customers' behalf. Forms part of every customer Data Processing Addendum.

Customers receive 30 days' notice before a new sub-processor is added, with the opportunity to object on reasonable grounds. To receive these notifications, contact dpa@norven.app.

Supabase Inc.

Role
Database, authentication, file storage, and secrets vault (Postgres + Auth + Storage + Vault).
Data categories
All tenant content: control implementations, evidence metadata, audit log, policies, vendors, risks, assessments, encrypted customer integration credentials.
Region
European Union — eu-central-1 (Frankfurt). Migration to AWS il-central-1 (Tel Aviv) is planned for month 6–9.
Transfer mechanism
EU-located processing; SCCs apply where Supabase Inc. (US controller) accesses the EU infrastructure.

Cloudflare, Inc.

Role
DNS, CDN, edge compute. Hosts the customer-facing product (apps/web on Cloudflare Workers at secure.norven.app) and the marketing site (apps/marketing on Cloudflare Pages at norven.app).
Data categories
Request metadata for every page load. No customer evidence or content passes through Workers without already being authenticated and bound to the tenant by Supabase RLS.
Region
Global edge network. Cloudflare's logs are stored in the US.
Transfer mechanism
Cloudflare Data Processing Addendum incorporating the 2021 SCCs.

Railway Corp.

Role
Hosting for the NestJS API (apps/api at api.norven.app).
Data categories
All API request data, in-process during request handling. No persistent storage of customer content on Railway — Postgres is on Supabase, evidence files are on Supabase Storage, secrets are in Supabase Vault.
Region
europe-west (Amsterdam). Selected to keep latency low to Supabase eu-central-1.
Transfer mechanism
Railway operates from the US; EU processing region selected. SCCs available on request.

Functional Software, Inc. (dba Sentry)

Role
Application error tracking and observability for the marketing + product web surfaces. apps/api Sentry integration is on the polish list and not in production today.
Data categories
Stack traces, sanitized request metadata. The Sentry beforeSend hook (apps/web/src/lib/sentry/sanitize-event.ts) strips request bodies, cookies, auth headers, JWT/OAuth/bearer tokens, Postgres connection strings, SQL VALUES clauses, and stack-frame local variables before events are transmitted. A 17-case contract test in apps/web locks the redaction policy.
Region
European Union — Frankfurt region selected on the Sentry account.
Transfer mechanism
Sentry DPA incorporating the 2021 SCCs.

Anthropic, PBC

Role
Large-language-model inference for the AI-assistant features: AI policy drafting, AI policy gap analysis, AI evidence review, and the AI questionnaire suite. Each feature can be disabled by unsetting ANTHROPIC_API_KEY in apps/api.
Data categories
Control catalog excerpts (same content as the public marketing site), the tenant's control_implementation narratives (customer-private but bounded), evidence artifact metadata only — source, connectorId, collectedAt, mimeType, sizeBytes, connector-supplied metadata jsonb. Norven deliberately does NOT send evidence artifact bodies to Anthropic — see the comment block in evidence-review.service.ts that locks this in.
Region
United States.
Transfer mechanism
Anthropic Commercial Terms of Service. Customer inputs are not used to train Anthropic models. Inputs are stored for up to 30 days for trust & safety review, then deleted. Zero Data Retention (ZDR) available on Anthropic Enterprise — required before processing protected health information.

How to be notified of changes

Email dpa@norven.app with the subject "sub-processor notifications" and the email address you want notices sent to. We will email you at least 30 days before adding a new sub-processor, including the role the new sub-processor will play and the data categories it will see. You may object on reasonable grounds; if we cannot accommodate the objection, you may terminate the subscription on the terms set out in the DPA.

Sub-processors we do NOT use

For transparency: Norven does not use Vercel, Fly.io, AWS ECS / Fargate, Heroku, Render, Netlify, AWS Amplify, Cloud Run, or any hosted Redis service (Upstash, ElastiCache, etc.) in production today. Customer data does not flow through any analytics or marketing-attribution sub-processor.

Questions about this list, or want a signed PDF copy for your records? Email dpa@norven.app.