Security
Norven is a compliance product. A bug here is not "oops" — it is a breach of the trust we sell. The controls below are P0 always, not best-effort.
Engineering posture
Every tenant-scoped table is protected by Postgres Row-Level Security. Cross-tenant joins are forbidden outside platform-admin tooling. A tenant-isolation test for every table is mandatory at PR time.
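One way to build the tenant isolation and the PR-time isolation test described above, as an added example rather than Norven's own schema. The `evidence` table, the `app_user` role and the `app.tenant_id` transaction setting are assumptions for the illustration:

```sql
-- Added example, not Norven's schema: a tenant-scoped table under Postgres
-- Row-Level Security, and the isolation check a PR-time test would run.
-- Assumptions: the app connects as the non-superuser role app_user and sets the
-- caller's tenant per transaction with SET LOCAL app.tenant_id = '<uuid>'.
CREATE ROLE app_user NOLOGIN;

CREATE TABLE evidence (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    body      text NOT NULL
);

-- Constructed seed data for two tenants, loaded before RLS is switched on.
INSERT INTO evidence (tenant_id, body) VALUES
    ('11111111-1111-1111-1111-111111111111', 'tenant A artifact'),
    ('22222222-2222-2222-2222-222222222222', 'tenant B artifact');

ALTER TABLE evidence ENABLE ROW LEVEL SECURITY;
ALTER TABLE evidence FORCE ROW LEVEL SECURITY;   -- binds the table owner too

-- One policy for every command: a row is visible or writable only when its
-- tenant_id equals the transaction's tenant. If the setting is absent,
-- current_setting(..., true) returns NULL, the comparison is not true, and the
-- session sees nothing rather than everything.
CREATE POLICY tenant_isolation ON evidence
    FOR ALL
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON evidence TO app_user;
GRANT USAGE ON SEQUENCE evidence_id_seq TO app_user;

-- Isolation test, run as the application role for tenant A. Each ASSERT is
-- what a PR-time test for this table would check.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

DO $$
DECLARE n bigint;
BEGIN
    -- Tenant A sees exactly its own rows.
    SELECT count(*) INTO n FROM evidence;
    ASSERT n = 1, 'tenant A can see rows that are not its own';

    -- Tenant B's rows are invisible to UPDATE as well as to SELECT.
    UPDATE evidence SET body = 'tampered'
     WHERE tenant_id = '22222222-2222-2222-2222-222222222222';
    GET DIAGNOSTICS n = ROW_COUNT;
    ASSERT n = 0, 'tenant A could update tenant B rows';

    -- Writing a row attributed to tenant B is refused by WITH CHECK.
    BEGIN
        INSERT INTO evidence (tenant_id, body)
        VALUES ('22222222-2222-2222-2222-222222222222', 'smuggled');
        RAISE EXCEPTION 'cross-tenant insert was allowed';
    EXCEPTION WHEN insufficient_privilege THEN
        NULL;   -- expected: "new row violates row-level security policy"
    END;
END $$;
ROLLBACK;
```

In CI the `DO` block would be generated once per tenant-scoped table. The first assertion also catches the common mistake of enabling RLS without creating a policy: that state is default-deny, so the count comes back 0 instead of 1 and the test fails rather than silently passing.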
TLS 1.2+ in transit, AES-256 at rest. Per-tenant data encryption keys, with customer-managed encryption keys (CMEK) on the Enterprise tier.
Customer OAuth tokens, API keys, and service-account JSONs live in Supabase Vault. Direct env access for customer credentials is a code-review block. Secrets never appear in logs or error messages.
Evidence artifacts are hashed on ingest with SHA-256 and stored append-only. "Deletes" are soft-deletes recorded with reason, actor, and timestamp — the original record remains for the retention window.
Every read and write of evidence is recorded in an append-only audit_log table, separate from application logs. The audit trail is itself the artifact your auditor reviews.
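The evidence and audit-trail mechanics of the two paragraphs above (hash on ingest, append-only storage, soft-deletes with reason, actor and timestamp, and an audit table separate from application logs), as an added example that is not Norven's code. Every name in it (`evidence_artifact`, `evidence_deletion`, `audit_log`, `app_user`, the `app.actor` session setting) is an assumption. Because a table trigger cannot observe SELECTs, reads are routed through a function that records them:

```sql
-- Added example, not Norven's schema: one way to implement hash-on-ingest,
-- append-only evidence with soft-deletes, and a separate append-only audit
-- trail in Postgres. Every name (evidence_artifact, evidence_deletion,
-- audit_log, app_user, the app.actor session setting) is an assumption.
CREATE ROLE app_user NOLOGIN;

CREATE TABLE evidence_artifact (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid  NOT NULL,
    content     bytea NOT NULL,
    sha256      bytea NOT NULL,     -- set by trigger, never by the caller
    ingested_at timestamptz NOT NULL DEFAULT now()
);
-- A "delete" is a new row here; the artifact row itself is never changed.
CREATE TABLE evidence_deletion (
    artifact_id bigint NOT NULL REFERENCES evidence_artifact (id),
    reason      text   NOT NULL,
    actor       text   NOT NULL,
    deleted_at  timestamptz NOT NULL DEFAULT now()
);
-- The audit trail is its own table, separate from application logs.
CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    artifact_id bigint NOT NULL,
    action      text   NOT NULL CHECK (action IN ('read', 'write', 'delete')),
    actor       text   NOT NULL,
    occurred_at timestamptz NOT NULL DEFAULT now()
);

-- Append-only, two layers: app_user is never granted UPDATE/DELETE, and a
-- statement-level trigger refuses them even for roles that hold them.
CREATE FUNCTION refuse_mutation() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN RAISE EXCEPTION 'table % is append-only', TG_TABLE_NAME; END $$;
CREATE TRIGGER no_mutation BEFORE UPDATE OR DELETE ON evidence_artifact
    FOR EACH STATEMENT EXECUTE FUNCTION refuse_mutation();
CREATE TRIGGER no_mutation BEFORE UPDATE OR DELETE ON evidence_deletion
    FOR EACH STATEMENT EXECUTE FUNCTION refuse_mutation();
CREATE TRIGGER no_mutation BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION refuse_mutation();

-- Hash on ingest, computed server-side so a client cannot supply a wrong digest.
CREATE FUNCTION set_artifact_hash() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN NEW.sha256 := sha256(NEW.content); RETURN NEW; END $$;   -- PostgreSQL 11+
CREATE TRIGGER artifact_hash BEFORE INSERT ON evidence_artifact
    FOR EACH ROW EXECUTE FUNCTION set_artifact_hash();

-- Writes are audited by trigger. current_setting() without missing_ok raises
-- when app.actor is unset, so an unattributed write cannot succeed. SECURITY
-- DEFINER lets the trigger append to audit_log although app_user cannot.
CREATE FUNCTION audit_artifact_write() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
BEGIN
    INSERT INTO audit_log (artifact_id, action, actor)
    VALUES (NEW.id, 'write', current_setting('app.actor'));
    RETURN NEW;
END $$;
CREATE TRIGGER audit_write AFTER INSERT ON evidence_artifact
    FOR EACH ROW EXECUTE FUNCTION audit_artifact_write();

-- Reads only go through this function, so they land in the audit trail too.
-- A soft-deleted artifact reads as NULL; the attempt is still recorded.
CREATE FUNCTION read_artifact(p_id bigint) RETURNS bytea
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
BEGIN
    INSERT INTO audit_log (artifact_id, action, actor)
    VALUES (p_id, 'read', current_setting('app.actor'));
    RETURN (SELECT a.content FROM evidence_artifact a
             WHERE a.id = p_id
               AND NOT EXISTS (SELECT 1 FROM evidence_deletion d
                                WHERE d.artifact_id = a.id));
END $$;

-- Soft-delete: records reason, actor and timestamp; the original row stays.
CREATE FUNCTION delete_artifact(p_id bigint, p_reason text) RETURNS void
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
BEGIN
    INSERT INTO evidence_deletion (artifact_id, reason, actor)
    VALUES (p_id, p_reason, current_setting('app.actor'));
    INSERT INTO audit_log (artifact_id, action, actor)
    VALUES (p_id, 'delete', current_setting('app.actor'));
END $$;

-- app_user can ingest and see metadata; content, deletions and audit rows are
-- reachable only through the logged functions above.
GRANT INSERT ON evidence_artifact TO app_user;
GRANT SELECT (id, tenant_id, sha256, ingested_at) ON evidence_artifact TO app_user;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO app_user;
GRANT SELECT ON audit_log TO app_user;

-- Walk-through as the application role (constructed sample data).
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.actor = 'alice@example.com';
INSERT INTO evidence_artifact (tenant_id, content)
VALUES ('11111111-1111-1111-1111-111111111111', convert_to('access review Q1', 'UTF8'))
RETURNING id, encode(sha256, 'hex');                         -- digest set on ingest
SELECT read_artifact(1);                                     -- returns the content
SELECT delete_artifact(1, 'uploaded to the wrong control');
SELECT read_artifact(1);                                     -- NULL: soft-deleted
SELECT action, actor, occurred_at FROM audit_log ORDER BY id; -- write, read, delete, read
COMMIT;
```

A `DELETE FROM evidence_artifact` as `app_user` fails on the missing privilege, and as the table owner it fails on the `no_mutation` trigger, so the artifact survives either way. Purging rows at the end of the retention window is the one legitimate mutation; in this design it has to happen from platform-admin tooling that disables the trigger for that job, which keeps the purge visible as a deliberate, separately reviewed action.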
Multi-factor authentication is required for all admin roles. SAML SSO is available on the Enterprise tier. Magic link + Google SSO for everyday access.
Current state
We are honest about what is in production versus what is on the roadmap. If a row reads "In progress," it means exactly that — not a marketing dodge.
Report a vulnerability
Send disclosures to security@norven.app. We acknowledge within 24 hours, never penalize good-faith research, and credit researchers who request it.