Security
Norven is a compliance product. A bug here is not "oops"; it is a breach of the trust we sell. The controls below are P0 always, not best-effort.
Engineering posture
Every tenant-scoped table is protected by row-level security at the database layer. Cross-tenant access is enforced as a hard boundary, not a convention, and verified by automated tests on every change.
TLS 1.2+ in transit, AES-256 at rest. Per-tenant data encryption keys, with customer-managed encryption keys (CMEK) on the Enterprise tier.
Customer OAuth tokens, API keys, and service-account credentials are held in a dedicated secrets store. They never appear in application configuration, logs, or error messages.
Evidence artifacts are hashed on ingest with SHA-256 and stored append-only. "Deletes" are soft-deletes recorded with reason, actor, and timestamp. The original record remains for the retention window.
Every read and write of evidence is recorded in an append-only audit trail, separate from application logs. The trail is itself the artifact your auditor reviews.
Multi-factor authentication is required for all admin roles. SAML SSO available on Enterprise. Magic link and Google SSO for everyday access.
Current state
We are honest about what is in production versus what is on the roadmap. If a row reads "In progress," it means exactly that, not a marketing dodge.
Report a vulnerability
Send disclosures to security@norven.app. We acknowledge within 24 hours, never penalize good-faith research, and credit researchers who request it.