Try free

Security

How we protect the evidence you trust us with.

Norven is a compliance product. A bug here is not "oops"; it is a breach of the trust we sell. The controls below are P0 always, not best-effort.

Engineering posture

Six commitments, enforced in CI.

Per-tenant isolation

Every tenant-scoped table is protected by row-level security at the database layer. Cross-tenant access is enforced as a hard boundary, not a convention, and verified by automated tests on every change.

Encryption everywhere

TLS 1.2+ in transit, AES-256 at rest. Per-tenant data encryption keys, with customer-managed encryption keys (CMEK) on the Enterprise tier.

Credentials in a dedicated vault

Customer OAuth tokens, API keys, and service-account credentials are held in a dedicated secrets store. They never appear in application configuration, logs, or error messages.

Immutable evidence

Evidence artifacts are hashed on ingest with SHA-256 and stored append-only. "Deletes" are soft-deletes recorded with reason, actor, and timestamp. The original record remains for the retention window.

A real audit log

Every read and write of evidence is recorded in an append-only audit trail, separate from application logs. The trail is itself the artifact your auditor reviews.

MFA enforced for admins

Multi-factor authentication is required for all admin roles. SAML SSO available on Enterprise. Magic link and Google SSO for everyday access.

Current state

Where we are, today.

We are honest about what is in production versus what is on the roadmap. If a row reads "In progress," it means exactly that, not a marketing dodge.

SOC 2 Type II
In progress; Type I bridge planned
ISO 27001:2022
On the roadmap
Penetration testing
Annual third-party assessment
Data residency
EU primary; additional residency options on Enterprise
Backups
Point-in-time recovery, 35-day window
Uptime target
99.9% rolling 30-day

Report a vulnerability

Good-faith research is welcome. Get in touch.

Send disclosures to security@norven.app. We acknowledge within 24 hours, never penalize good-faith research, and credit researchers who request it.