Security at Norvius
Built with security as a foundation, not an afterthought.
Data Protection
- ✓ Encryption at rest (AES-256 via PostgreSQL + pgcrypto)
- ✓ Encryption in transit (TLS 1.3 enforced via HSTS)
- ✓ Tenant isolation via Row Level Security on every table
- ✓ Cross-tenant isolation enforced at the database level, with application-layer authorization as a second check
- ✓ OAuth tokens and API keys encrypted with AES-256 before storage
- ✓ AI layer never processes or logs credentials
Authentication & Access
- ✓ OAuth 2.0 (Google, Microsoft)
- ✓ Multi-factor authentication (TOTP)
- ✓ Role-based access control (Owner, Admin, Member, Viewer)
- ✓ Session management with secure cookies
- ✓ Defense-in-depth: middleware + route-level auth verification
AI Safety
- ✓ Data grounding — AI-generated numbers are checked against source data before delivery
- ✓ Numeric consistency checks on mathematical relationships
- ✓ Confidence indicators on all data-backed responses
- ✓ Content accuracy gate on published marketing content
- ✓ Approval gates for high-risk actions (sends, deletions, financial changes)
- ✓ Full audit trail of all AI decisions and actions
- ✓ Observational language only — AI never prescribes, only observes
Infrastructure
- • Application: Railway (US)
- • Database: Supabase PostgreSQL (US West)
- • DNS & DDoS protection: Cloudflare
- • Automated daily backups with point-in-time recovery
- • Uptime monitoring with 5-minute check intervals
- • Error tracking and alerting via Sentry
Compliance
Current
Security headers (HSTS, CSP, etc.), RBAC, RLS, audit trails, AES-256 encryption, MFA, data export, right to deletion.
GDPR
Right to deletion and data export available. Data processed in the US under standard contractual clauses.
CCPA
Same provisions as GDPR: right to deletion, data export, no sale of personal information.
SOC 2
Planned. Timeline contingent on revenue milestone. Security controls documented and audit-ready.
Responsible Disclosure
We welcome responsible security research. If you discover a vulnerability:
- Email security@norvius.com with details
- Allow us 48 hours to acknowledge receipt
- Allow 90 days for remediation before public disclosure
We will not pursue legal action against good-faith security researchers who follow responsible disclosure practices.
Questions?
Contact us at security@norvius.com