Security at Norvius

Built with security as a foundation, not an afterthought.

Data Protection

  • Encryption at rest (AES-256 via PostgreSQL + pgcrypto)
  • Encryption in transit (TLS 1.3 enforced via HSTS)
  • Tenant isolation via Row Level Security on every table
  • Cross-tenant isolation enforced at the database level, with application-layer authorization as a second check
  • OAuth tokens and API keys encrypted with AES-256 before storage
  • AI layer never processes or logs credentials

Authentication & Access

  • OAuth 2.0 (Google, Microsoft)
  • Multi-factor authentication (TOTP)
  • Role-based access control (Owner, Admin, Member, Viewer)
  • Session management with secure cookies
  • Defense-in-depth: middleware + route-level auth verification

AI Safety

  • Data grounding — AI-generated numbers are checked against source data before delivery
  • Numeric consistency checks on mathematical relationships
  • Confidence indicators on all data-backed responses
  • Content accuracy gate on published marketing content
  • Approval gates for high-risk actions (sends, deletions, financial changes)
  • Full audit trail of all AI decisions and actions
  • Observational language only — AI never prescribes, only observes

Infrastructure

  • Application: Railway (US)
  • Database: Supabase PostgreSQL (US West)
  • DNS & DDoS protection: Cloudflare
  • Automated daily backups with point-in-time recovery
  • Uptime monitoring with 5-minute check intervals
  • Error tracking and alerting via Sentry

Compliance

Current

Security headers (HSTS, CSP, etc.), RBAC, RLS, audit trails, AES-256 encryption, MFA, data export, right to deletion.

GDPR

Right to deletion and data export available. Data processed in the US under standard contractual clauses.

CCPA

Same provisions as GDPR: right to deletion, data export, no sale of personal information.

SOC 2

Planned. Timeline contingent on revenue milestone. Security controls documented and audit-ready.

Responsible Disclosure

We welcome responsible security research. If you discover a vulnerability:

  1. Email security@norvius.com with details
  2. Allow us 48 hours to acknowledge receipt
  3. Allow 90 days for remediation before public disclosure

We will not pursue legal action against good-faith security researchers who follow responsible disclosure practices.

Questions?

Contact us at security@norvius.com