Security at Norivo
We deliver AI governance. We hold ourselves to the same standard we deliver for you. Here is how we protect your data, govern our own AI, and maintain trust.
Norivo Technologies Ltd is a UK-registered company. All customer data is processed in accordance with GDPR. A Data Processing Agreement (DPA) is available on request for all customers.
Infrastructure & Data Protection
Enterprise-grade infrastructure with encryption, isolation, and monitoring at every layer.
Hosting
Deployed on Vercel (frontend) and Neon (PostgreSQL). Primary data stores run in EU regions; some sub-processors operate from the US (see the Sub-Processors table below). Every provider holds SOC 2 Type II or an equivalent certification.
Encryption
TLS 1.3 in transit. AES-256 at rest for all customer data. Database connections are TLS-encrypted end to end, including through the connection pooler.
Authentication
Clerk authentication with MFA support, session management, and role-based access control. Norivo does not store passwords; credentials are held by Clerk.
Data Isolation
Every database query is filtered by the authenticated user's orgId, so a request can only read or write rows belonging to its own organisation. Cross-organisation data access is blocked at the query layer, not left to individual endpoints.
Backups
Automated daily backups with point-in-time recovery. 30-day retention with geo-redundant storage.
Monitoring
Continuous uptime monitoring, error tracking, and performance alerting. Incident response procedures documented and tested.
Sub-Processors
Third-party services that process customer data on our behalf. All sub-processors maintain current security certifications.
| Provider | Purpose | Location | Certifications |
|---|---|---|---|
| Vercel | Application hosting and edge delivery | EU/US | SOC 2 Type II |
| Neon | PostgreSQL database hosting | EU | SOC 2 Type II |
| Clerk | Authentication and user management | US | SOC 2 Type II |
| Anthropic | AI processing (Nora AI Copilot) | US | SOC 2 Type II |
| Upstash | Redis caching and job queue | EU | SOC 2 Type II |
| Resend | Transactional email delivery | US | SOC 2 Type II |
| Stripe | Payment processing | EU/US | PCI DSS Level 1 |
| AWS S3 / Cloudflare R2 | File and evidence storage | EU | SOC 2 / ISO 27001 |
How We Govern Nora
We use our own platform to govern Nora AI. Here's what that means in practice.
No training on customer data
Nora uses Claude (Anthropic) as its foundation model. Customer data is never used to train or fine-tune any model. Anthropic's API does not use inputs for training.
Scoped context only
Nora only accesses data within the requesting customer's organisation. Every query Nora issues carries the same orgId scoping described under Data Isolation, so it cannot read another organisation's data.
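The orgId scoping described under Data Isolation and again here is the control that every other claim on this page leans on, so it is worth seeing what it looks like in code. The following is an added illustration, not Norivo's code: the in-memory "evidence" table, the column names, the session shape and the organisation identifiers are all constructed for the example. It puts the unscoped lookup beside the scoped one, derives the scope only from an authenticated session, and shows the parameterised SQL the scoped lookup would send to Postgres.

```typescript
// Added illustration of orgId-scoped data access. This is not Norivo's code;
// the table, column names, session shape and org identifiers are constructed
// sample data chosen for the example.

// Branded type: an OrgId can only be produced by the code that derives it
// from an authenticated session, never from a request body or query string.
type OrgId = string & { readonly __brand: "OrgId" };

interface EvidenceRow { id: string; orgId: OrgId; title: string; }

// Constructed in-memory stand-in for a Postgres "evidence" table.
const EVIDENCE: EvidenceRow[] = [
  { id: "ev-1", orgId: "org_alpha" as OrgId, title: "Model card: credit scoring" },
  { id: "ev-2", orgId: "org_beta" as OrgId, title: "DPIA: HR screening" },
];

// Shape of an authenticated session as returned by the auth provider (assumed).
interface Session { userId: string; orgId: string; }

// The only way to obtain a scope is from a session: the private constructor
// stops callers from building one out of untrusted input.
class OrgScope {
  private constructor(readonly orgId: OrgId) {}
  static fromSession(session: Session): OrgScope {
    if (!session.orgId) throw new Error("session has no active organisation");
    return new OrgScope(session.orgId as OrgId);
  }
}

// VULNERABLE pattern: lookup by primary key with no tenant filter. Any user
// who guesses or leaks an id can read another organisation's row.
function findEvidenceUnscoped(id: string): EvidenceRow | undefined {
  return EVIDENCE.find((r) => r.id === id);
}

// HARDENED pattern: every read takes the scope and filters on orgId, so a
// foreign id simply resolves to "not found".
function findEvidence(scope: OrgScope, id: string): EvidenceRow | undefined {
  return EVIDENCE.find((r) => r.orgId === scope.orgId && r.id === id);
}

function listEvidence(scope: OrgScope): EvidenceRow[] {
  return EVIDENCE.filter((r) => r.orgId === scope.orgId);
}

// Writes are scoped too: orgId is taken from the scope, never from the payload,
// so a client cannot smuggle a different organisation's id in the request.
function createEvidence(
  scope: OrgScope,
  input: { id: string; title: string; orgId?: string },
): EvidenceRow {
  const row: EvidenceRow = { id: input.id, title: input.title, orgId: scope.orgId };
  EVIDENCE.push(row);
  return row;
}

// The equivalent parameterised SQL the hardened lookup would send to Postgres:
// the tenant filter is part of the statement and the values are bound, not
// interpolated into the text.
function evidenceByIdSql(scope: OrgScope, id: string): { text: string; values: string[] } {
  return {
    text: "SELECT id, org_id, title FROM evidence WHERE org_id = $1 AND id = $2",
    values: [scope.orgId, id],
  };
}

// Walk-through: a user in org_alpha tries to reach org_beta's row ev-2.
function runDemo(): { unscopedLeaks: boolean; scopedBlocks: boolean; ownRows: number } {
  const alpha = OrgScope.fromSession({ userId: "user_1", orgId: "org_alpha" });
  return {
    unscopedLeaks: findEvidenceUnscoped("ev-2") !== undefined, // true: cross-org read
    scopedBlocks: findEvidence(alpha, "ev-2") === undefined,   // true: filtered out
    ownRows: listEvidence(alpha).length,                        // 1
  };
}

console.log(runDemo());
```

The point of the private constructor and the branded type is that a code review can grep for every place an OrgScope is created and confirm each one starts from a session; a query function that does not take a scope parameter stands out as unscoped. In a real deployment the same filter belongs in the SQL (or in Postgres row-level security) rather than only in application code, so that an ad-hoc query path cannot bypass it.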
Registered in our own VALID inventory
Nora is registered as an AI system in Norivo's own VALID Framework assessment with full risk classification and documentation, the same standard we deliver for your AI systems.
All outputs are advisory and human-reviewed
Nora generates policies, drafts questionnaire answers, and identifies gaps. Our governance specialists review and refine every output before it reaches you. No autonomous compliance decisions.
Operated by our team, not your team
Nora is part of our delivery toolkit. Customers do not interact with Nora directly. Our specialists do, on your behalf, governed by the controls above.
Compliance Roadmap
Our own compliance journey. We hold ourselves to the same standards we help our customers achieve.
EU AI Act Aligned
VALID Framework provides full EU AI Act coverage with cross-mapped controls
ISO 42001 Module
Full ISO 42001 module with VALID cross-mapping and gap analysis
GDPR Compliant
UK-registered company, customer data processed under GDPR, DPA available on request
SOC 2 Type II
Coming soon. Certification in progress; expected completion by end of 2026.
ISO 27001
Coming soon. Certification planned to follow SOC 2 completion.
Security Questions?
Request our Data Processing Agreement, security questionnaire responses, or schedule a security review call.