Normos.io

PRICING

Less than a consultant's week.
Running 365 days a year.

Manual compliance costs £20,000–£50,000 per cycle. Normos Starter is £9,600/year — and it never sleeps.

ISO 27001 + SOC 2 — both included, no per-framework fees
21 detectors · 5 domains
Zero raw data stored

PILOT

5 SLOTS ONLY

£0

90 days · no credit card required

Full platform access for 90 days in exchange for structured product feedback. Every feature, every detector, from day one. The conversion lever is time — not features.

  • All 21 detectors across 5 domains
  • Daily automated scanning at 02:00 UTC
  • ISO 27001 + SOC 2 evidence packages
  • Automated Assurance Letter PDF — board-ready
  • SHA-256 forensic hash chain on every scan
  • Auditor Guest View portal — token-gated
  • Unlimited user seats
  • 90-day scan history retention
  • Email support — direct founder access
  • Pilot Feedback Form required
Apply for Free Pilot

No credit card · No commitment · 5 slots remaining

STARTER

£9,600/yr

£800/month · annual contract

For UK SaaS teams preparing for ISO 27001 or SOC 2. One GitHub org, 3 seats, 12 months of forensic history. Everything you need for your first audit.

  • All 21 detectors across 5 domains
  • Daily automated scanning at 02:00 UTC
  • ISO 27001 + SOC 2 evidence packages
  • Automated Assurance Letter PDF — board-ready
  • SHA-256 forensic hash chain on every scan
  • Auditor Guest View portal — token-gated
  • 3 user seats included
  • Additional seats at £600/year each
  • 12 months scan history retention
  • Data export on request — 10 business days
  • Data deletion within 30 days of contract end
  • Email support — 2 business day response
  • 99% monthly availability target
  • Standard terms
Get in touch

ENTERPRISE

CUSTOM

£24k+/yr

annual contract · custom MSA

For teams with enterprise procurement requirements — and those who want to shape what gets built next. Custom contract, bespoke DPA, and first access to every Phase 2 feature as it ships.

  • Everything in Starter
  • Automated Assurance Letter PDF — board-ready
  • Unlimited user seats
  • Custom auditor token expiry
  • Custom scan history retention
  • Data export — 5 business days
  • Data deletion within 14 days of contract end
  • Email support — 1 business day response
  • Priority support queue
  • 99.5% monthly availability target
  • Custom MSA — bespoke contract and DPA
  • Priority access to Phase 2 features
  • Input into Phase 2 build order
  • Early access beta before general availability
Contact us
Note on competitor pricing: Vanta and Drata charge per compliance framework — a company pursuing both ISO 27001 and SOC 2 pays significantly more than their entry price. Normos includes both ISO 27001 and SOC 2 evidence packages in every tier at no additional cost. Competitor pricing figures are market estimates based on publicly available third-party research — neither Vanta nor Drata publish list prices.

COMPARE

Why Normos vs the alternatives

OptionCost
Manual consultant£20,000–£50,000/cycle
Vanta£8,000–£45,000+/year
Drata£6,000–£80,000+/year
Normos Starter£9,600/year · both frameworks

THE ROADMAP

Phase 2 is coming.
Enterprise customers go first.

Every feature below ships in Phase 2 — after our first paying customers and Seed raise. Enterprise customers get first access before general availability, and direct input into what gets built first based on their stack.

Phase 2

Seed raise · 12–18 months

GitLab integrationPhase 2
Multiple GitHub orgsPhase 2
SCIM universal directory syncPhase 2
HR integrations — HiBob, BambooHRPhase 2
Azure SQL Ledger notarisationPhase 2
ML-DSA post-quantum signingPhase 2
Real-time finding alertsPhase 2
Normos Trust Badge™Phase 2
Growth pricing tierPhase 2
Additional compliance frameworksPhase 3
Availability SLA note: Response times measured during UK business hours, Monday–Friday, excluding public holidays. Availability targets exclude outages caused by Vercel, Supabase, GitHub, and Cloudflare infrastructure. No financial remedies (service credits) in Phase 1 — introduced at Series A.

FAQ

Common questions

Why do pilot customers get all 21 detectors?

The conversion lever is time (90 days), not feature gates. Restricting detectors during a pilot produces incomplete feedback and creates a bait-and-switch perception. Paid value comes from contractual guarantees, permanent records, SLAs, and ongoing forensic evidence.

What happens at the end of the 90-day pilot?

We'll have a structured offboarding or conversion call. If you convert to Starter, your scan history and forensic hash chain are preserved. If you don't convert, all your data is deleted within 30 days per our DPA.

Is there a monthly payment option?

Starter is priced at £9,600/year (equivalent to £800/month) on an annual contract. Monthly billing is not available in Phase 1. Enterprise contracts are negotiated individually.

What GitHub permissions does Normos require?

Four OAuth scopes: read:user, read:org, repo, and admin:org. All read-only. admin:org is used solely to identify members without MFA via GitHub's filter=2fa_disabled endpoint. No write access. No code storage.

Why is ISO 27001 and SOC 2 both included at no extra cost?

Vanta and Drata charge per framework — adding ISO 27001 on top of SOC 2 can cost thousands more per year. We think that's wrong. Both frameworks share 80% of the same controls. We generate both evidence packages from the same scan. Charging twice for the same data is a tax on compliance, not a service.

When is the Growth tier available?

Growth requires multiple GitHub org support, which is a Phase 2 build. We won't launch a tier we can't technically fulfil. Phase 2 starts after our first paying customers and Seed raise.

What does priority Phase 2 access mean?

Enterprise customers get first access to every Phase 2 feature as it ships — GitLab integration, SCIM, HR integrations, Azure SQL Ledger — before general availability. You also get direct input into build order: your IdP, HR system, and cloud provider go to the top of the queue. You are not just buying a contract, you are shaping the product.

Can I cancel mid-contract?

Starter and Enterprise are annual contracts. We don't offer mid-contract cancellation in Phase 1. If your circumstances change, contact us — we'll handle it fairly. All your data is deleted within the DPA timelines on exit.

Ready to start?

Apply for a free 90-day pilot. 5 slots. Full access. No credit card required.

Apply for Phase 1 PilotAsk a question