TRUST CENTRE

Security, Privacy & Compliance

We are building the platform we would want to use ourselves. This page documents our security posture, data practices, and subprocessors — updated as we ship.

Last updated: 16 May 2026

  • 346/346 security tests passed
  • AES-256 encryption standard
  • Zero raw data stored
  • EU primary data location

Security Controls

MFA Enforced

LIVE

TOTP multi-factor authentication is required for all platform accounts from day one. No exceptions.

AES-256-GCM Encryption

LIVE

All OAuth tokens stored at rest are encrypted using AES-256-GCM. We never store plaintext credentials.

Zero Raw Data Storage

LIVE

We never store raw source code, commit history, user lists, or any customer business data. Only findings — the outputs of analysis — are persisted.

Row Level Security

LIVE

All database tables enforce Row Level Security. Customer data is isolated at the database level — no cross-tenant data access is possible.

Security Headers

LIVE

All responses include CSP, HSTS, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers.

Rate Limiting

LIVE

All sensitive API endpoints are rate limited. Invite and scan endpoints are limited to 10 requests per hour per user.

Cloudflare Turnstile Bot Protection

LIVE

All authentication forms are protected by Cloudflare Turnstile to prevent automated credential stuffing attacks. Turnstile is part of the Cloudflare infrastructure already used for DNS, CDN, and WAF.

Audit Log

LIVE

All security-relevant actions are recorded in an immutable audit log with user, organisation, timestamp, and action details.

Security Testing

LIVE

346/346 security tests passed covering auth bypass, RLS bypass, API input validation, token forgery, and rate limiting.

Penetration Testing

PLANNED

A professional penetration test by a CREST-accredited firm is planned before the first paying customer.

SOC 2 Type II for Normos

ROADMAP

Normos.io will pursue SOC 2 Type II certification for its own platform in Phase 2.

Azure SQL Ledger Notarisation

ROADMAP

Cryptographic notarisation of all findings on an immutable Azure SQL Ledger is coming in Phase 2.

Subprocessors

We use the following third-party processors to deliver the Normos.io platform. All processors are bound by appropriate Data Processing Agreements and are required to maintain security standards consistent with our own.

Processor                DPA
Supabase                 View
Vercel                   View
Resend                   View
Cloudflare Turnstile     View
GitHub                   View
Cloudflare               View
Amazon Web Services      View

Full sub-processor details, including the 30-day change notification process: normos.io/subprocessors →

Data Processing

What We Collect

  • Account data — email address, encrypted password hash
  • Authentication data — MFA factors, session tokens
  • Integration data — OAuth tokens (encrypted at rest, AES-256-GCM)
  • Findings data — security findings generated from your connected systems
  • Audit log data — records of security-relevant platform actions
  • Usage data — standard web server logs

What We Never Store

  • Raw source code from your repositories
  • Raw commit history or pull request content
  • Raw user lists from your identity providers
  • Raw cloud infrastructure configuration data
  • Any customer business data
  • Plaintext credentials or OAuth tokens

Retention Periods

  • Account and profile data — retained while account is active
  • Security findings and scan history — default 12 months, configurable per contract
  • Audit logs — retained for 12 months
  • OAuth tokens — deleted immediately on disconnection
  • All data — deleted within 30 days of account closure (Starter), 14 days (Enterprise)
  • Deletion confirmed in writing to the customer within 35 days of account closure

Data Portability and Export

  • All findings, scan history, and audit logs are exportable on request in JSON format
  • PDF evidence packages are available at any time from your Security Command Centre
  • Export requests fulfilled within 10 business days (Starter) or 5 business days (Enterprise)
  • No proprietary lock-in format — all exports are machine-readable JSON or PDF
  • To request an export, email [email protected] with your organisation name

Account Deletion

  • Submit a written deletion request to [email protected]
  • All organisation data is permanently deleted within 30 days (Starter) or 14 days (Enterprise)
  • Deletion covers all findings, scan runs, integrations, OAuth tokens, audit sessions, and user accounts
  • Written confirmation of deletion is sent to the customer email on record
  • Encrypted backup systems purge deleted data within 30 days of deletion

Compliance Status

ICO Registration (UK)

LIVE

Registered with the Information Commissioner's Office (ICO) under registration number ZC158944. Normos Technologies Ltd, Company No. 17245340.

UK GDPR

LIVE

Compliant with UK GDPR requirements including lawful basis, data minimisation, and subject rights.

Data Protection Act 2018

LIVE

Compliant with the UK Data Protection Act 2018.

ISO 27001 for Normos

ROADMAP

Normos.io will pursue ISO 27001 certification for its own platform in Phase 2.

SOC 2 Type II for Normos

ROADMAP

SOC 2 Type II audit planned for Phase 2 when the customer base justifies it.

EU AI Act

ROADMAP

ISO 42001 AI Governance framework coming in Phase 2 — designed to be EU AI Act compliant by architecture.

Security Contact

Security Issues

Report vulnerabilities or security concerns. We aim to respond within 24 hours.

[email protected]

Privacy Requests

Exercise your data rights — access, erasure, portability. Export your data in JSON or PDF at any time. Deletion confirmed in writing within 35 days of account closure. Contact [email protected].

[email protected]

DPA Requests

Request a Data Processing Agreement or ask questions about our data practices.

[email protected]