Security Statement
This document describes the technical and organisational security measures we implement to protect the Noryn platform and the personal data processed within it, as required by Article 32 UK GDPR.
1. Encryption
1.1 Data in transit
- All connections to the platform use TLS 1.3 (minimum TLS 1.2)
- HTTP Strict Transport Security (HSTS) is enforced
- Certificates are managed by Vercel with automatic renewal
1.2 Data at rest
- Database storage is encrypted at rest using AES-256 (Supabase default)
- OAuth tokens and integration credentials are additionally encrypted at the application layer using AES-256-GCM before storage
- Backups are encrypted using the same mechanisms
2. Access Control
- Role-based access control (RBAC): Customers have roles within their organisation (Owner, Admin, Member). Admin and platform staff have separate elevated roles.
- Row-Level Security (RLS): Every database table enforces RLS policies ensuring customers can only access their own organisation's data — isolation is enforced at the database level, not just the application layer.
- Service role isolation: The Supabase service role key (which bypasses RLS) is used only in server-side code; it is never exposed to the client or to customers.
- MFA for admin accounts: Platform admin accounts require multi-factor authentication.
- Principle of least privilege: Staff access is scoped to what is necessary for their role. Production database access requires justification and is logged.
3. Tenant Data Isolation
Each customer organisation's data is isolated from all others via database-level RLS policies. Cross-tenant data access is not possible through the application layer. The only mechanism that can access data across tenants is the service role, used only in controlled server-side operations.
4. Backups and Recovery
- Supabase performs continuous backups of the database
- Point-in-time recovery is available (retention period per Supabase plan)
- Backup restoration is tested periodically
5. Sub-processor Security
| Sub-processor | Security certifications |
|---|---|
| Anthropic | SOC 2 Type II — see trust.anthropic.com |
| Supabase | SOC 2 Type II — see security.supabase.com |
| Stripe | PCI DSS Level 1, SOC 2 Type II — see stripe.com/docs/security |
| Vercel | SOC 2 Type II — see vercel.com/security |
| Resend | SOC 2 Type II — see resend.com/security |
6. Incident Response
6.1 Detection
We monitor platform logs and error rates for anomalies. Security events are reviewed by the platform team. Critical alerts trigger immediate escalation.
6.2 Breach notification
In the event of a personal data breach:
- We will assess the breach within 24 hours of detection
- We will notify affected Customers within 48 hours of becoming aware
- We will notify the ICO within 72 hours where the breach poses a risk to individuals (as required by UK GDPR Article 33)
- We will notify affected data subjects where the breach poses a high risk to their rights and freedoms (Article 34)
- A full incident report will be provided to affected Customers within 14 days of resolution
6.3 Incident logging
All security incidents are logged in our internal incident tracker with timeline, scope, root cause, and remediation actions. Records are retained for 6 years.
7. Vulnerability Disclosure
If you discover a security vulnerability in the platform, please report it responsibly:
- Email: security@norynsystem.com
- Include: description of the vulnerability, steps to reproduce, potential impact
- Do not exploit the vulnerability or access data belonging to other customers
- We will acknowledge reports within 48 hours and keep you updated on remediation progress
- We will not take legal action against security researchers acting in good faith
8. Audit Logs
All significant platform actions (employee configuration changes, integration connections, admin actions, data access by staff) are recorded in an immutable audit log retained for 24 months. Customers can request their organisation's audit log through the privacy requests tool at /dashboard/privacy/requests.
9. Secure Development
- Code is reviewed before deployment
- Dependencies are monitored for known vulnerabilities
- Production deployments go through automated testing
- Secret management: all credentials are stored as environment variables, never hardcoded
10. Certifications Roadmap
We intend to pursue SOC 2 Type II certification as we scale. Until that certification is obtained, this Security Statement and our sub-processors' certifications serve as the primary security documentation. Enterprise customers may request a security questionnaire by emailing security@norynsystem.com.
Noryn · Noryn System Ltd · ICO Reg [ICO reg. no.] · privacy@norynsystem.com