Security and data privacy
Honest summary of what we do today with your data and what we don't have (yet). Last updated: April 2026.
Before you put your operational data into another tool you want to know exactly how it's handled. This page lists every control we have in production today. If you need additional depth for a procurement process, write to hola@mgmautomations.es.
1. Hosting and encryption
- Data hosted in the European Union. The whole stack (application + PostgreSQL database) runs on Railway in an EU region, so the primary data store never leaves the EU. GDPR does not require localisation as such; it restricts transfers outside the EU/EEA (Chapter V). Hosting in the EU means no transfer mechanism such as Standard Contractual Clauses (SCCs) is needed for the hosting layer itself; transfers to sub-processors established outside the EU are addressed in the DPA (the list is in section 2).
- Encryption in transit. All traffic is HTTPS, with HSTS including the preload directive enabled in production. Browsers upgrade any plain-HTTP request to HTTPS before it leaves the client and do not allow click-through on certificate errors.
- Encryption at rest. Database and photo storage (Cloudflare R2) are encrypted at the provider level with AES-256.
- Strict security headers. Every response carries a Content Security Policy (restricts where scripts and other resources may load from, blunting XSS and script-driven exfiltration), X-Frame-Options DENY (clickjacking), X-Content-Type-Options nosniff (MIME sniffing), Referrer-Policy (referrer leakage to third parties) and Permissions-Policy (access to browser features such as camera and geolocation).
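A procurement reviewer can confirm the controls above from outside, since all of them are visible in a single HTTPS response. The following checker is an editor-added example, not Norven's own tooling: it runs offline on a constructed header mapping (the STRONG and WEAK samples are made up, not captured from norven.io), and the thresholds it applies (one-year max-age, includeSubDomains and preload) are the published requirements of the browser HSTS preload list. To audit a live site, fetch the response headers with any HTTP client and pass the mapping in.

```python
"""Editor-added example: check a response header set against the controls in section 1."""
import re

ONE_YEAR = 31536000  # minimum max-age accepted by the HSTS preload list


def parse_csp(csp):
    """Split a CSP header into {directive: [source, ...]} with directive names lowercased."""
    policy = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_headers(headers):
    """Return a list of findings; an empty list means every expected control is present.

    Header-name lookups are case-insensitive, as HTTP header names are.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Strict-Transport-Security: preload needs max-age >= 1 year, includeSubDomains and preload.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browsers will still accept plain HTTP")
    else:
        directives = {d.strip().lower() for d in hsts.split(";")}
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below the {ONE_YEAR}s preload minimum")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains (required for preload)")
        if "preload" not in directives:
            findings.append("HSTS lacks the preload directive")

    # Content-Security-Policy: script sources must be restricted or XSS is not mitigated.
    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("CSP missing: no restriction on script sources against XSS")
    else:
        script_src = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
        if not script_src:
            findings.append("CSP sets neither script-src nor default-src")
        # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash source is present.
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src
        )
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append("CSP script-src allows 'unsafe-inline', which defeats its XSS protection")
        if "*" in script_src:
            findings.append("CSP script-src allows scripts from any origin (*)")

    # Clickjacking: either X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not policy.get("frame-ancestors"):
        findings.append("no clickjacking protection: X-Frame-Options is not DENY/SAMEORIGIN and CSP has no frame-ancestors")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    rp = h.get("referrer-policy", "").strip().lower()
    if not rp:
        findings.append("Referrer-Policy missing: full URLs may leak to third parties")
    elif rp in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy {rp} still sends the full URL to cross-origin destinations")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing: camera, geolocation etc. are not restricted")

    return findings


# Constructed sample responses (not captured from norven.io).
STRONG = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), geolocation=(self)",
}

WEAK = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for name, sample in (("STRONG", STRONG), ("WEAK", WEAK)):
        print(name, check_headers(sample) or "no findings")
```

The CSP check deliberately looks at script-src with default-src as the fallback, because that is how browsers resolve it: a policy with only default-src 'self' still restricts scripts, while one that sets default-src but then opens script-src to '*' does not.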
2. GDPR: your rights as the controller
In the contractual relationship with Norven, your organisation is the controller of personal data uploaded to the platform (employees, end customers, inspection subjects). Norven acts as the processor and handles that data on your instructions. This is documented in our Data Processing Agreement (DPA), an Article 28 GDPR template downloadable without an account.
- Right of access and portability. Any user can export their full data as JSON from Settings → Data & Privacy. The organisation owner can additionally generate a ZIP with ALL organisation data (Art. 15 and 20 GDPR).
- Right to erasure. Account deletion is a soft delete: the data becomes inaccessible immediately and is permanently purged after 30 days.
- Audit log. Every relevant action (signatures, report generation, photo access, template changes) is recorded with timestamp, user, IP and user-agent.
- Breach notification. If a personal data breach occurs, the affected organisation is notified without undue delay and in any case within 72 hours of Norven becoming aware of it (Art. 33(2) GDPR covers the processor's duty to the controller), so that you can meet your own 72-hour deadline to the supervisory authority under Art. 33(1).
- Documented sub-processors. The full list of sub-processors (Clerk, Stripe, Cloudflare, OpenAI, Resend, Sentry, Railway, Anthropic) is in the DPA.
3. Vendors with recognised certifications
Norven relies on vendors that already hold the certifications an enterprise buyer recognises. The most sensitive areas (authentication, payments, infrastructure) are covered by external audits.
- Authentication: Clerk — SOC 2 Type II, GDPR. Norven never stores passwords.
- Payments: Stripe — PCI DSS Level 1. Norven never sees or stores card numbers.
- App and DB hosting: Railway — EU region, SOC 2 Type II.
- Photo storage: Cloudflare R2 — SOC 2 Type II, ISO 27001.
- Transactional email: Resend — SPF/DKIM/DMARC configured on the sending domain.
- AI photo analysis: OpenAI (GPT-4o) — API data is contractually excluded from model training.
4. Integrity of inspection reports
Every inspection PDF that Norven generates carries a SHA-256 hash in its footer plus a link to norven.io/verify. Anyone who receives the report (end customer, auditor, regulator) can check that hash on the public verification page against Norven's record of the hashes it has issued: a match shows the document was issued by Norven and its content has not changed since, and any later edit produces a different hash.
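Two details of such a scheme matter to anyone relying on it, and the following editor-added example (not Norven's code) makes them concrete. First, a file cannot contain its own digest, so the hash must be computed over the body with the footer excluded; for real PDFs that means hashing a canonical rendering the footer is added to last. Second, a hash by itself proves nothing about origin, since a forger who edits the body can simply recompute it; what establishes that Norven issued a document is the lookup against Norven's server-side record. The footer layout, the in-memory REGISTRY standing in for that record, and the use of plain-text bodies instead of PDFs are all assumptions made to keep the example self-contained.

```python
"""Editor-added example: issue and verify hash-stamped reports (not Norven's implementation)."""
import hashlib

FOOTER_PREFIX = b"\n--- Norven verify: "  # assumed footer layout, not the real one
FOOTER_SUFFIX = b" ---"

# Stands in for the issuer's server-side record of every hash it has published.
REGISTRY: set = set()


def content_hash(body: bytes) -> str:
    """SHA-256 of the report body, as the lowercase hex that goes in the footer."""
    return hashlib.sha256(body).hexdigest()


def issue_report(body: bytes) -> bytes:
    """Record the body's hash and return the body with the footer appended.

    Only the body is hashed: the footer that carries the digest is excluded,
    because a file cannot contain its own hash.
    """
    digest = content_hash(body)
    REGISTRY.add(digest)
    return body + FOOTER_PREFIX + digest.encode("ascii") + FOOTER_SUFFIX


def split_footer(stamped: bytes):
    """Return (body, digest_from_footer); the digest is None if no footer is present."""
    idx = stamped.rfind(FOOTER_PREFIX)
    if idx == -1 or not stamped.endswith(FOOTER_SUFFIX):
        return stamped, None
    digest = stamped[idx + len(FOOTER_PREFIX):-len(FOOTER_SUFFIX)]
    return stamped[:idx], digest.decode("ascii", errors="replace")


def verify(stamped: bytes) -> str:
    """Classify a received file the way a public verify page would.

    'modified':  the body no longer matches the hash it carries.
    'unknown':   self-consistent, but the issuer never recorded this hash. This is
                 what a forger gets after editing the body and recomputing the
                 footer; only the registry lookup distinguishes it from a real report.
    'valid':     the hash matches the body and is in the issuer's record.
    'no footer': nothing to verify.
    """
    body, claimed = split_footer(stamped)
    if claimed is None:
        return "no footer"
    actual = content_hash(body)
    if actual != claimed:
        return "modified"
    if actual not in REGISTRY:
        return "unknown"
    return "valid"


def demo() -> dict:
    """Run the four cases on a constructed report and return their verdicts."""
    original = b"Inspection 42\nFire extinguisher: OK\nSigned: J. Perez"  # constructed sample
    stamped = issue_report(original)

    results = {"original": verify(stamped)}                       # untouched file
    results["edited"] = verify(stamped.replace(b"OK", b"FAIL"))   # body edited, footer left alone
    forged_body = original.replace(b"OK", b"FAIL")                # body edited, footer recomputed
    forged = forged_body + FOOTER_PREFIX + content_hash(forged_body).encode("ascii") + FOOTER_SUFFIX
    results["forged"] = verify(forged)
    results["unstamped"] = verify(original)                       # no footer at all
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>9}: {verdict}")
```

The 'forged' case is the one to remember when reading a verification page: a recipient who only recomputes SHA-256 locally and compares it with the footer will see a consistent document, which is exactly why the page states that verification checks the hash against Norven's own record rather than against the file alone.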
Signatures within each inspection are recorded with full metadata (signer name, role, IP address, user-agent and, with the inspector's consent, GPS coordinates) to support traceability as simple electronic signatures under eIDAS (Regulation (EU) No 910/2014, Art. 3(10)).
5. What we don't have yet (transparency)
We'd rather be straight than fake what we're not. These certifications and controls are not yet in place; they are on the roadmap and will be activated when commercial demand justifies it:
- ISO 27001. On the roadmap. We will pursue it when a customer that requires it contractually signs with us. If that's your case, tell us and we'll accelerate.
- Norven's own SOC 2 Type II report (the underlying vendors already hold theirs). Same criterion as ISO 27001.
- Enterprise SSO (SAML/Okta/Azure AD). Available on demand from the Custom plan onwards.
- Annual external pentest. Planned for when we start onboarding mid-market accounts.
6. Your DPO or security team wants more detail
These documents are ready to send if you are closing a contract with us:
- Data Processing Agreement (DPA) template — downloadable directly, no signup required.
- Privacy Policy.
- Terms of Service.
- Completed security questionnaire (sent under NDA or on request). Email hola@mgmautomations.es with subject "Security questionnaire".