Security at Noru

Official machine-readable policy: /.well-known/security.txt

Noru's security program is designed to protect customer data, support continuous compliance, and make responsible disclosure straightforward. If you believe you have discovered a vulnerability, email security@noru.tech with clear reproduction steps. We acknowledge reports within 24 hours, complete initial triage within 3 business days, and aim for coordinated disclosure within 90 days.

Disclosure Timeline

  • 24 hours: Acknowledgement
  • 3 days: Initial triage
  • 90 days: Coordinated disclosure

How It Works
Inbound: Vulnerability report

Clear reproduction details, affected assets, and impact indicators help us move faster.

Outbound: Coordinated remediation

We validate, scope, fix, and communicate through direct updates plus advisories when customers are affected.

Trust Resources

Encrypted intake available

PGP key published for confidential vulnerability submissions.

Machine-readable policy

security.txt, disclosure policy, advisories, and contact paths published from one surface.

Clear handling expectations

Researchers know what to expect on response, triage, and coordinated disclosure timing.

01 Governance

Security is built into how Noru operates

We maintain documented security, incident management, and business continuity practices, review access on a least-privilege basis, and use policy-driven controls to keep responsibilities clear as the platform evolves.

02 Core Controls

Technical and organizational safeguards work together

Our program includes RBAC, MFA for administrative access, secure development practices, vulnerability management, monitoring and alerting, and vendor due diligence for subprocessors and critical providers.

03 Transparency

Security information is accessible and actionable

We are deliberate about trust and transparency. Customers and researchers can review our disclosure policy, machine-readable security.txt file, advisories, encryption details, and contact paths from one place.

Program Design

How we think about security

Our approach combines governance, secure engineering, monitoring, resilience, and transparent disclosure. The goal is not just to document controls, but to make them operational and repeatable.

1. Limit access to people with a legitimate business need and review that access regularly.
2. Apply layered safeguards across infrastructure, product, and internal operations rather than relying on a single control.
3. Build security into development and operational processes so issues are found earlier and remediation is easier to track.
4. Keep the program observable and transparent through clear policies, contact paths, and published disclosure materials.

Reporting Flow

From report intake to coordinated disclosure

The reporting path is deliberately simple: submit a report, receive acknowledgement, move through validation and triage, then coordinate remediation and communication based on impact.

The objective is clarity for both customers and researchers. Fast intake matters, but so does predictable follow-through.

1. Report: security@noru.tech or encrypted report
2. Acknowledge: within 24 hours
3. Triage: within 3 business days
4. Coordinate: 90 days

What helps us validate fast

  • Clear reproduction steps and impacted endpoints or workflows.
  • Evidence that distinguishes a real security boundary issue from expected behavior.
  • Contact details for follow-up while remediation is in progress.

Publication surfaces

  • Direct replies to reporters and affected customers
  • `/security/advisories` for published notices
  • Trust documentation and policy pages

Access Control

  • Role-based access control and least-privilege access patterns.
  • Multi-factor authentication for administrative access.
  • Periodic access reviews and authorization checks for sensitive systems.
  • Single sign-on support where available.

Data Protection

  • TLS for data in transit.
  • Encryption at rest for production data and backups.
  • Secure key management practices.
  • Logical tenant separation designed to prevent cross-customer access.

Monitoring and Resilience

  • Security logging, monitoring, and alerting for important systems.
  • Audit trails for administrative actions.
  • Documented incident response processes and breach notification paths.
  • Backup and disaster recovery measures that support service continuity.

Secure Delivery

  • Peer review and code review as part of normal engineering workflows.
  • Dependency scanning, vulnerability management, and security testing.
  • Network controls, patching, and environment hardening appropriate to the hosting environment.
  • Due diligence and contractual controls for subprocessors and other vendors.

Safeguards

Controls across product, infrastructure, and operations

Noru maintains administrative, physical, and technical safeguards designed to protect personal and customer data. These controls are reflected in our legal terms, disclosure processes, and trust documentation.

For customers performing vendor reviews, additional program detail is available through our Trust Center.

Data Handling

Regional processing and transfer controls

Noru's primary processing location is Sweden within the EEA. Limited sub-processing activities may involve the United States, and cross-border transfers are supported through contractual and legal transfer mechanisms where required.

Privacy Boundaries

Customer data handling is purpose-bound

We process data to provide and secure the service, maintain availability, prevent abuse, and support customer use of the platform. Customer data is not used to train LLMs for other customers.

Disclosure

Researchers and customers have a direct path to us

We publish a clear vulnerability disclosure policy, support encrypted reports, and use advisories and direct communication to coordinate remediation when issues affect customers.