Noru

Privacy · Data protection at scale

Privacy records that maintain themselves.

A living record of processing that updates as your systems change — instead of a spreadsheet you rebuild before every audit. Noru derives your records of processing from the systems that actually handle personal data: annotated in code, pushed from CI, enriched by AI, governed by your privacy team.

The way this usually goes

Questionnaires capture what people remember, not what systems do — and they're stale before the quarter ends.

Legal bases, retention and transfer safeguards live in a spreadsheet nobody trusts when a regulator or customer asks.

Every new feature ships processing changes that privacy hears about months later, if at all.

Who it's for

One system, every stakeholder

Privacy & DPO

Own an Article 30 register that is always current, with field-level lineage you can defend to any regulator.

Engineering

Annotate once in code and CI keeps the register in sync — no quarterly questionnaires.

Legal & compliance

Legal bases, retention and transfers reasoned per activity — drafted by AI, approved by you.

Leadership

Privacy posture visible next to risk, ready for regulators and enterprise customers.

How it works

What Noru does instead

01

Derived from code, not memory

Engineering annotates data categories, uses and subjects in fideslang manifests. CI pushes them to Noru, which materializes systems, datasets and processing activities — with field-level granularity and change history.

  • Fideslang taxonomy: 40+ data categories out of the box
  • Immutable version history with change detection on every push
  • Deep links from each record back to the commit that introduced it

02

AI-enriched, human-approved

Noru drafts the legal basis, retention reasoning and technical measures for each activity from its code context. Your privacy team reviews, accepts or dismisses — nothing publishes itself.

  • Suggested legal bases and retention rules per activity
  • Transfer detection with safeguard tracking — SCCs, adequacy, BCRs
  • Technical and organizational measures linked to real controls

03

Assessments triggered when they should be

When a manifest introduces special-category data or a cross-border transfer, Noru opens a DPIA automatically — before the feature ships, not after the regulator asks.

  • Auto-triggered GDPR DPIAs and US state assessments
  • Outcomes tracked: proceed, mitigate, consult authority
  • Mitigations land in the risk register, linked to controls

04

An explorable data map

Systems, datasets and processing activities render as an interactive map your DPO can actually navigate — and your Article 30 register exports straight from it.

  • Live graph of systems → datasets → processing activities
  • Article 30 register that stays current on its own
  • Doubles as a US state-law data inventory

Request a demo

See it on your own data.

A walkthrough tailored to this use case, with your questions answered by practitioners.

  • 45 minutes, tailored to the frameworks and use cases you care about
  • Answers from practitioners, not a sales script
  • Leave with a concrete rollout plan — or a clear no-fit

FAQ

Frequently asked questions

How do processing activities get into Noru?

Engineering teams annotate data categories, uses and subjects in fideslang YAML manifests that live next to the code. A CI step pushes the manifest to Noru on every change, and Noru materializes systems, datasets and processing activities from it — with full version history.

We already have a records-of-processing spreadsheet. Can we import it?

Yes. You can create and edit processing activities manually, so existing records can be migrated and then progressively backed by manifests as teams adopt the annotation workflow.

What does the AI actually do — and can we trust it?

The AI drafts legal bases, retention reasoning and applicable safeguards from each activity's code context and system description. Every suggestion is marked as a draft until a human accepts or dismisses it. Nothing enters your official register without review.

Does this cover US state privacy laws too?

Yes. The same inventory doubles as a data map for US state laws, and assessments support US state DPIA requirements alongside GDPR.