Security is not a feature. It is the architecture
Every Norcube product is built with encryption and privacy as the default — not as a premium upgrade. The same protections apply to every user, from day one, at every scale.
What we will never do
These are engineering decisions built into the architecture — not policies that change with a new investor or quarterly target.
Never sell your data
Your data is yours. We do not monetize it, share it with third parties, or use it for anything other than running the service you signed up for.
Never track you
We collect what we need to run the service. Nothing more. No analytics on your content, no profiling, no behavioral data.
Never store plain text creds
Database passwords are encrypted with AES-256-GCM. API keys are hashed with HMAC-SHA256. This is the architecture, not a setting.
Security in practice
Credentials encrypted at rest
Sensitive credentials like database passwords are encrypted server-side using AES-256-GCM with AWS KMS for key management. They never exist in plain text in our storage.
API keys hashed, not encrypted
API keys are hashed with HMAC-SHA256 before storage. We never store the raw key — only the hash. Each key tracks creation date, last usage, and can be revoked instantly.
Isolated backup execution
Every backup job runs in a dedicated sandboxed task, provisioned on demand. It decrypts credentials in memory, runs the backup, and is destroyed. No shared resources between jobs or customers.
EU data processing
All infrastructure runs in AWS Frankfurt (eu-central-1). Your data is processed and stored within the European Union.
Encrypted in transit
All API traffic goes through AWS Elastic Load Balancer with TLS encryption. Database connections from backup tasks use encrypted channels.
Encrypted at rest
Stored data is protected by AWS-managed server-side encryption. Client-side archive encryption for backups is on our roadmap as a high priority.
No request body logging
We do not log request bodies. Your credentials, translations, prompts, and domain queries never appear in application logs.
Rate limiting
API endpoints are rate-limited to prevent abuse and protect service availability for all users.
Privacy & data protection
GDPR compliance
We process data lawfully, minimize what we collect, and store everything in the EU. We do not sell, share, or monetize your data.
Data export
Each product provides API access to your data. Backups download as standard gzip archives. Translations export as i18n JSON. Domain data is available via API.
Data deletion
You can delete your data from the dashboard or via API. Account deletion removes your data from our systems.
No certifications yet
We do not hold SOC 2, ISO 27001, or similar certifications at this time. As we grow, we plan to pursue formal compliance certifications.
If something goes wrong
Detection and containment
We monitor infrastructure for anomalies. If a security incident is detected, affected systems are isolated immediately to prevent further exposure.
User notification within 72 hours
If your data is affected by a breach, we notify you within 72 hours of confirmation — as required by GDPR. The notification includes what happened, what data was affected, and what we are doing about it.
Transparent post-mortem
After resolution, affected users receive a post-mortem explaining the root cause, timeline, impact, and what we changed to prevent recurrence.
Report a concern
Security concerns can be reported to [email protected]. We take every report seriously and respond promptly.
Questions about security?
We are happy to answer anything about how we protect your data. Reach out anytime.