Security & compliance

Security is not a feature. It is the architecture

Every Norcube product is built with encryption and privacy as the default — not as a premium upgrade. The same protections apply to every user, from day one, at every scale.

Encrypted credentials · EU data processing · GDPR compliant · No security tiers
Guarantees

What we will never do

These are engineering decisions built into the architecture — not policies that change with a new investor or quarterly target.

principle 01

Never sell your data

Your data is yours. We do not monetize it, share it with third parties, or use it for anything other than running the service you signed up for.

principle 02

Never track you

We collect what we need to run the service. Nothing more. No analytics on your content, no profiling, no behavioral data.

principle 03

Never store plaintext credentials

Database passwords are encrypted with AES-256-GCM before they are stored. API keys are stored only as HMAC-SHA256 hashes. This is the architecture, not a setting.

How it works

Security in practice

01

Credentials encrypted at rest

Sensitive credentials such as database passwords are encrypted server-side with AES-256-GCM, with AWS KMS managing the keys. They never exist in plaintext in our storage; they are decrypted only in memory, inside the backup task that needs them.
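The credential path described above, written out as an added example (this is not Norcube's code). The `KeyService` type is a stand-in for AWS KMS, which in production holds the key-encryption key and performs the wrap and unwrap calls; the record id is used the way a KMS encryption context would be, so a ciphertext cannot be moved to another record. The sample connection string is constructed, not real.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredCredential is the only form in which a secret reaches the database:
// no plaintext, and the per-record data key is itself wrapped.
type StoredCredential struct {
	ID         string // record id, bound into both ciphertexts as AAD
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK): what KMS Encrypt would return
	Ciphertext []byte // nonce || AES-256-GCM(DEK, secret), 16-byte tag included
}

// KeyService stands in for AWS KMS (an assumption of this example): the
// key-encryption key never leaves it, and the record id plays the role of
// the KMS encryption context.
type KeyService struct{ kek []byte }

func NewKeyService() *KeyService { return &KeyService{kek: randomBytes(32)} }

// randomBytes panics on failure: there is no safe fallback for key material.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("crypto/rand failed: " + err.Error())
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce and returns nonce || ciphertext;
// aad ties the result to a context so it cannot be moved to another record.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on any bit flip in nonce, ciphertext, tag or aad.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

// EncryptCredential draws a fresh 256-bit DEK per credential, encrypts the
// secret under it, wraps the DEK under the KEK, and stores only the wrapped form.
func EncryptCredential(ks *KeyService, id string, secret []byte) (*StoredCredential, error) {
	dek := randomBytes(32)
	ct, err := seal(dek, secret, []byte(id))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(ks.kek, dek, []byte(id)) // KMS Encrypt
	if err != nil {
		return nil, err
	}
	return &StoredCredential{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptCredential is what a backup task does in memory just before it
// connects to the customer's database: unwrap the DEK, then the secret.
func DecryptCredential(ks *KeyService, rec *StoredCredential) ([]byte, error) {
	dek, err := open(ks.kek, rec.WrappedDEK, []byte(rec.ID)) // KMS Decrypt
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext, []byte(rec.ID))
}

func main() {
	ks := NewKeyService()
	// Constructed sample connection string, not a real credential.
	rec, _ := EncryptCredential(ks, "cred-42", []byte("postgres://app:s3cret@db.internal/app"))
	pt, err := DecryptCredential(ks, rec)
	fmt.Printf("roundtrip: %q err=%v\n", pt, err)
}
```

Two properties are worth checking against any real implementation of this pattern: the plaintext data key exists only in the memory of the process that called `DecryptCredential`, never in storage, and because the record id is authenticated data, a ciphertext copied into another record, or a single flipped bit in ciphertext, tag or nonce, fails to decrypt rather than yielding garbage.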

02

API keys hashed, not encrypted

API keys are hashed with HMAC-SHA256 before storage; we never store the raw key, only the hash, so a leaked table of hashes cannot be replayed as keys. Each key records its creation date and last use, and can be revoked instantly.
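The same idea for API keys, as an added example that is not Norcube's code. The key format `nc_<id>_<secret>`, the server-side HMAC key (a "pepper" held outside the database) and the in-memory map standing in for the keys table are all assumptions of this example; what it demonstrates is the page's claim: the raw key is handed out once, only HMAC-SHA256 of its secret half is stored, lookups use the public id, comparison is constant-time, and revocation takes effect on the next request.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// APIKeyRecord is the whole stored row: an HMAC of the secret half of the key
// plus the metadata the page lists. The raw key is never written anywhere.
type APIKeyRecord struct {
	ID        string // public key id, safe to log and to index on
	Hash      []byte // HMAC-SHA256(pepper, secret half)
	CreatedAt time.Time
	LastUsed  time.Time
	Revoked   bool
}

// KeyStore keeps the records and the server-side HMAC key ("pepper"). Keeping
// the pepper outside the database is an assumption of this example.
type KeyStore struct {
	mu     sync.Mutex
	pepper []byte
	keys   map[string]*APIKeyRecord // stands in for the keys table
}

func NewKeyStore() *KeyStore {
	return &KeyStore{pepper: randomBytes(32), keys: map[string]*APIKeyRecord{}}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("crypto/rand failed: " + err.Error()) // no safe fallback for key material
	}
	return b
}

func (s *KeyStore) hash(secret string) []byte {
	m := hmac.New(sha256.New, s.pepper)
	m.Write([]byte(secret))
	return m.Sum(nil)
}

// Issue mints a key of the form nc_<id>_<secret> (format assumed for this
// example). The full string is returned once; only HMAC(secret) is stored.
func (s *KeyStore) Issue() string {
	id := hex.EncodeToString(randomBytes(8))      // 64-bit public id
	secret := hex.EncodeToString(randomBytes(32)) // 256-bit secret half
	s.mu.Lock()
	defer s.mu.Unlock()
	s.keys[id] = &APIKeyRecord{ID: id, Hash: s.hash(secret), CreatedAt: time.Now()}
	return "nc_" + id + "_" + secret
}

var ErrInvalidKey = errors.New("invalid api key") // same error for unknown, wrong and revoked keys

// Authenticate parses a presented key, finds the record by public id (no
// secret touches the index), compares HMACs in constant time and stamps LastUsed.
func (s *KeyStore) Authenticate(presented string) (*APIKeyRecord, error) {
	parts := strings.Split(presented, "_")
	if len(parts) != 3 || parts[0] != "nc" {
		return nil, ErrInvalidKey
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	calc := s.hash(parts[2]) // always computed, so timing does not reveal whether the id exists
	rec, ok := s.keys[parts[1]]
	if !ok || rec.Revoked || !hmac.Equal(calc, rec.Hash) {
		return nil, ErrInvalidKey
	}
	rec.LastUsed = time.Now()
	return rec, nil
}

// Revoke flips the flag; the next Authenticate call with that key fails.
func (s *KeyStore) Revoke(id string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.keys[id]
	if ok {
		rec.Revoked = true
	}
	return ok
}

func main() {
	s := NewKeyStore()
	key := s.Issue() // shown to the customer once; only HMAC(secret) is stored
	_, err := s.Authenticate(key)
	fmt.Println("auth:", err)
}
```

Because the stored value is HMAC(pepper, secret) rather than a plain hash, an attacker holding a dump of the table cannot even brute-force the 256-bit secrets offline without also obtaining the pepper; presenting the stored hash itself as a key fails, since it is hashed again on the way in.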

03

Isolated backup execution

Every backup job runs in a dedicated sandboxed task, provisioned on demand. It decrypts credentials in memory, runs the backup, and is destroyed. No shared resources between jobs or customers.

04

EU data processing

All infrastructure runs in AWS Frankfurt (eu-central-1). Your data is processed and stored within the European Union.

05

Encrypted in transit

All API traffic enters through an AWS Elastic Load Balancer over TLS. Backup tasks connect to customer databases over encrypted channels.

06

Encrypted at rest

Stored data is protected by AWS-managed server-side encryption. Server-side encryption protects data on the underlying storage; it does not make backup archives opaque to the service itself, which is what client-side archive encryption will add. That is on our roadmap as a high priority.

07

No request body logging

We do not log request bodies. Your credentials, translations, prompts, and domain queries never appear in application logs.

08

Rate limiting

API endpoints are rate-limited to prevent abuse and protect service availability for all users.

Compliance

Privacy & data protection

01

GDPR compliant

We process data lawfully, minimize what we collect, store everything in the EU, and never sell it. Read the privacy policy.

02

Customer DPA available

Our Data Processing Agreement is public and auto-applies to every customer. Signed copies available on request.

03

Transparent subprocessors

Every third party that processes customer data is listed publicly with what they see and where they are.

04

AI Act ready

Under the EU AI Act we act only as a deployer, not a provider; the models come from OpenAI. AI-generated outputs are labeled as such. Your content is never used to train external models.

05

On the certifications roadmap

We do not yet hold SOC 2 or ISO 27001 — we are building the controls first. We will pursue audits when customer demand triggers them.

Incident response

If something goes wrong

01

Detection and containment

We monitor infrastructure for anomalies. If a security incident is detected, affected systems are isolated immediately to prevent further exposure.

02

User notification within 72 hours

If your data is affected by a breach, we notify you within 72 hours of confirmation. GDPR itself sets a 72-hour deadline for notifying the supervisory authority (Article 33), counted from when the controller becomes aware of the breach, and requires affected users to be told without undue delay where the breach poses a high risk to them (Article 34); we apply the 72-hour window to user notification as well. The notification includes what happened, what data was affected, and what we are doing about it.

03

Transparent post-mortem

After resolution, affected users receive a post-mortem explaining the root cause, timeline, impact, and what we changed to prevent recurrence.

04

Report a concern

Security concerns can be reported to [email protected]. We take every report seriously and respond promptly.

Ready when you are

Questions about security?

We are happy to answer anything about how we protect your data. Reach out anytime.
