Your data is your competitive advantage
Security by Architecture.
Not by Afterthought.
Every layer of Noria is designed to protect your commercial intelligence. EU-hosted. AES-256 encrypted. Row-level isolated. GDPR compliant from day one.
AES-256
Encryption Standard
EU
Data Residency
99.9%
Uptime SLA
Defense in depth
Five Layers. Zero Assumptions.
Security is not a feature. It is the architecture itself. Every request passes through five distinct protection layers before reaching your data.
Compliance Layer: GDPR, DPP, Audit
GDPR data export/delete, audit logging, DPP readiness, data processing agreements.
Infrastructure Layer: EU-hosted, redundant
Frankfurt primary, Amsterdam failover, Supabase PostgreSQL, point-in-time recovery.
Encryption Layer: AES-256, TLS 1.3
At-rest encryption, in-transit encryption, encrypted backups, signed URLs.
Authentication Layer: MFA, RBAC, sessions
Multi-factor auth, role-based access, 60-min session timeout, IP whitelist, rate limiting.
Application Layer: RLS, tenant isolation
Row-level security on all tables, cryptographic tenant separation, zero cross-tenant leakage.
Data protection
Six Pillars of Protection.
Every capability is active in production today. No roadmap promises. No coming-soon disclaimers.
Multi-Tenant Isolation
Row-Level Security (RLS) enforced on every table. Your data is cryptographically separated from other tenants at the database level. Zero cross-tenant data leakage -- enforced by PostgreSQL, not application code.
Authentication and Access
Multi-factor authentication with backup codes. Role-based access control across four tiers: Admin, Manager, Operator, Viewer. Session timeout after 60 minutes of inactivity. Rate limiting at 10 failed attempts per 15-minute window. IP whitelist capability for enterprise clients.
Encryption at Every Layer
AES-256 encryption at rest for all stored data. TLS 1.3 for all data in transit. Encrypted database backups with point-in-time recovery. Secure file storage with time-limited signed URLs -- no permanent public links to sensitive documents.
Immutable Audit Trail
Three dedicated audit log tables tracking all data modifications. Every change records who, what, when, and from where. Audit records are immutable -- they cannot be edited or deleted, even by administrators. Export audit logs for external compliance review.
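As an added illustration of the row-level tenant isolation and the append-only audit tables described above (example SQL written here, not Noria's own schema or policies): it assumes PostgreSQL with Supabase's auth.jwt() helper and authenticated role, a hypothetical orders table, and a tenant_id claim carried in the JWT; the closing query is the kind of check a migration review for RLS impact can run.

```sql
-- Constructed example: tenant isolation and an append-only audit log using RLS.
-- Assumes Supabase's auth.jwt() helper and "authenticated" role, plus a custom
-- JWT claim "tenant_id" (assumption; the page does not say how tenants are keyed).
create table orders (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  payload   jsonb not null
);

alter table orders enable row level security;
-- ENABLE alone exempts the table owner; FORCE closes that gap. Superusers and
-- roles with BYPASSRLS still bypass RLS, so keep those out of app connections.
alter table orders force row level security;

-- USING filters what can be read/updated/deleted; WITH CHECK rejects any row
-- written with another tenant's id. (select ...) evaluates the claim once per
-- statement rather than once per row.
create policy orders_tenant_only on orders
  for all to authenticated
  using (tenant_id = (select (auth.jwt() ->> 'tenant_id')::uuid))
  with check (tenant_id = (select (auth.jwt() ->> 'tenant_id')::uuid));

-- Append-only audit log: the role gets only SELECT and INSERT, and no
-- UPDATE/DELETE policy exists, so both the privilege check and RLS refuse edits.
create table audit_log (
  id          bigint generated always as identity primary key,
  tenant_id   uuid not null,
  actor_id    uuid not null,
  action      text not null,
  row_ref     text not null,
  client_ip   inet,
  occurred_at timestamptz not null default now()
);
alter table audit_log enable row level security;
alter table audit_log force row level security;
revoke all on audit_log from authenticated;
grant select, insert on audit_log to authenticated;

create policy audit_append on audit_log
  for insert to authenticated
  with check (tenant_id = (select (auth.jwt() ->> 'tenant_id')::uuid));
create policy audit_read on audit_log
  for select to authenticated
  using (tenant_id = (select (auth.jwt() ->> 'tenant_id')::uuid));
-- Migration review check: list ordinary tables in public with RLS still off.
select c.relname
  from pg_class c
  join pg_namespace n on n.oid = c.relnamespace
 where n.nspname = 'public' and c.relkind = 'r' and not c.relrowsecurity;
```

Any table returned by the final query is reachable without a tenant filter and should block the migration until a policy is added.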
GDPR Compliance
Full data export on request -- complete tenant data package delivered within 72 hours. Data deletion on request with right-to-be-forgotten enforcement. Privacy by design architecture. Data processing agreements available for all enterprise clients. EU data residency guaranteed.
Business Continuity
Automated daily backups with 30-day retention. Point-in-time recovery to any second within the retention window. Disaster recovery with EU failover from Frankfurt to Amsterdam. 99.9% uptime SLA on Enterprise tier.
Compliance posture
Compliance Status.
Transparent about what is certified, what is in progress, and what is planned.
GDPR Compliant (Active): Full data subject rights. EU hosting. DPA available.
DPP Ready (Active): Digital Product Passport framework built in.
EU Hosted (Active): Frankfurt primary. Amsterdam failover.
SOC 2 Type II (Planned): Service organization controls audit.
Under the hood
Infrastructure.
Where your data lives, how it is processed, and what protects it.
Hosting
Primary: EU West (Frankfurt, Germany)
Failover: EU West (Amsterdam, Netherlands)
CDN: Global edge network for static assets
Sovereignty: No data leaves the EU unless explicitly configured
Database
Engine: PostgreSQL (Supabase managed)
Schema: 71 tables with RLS policies
Recovery: Point-in-time recovery
Analytics: Read replicas for reporting workloads
Edge Functions
Count: 34 serverless edge functions
Region: Deployed at EU edge locations
Isolation: Isolated execution per request
State: No persistent state between invocations
API protection
Secure by Default.
Open by Design.
Noria exposes a REST API and webhook system for enterprise integrations. Every endpoint is protected by multiple authentication layers. Every request is logged, rate-limited, and scoped to the minimum required permission.
Authentication: OAuth 2.0 with Supabase Auth
Webhook Signing: HMAC-SHA256 verification on all outbound webhooks
Rate Limiting: 100,000 calls/day on Enterprise tier
Scoped Keys: Read/write permissions configurable per module
Request Logging: Full request/response logging with IP tracking
CORS Protection: Domain whitelist enforced on all API endpoints
Operational security
How We Protect Your Data Every Day.
Security is a process, not a product. These are the practices we follow continuously.
Technical Practices
- Regular dependency audits (automated via CI/CD)
- Penetration testing (annual, third-party)
- Vulnerability disclosure program
- Automated security scanning on every deployment
- Database migration review for RLS impact
Organizational Practices
- Security incident response plan
- Employee security training
- Code review requirements (all PRs reviewed)
- Principle of least privilege for team access
- Encrypted internal communications
Your compliance requirements
Questions About Security?
Our security team is available to discuss your specific compliance requirements, conduct security reviews, and provide detailed documentation for your procurement process.