
Security at Nourva

How we protect your data, your account, and our infrastructure. Expands Sections 9.10 + 9.11 of the Terms.

Encryption

  • TLS 1.3 for all data in transit between desktop, web, and cloud.
  • AES-256-GCM at rest for sensitive cloud data.
  • On-device encryption (per-user vault) for the Memory database — your local memory never leaves your machine in plaintext.
  • Desktop release artifacts are signed with Ed25519, and the auto-updater verifies the signature before installing, so a tampered or substituted update is rejected.
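
The release-signing check described above, as an added example rather than Nourva's own updater code. It shows the two halves of the scheme: the publisher signs the SHA-256 digest of the artifact bound to its version string, and the updater verifies that signature against a public key pinned in the binary before anything is installed. The domain-separation prefix, the version binding, and the sample artifact bytes are assumptions constructed for illustration; only the use of Ed25519 for release integrity comes from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned whenever the updater must refuse an artifact.
var ErrBadSignature = errors.New("release signature invalid: refusing to install")

// signedMessage builds the bytes that are actually signed. Binding the version
// string and a fixed context prefix to the digest (an assumption, not the page's
// format) stops a valid signature for one version being replayed against another,
// and keeps the signature from being confused with other Ed25519 uses of the key.
func signedMessage(version string, artifact []byte) []byte {
	sum := sha256.Sum256(artifact)
	msg := []byte("release-sig-v1\x00" + version + "\x00")
	return append(msg, sum[:]...)
}

// SignRelease is the publisher-side step, run in the release pipeline.
func SignRelease(priv ed25519.PrivateKey, version string, artifact []byte) []byte {
	return ed25519.Sign(priv, signedMessage(version, artifact))
}

// VerifyRelease is the updater-side step: it must succeed before the downloaded
// artifact is written anywhere it could be executed.
func VerifyRelease(pub ed25519.PublicKey, version string, artifact, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature // reject malformed input before touching the verifier
	}
	if !ed25519.Verify(pub, signedMessage(version, artifact), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// In production the private key lives in the release pipeline and only the
	// public key is compiled into the desktop client. Here both are generated
	// locally so the example runs offline.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	artifact := []byte("constructed installer bytes, not a real build") // constructed sample
	sig := SignRelease(priv, "1.2.3", artifact)

	fmt.Println("genuine release:", VerifyRelease(pub, "1.2.3", artifact, sig))

	// One flipped byte in the download (MITM, corrupted mirror) must be rejected.
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0x01
	fmt.Println("tampered artifact:", VerifyRelease(pub, "1.2.3", tampered, sig))

	// A genuine old artifact re-served under a new version string is also rejected,
	// because the version is part of the signed message.
	fmt.Println("version swap:", VerifyRelease(pub, "1.2.4", artifact, sig))
}
```

The updater should treat any non-nil error as fatal for that update and keep the currently installed version; it should never fall back to an unsigned download path. Hashing the artifact before signing also means the signature can ship in a small sidecar file and be checked without reading the whole installer into the verifier's message buffer twice.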

Authentication & Access

  • Passwords hashed with bcrypt or argon2 — never stored in plaintext.
  • Multi-factor authentication (TOTP) available on every account.
  • Single-device session enforcement: a successful login on a new device automatically invalidates the prior session.
  • Role-based access controls inside Nourva. Production access is logged and audited.

Infrastructure

  • Cloudflare Workers + Durable Objects + KV for the always-on bridge and global edge.
  • AWS-backed managed services for primary cloud workloads, with regular vulnerability scanning.
  • PostgreSQL with per-user data isolation enforced at the query layer, with the requesting user's identity validated by the Gateway before any query runs.
  • Production deploys go through automated tests and signed release artifacts.

Vulnerability Disclosure

  • Report security issues to [email protected]. We acknowledge within 72 hours.
  • We follow a 90-day responsible disclosure window before public details may be shared.
  • Researchers acting in good faith will not be subject to legal action for testing covered by these guidelines.
  • PGP key for encrypted reports will be published at /security/pgp.txt — request via email if needed.

Incident Response

  • Formal incident response procedures with on-call rotation.
  • Personal data breach notifications to supervisory authorities within 72 hours per GDPR Art. 33 and PDPL Art. 21.
  • Affected users are notified without undue delay where the risk to rights and freedoms is high (GDPR Art. 34).
  • Public statements, where appropriate, are posted on this page.

Compliance Posture

  • Designed to meet GDPR / UK GDPR / CCPA-CPRA / PDPL (Saudi Arabia) / EU AI Act Art. 50 transparency.
  • No-training commitment with all AI sub-processors — your prompts, files, and memory are never used to train models.
  • Sub-processors listed at /legal/sub-processors with 30-day change notice.
  • Annual security audits and penetration testing.

Found a vulnerability?

Report it to [email protected]. We acknowledge within 72 hours, fix critical issues quickly, and credit researchers who disclose responsibly.

© 2026 Nourva.