Security and data handling
Norma is built to handle firm financial, project, and contract information with clear workspace boundaries, scoped AI usage, and transparent data practices.
What Norma protects
Norma is built for the kinds of information that architecture and design firms already keep in spreadsheets, inboxes, and disconnected tools. These are the categories the product is designed to treat as sensitive within a firm workspace.
- Contracts and scopes
- Financial reports
- AR/AP and cash flow data
- Pipeline and backlog data
- Project budgets and staffing context
- Valuation inputs and assumptions
- Workspace conversations and uploaded files
Workspace separation
Norma is designed so that firm data is processed in a scoped workspace context and is never shared across customer workspaces. API requests that touch firm data are gated by workspace membership; database access is scoped to the active workspace, with isolation enforced in application code and covered by automated tests that run on each deploy.
Within a workspace, role-based access separates admins from members. Admins can invite users, adjust permissions, and remove data. Members use the product without changing workspace structure. The roles are intentionally simple.
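The two checks above (workspace membership first, then role, with every query filtered by workspace id inside the data-access layer) look like this in practice. This is an added example, not Norma's code; the membership table, file rows, workspace ids and the admin-only action set are all assumed and constructed for illustration.

```python
"""Workspace-scoped authorization, as an added illustration (not Norma's code).

Assumed model: every firm-data row carries a workspace_id, every request names
the active workspace, and one membership table answers both "is this user in
this workspace at all" and "admin or member".
"""
from typing import Optional

# Constructed sample data: two customer workspaces, three users.
MEMBERSHIPS = {
    ("alice", "ws-acme"): "admin",
    ("bob", "ws-acme"): "member",
    ("carol", "ws-zeta"): "admin",
}

# One shared table; isolation rests entirely on filtering by workspace_id.
FILES = [
    {"id": 1, "workspace_id": "ws-acme", "name": "acme-contract.pdf"},
    {"id": 2, "workspace_id": "ws-zeta", "name": "zeta-backlog.xlsx"},
]

ADMIN_ONLY = {"invite_user", "change_role", "delete_data"}  # assumed split


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def role_for(user: str, workspace_id: str) -> Optional[str]:
    return MEMBERSHIPS.get((user, workspace_id))


def authorize(user: str, workspace_id: str, action: str) -> str:
    """Gate on membership first, then on role; return the role on success."""
    role = role_for(user, workspace_id)
    if role is None:
        # Same answer whether the workspace exists or not, so a caller cannot
        # enumerate workspace ids by probing.
        raise Forbidden("not a member of this workspace")
    if action in ADMIN_ONLY and role != "admin":
        raise Forbidden("admin role required")
    return role


def list_files(user: str, workspace_id: str) -> list:
    authorize(user, workspace_id, "read")
    # The scope filter lives inside the data-access function, never with the
    # caller, so a forgotten WHERE clause cannot expose another tenant's rows.
    return [f for f in FILES if f["workspace_id"] == workspace_id]


def get_file(user: str, workspace_id: str, file_id: int) -> dict:
    """Look up by (workspace_id, id), never by id alone: an IDOR guard."""
    authorize(user, workspace_id, "read")
    for f in FILES:
        if f["workspace_id"] == workspace_id and f["id"] == file_id:
            return f
    # A file that exists in some other workspace is reported exactly like one
    # that does not exist at all.
    raise NotFound("no such file in this workspace")


def invite_user(actor: str, workspace_id: str, invitee: str, role: str = "member") -> None:
    """Admin-only: membership changes are the one thing members cannot do."""
    authorize(actor, workspace_id, "invite_user")
    MEMBERSHIPS[(invitee, workspace_id)] = role


def raises(exc_type, fn, *args) -> bool:
    """Helper so denials can be checked as booleans rather than by try/except."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    print(list_files("alice", "ws-acme"))
    print(raises(NotFound, get_file, "alice", "ws-acme", 2))
    print(raises(Forbidden, list_files, "carol", "ws-acme"))
```

The point worth testing on deploy is the second lookup: a request for file 2 from workspace ws-acme must fail even though file 2 exists, because the row lookup is keyed on (workspace_id, id) rather than on the id alone.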
Authentication and access
Sign-in uses email and password. Passwords are hashed with bcrypt and are never stored in plaintext or in any recoverable form.
Login attempts are rate-limited. After repeated failures for a given IP-and-email pair within a short window, the account is temporarily locked at the application layer, which blunts credential stuffing.
Sessions use JSON Web Tokens (JWTs) with a limited lifetime, so a leaked token is only useful until it expires. Two-factor authentication is not available in the product today; it is planned. Single sign-on is also planned. Firms with hard requirements in these areas should talk to us before a broader rollout.
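The login path described above, worked through end to end: failures counted per (IP, email) pair in a sliding window, a temporary lock once the threshold is hit, and a signed session token that is rejected once its lifetime has passed. This is an added example and not Norma's code; the window, threshold, lockout length and token lifetime are assumed values, the sample user is constructed, and hashlib.scrypt stands in for bcrypt so the block runs on the standard library alone.

```python
"""Login with per-(IP, email) lockout and expiring session tokens.
Added example, not Norma's code. Thresholds, window and lifetime are assumed
values; Norma uses bcrypt, and hashlib.scrypt stands in for it here.
"""
import base64
import hashlib
import hmac
import json
import os
from collections import deque

WINDOW_SECONDS = 60       # assumed "short window" for counting failures
MAX_FAILURES = 5          # assumed failures before locking
LOCKOUT_SECONDS = 300     # assumed lockout duration
TOKEN_TTL_SECONDS = 3600  # assumed JWT lifetime


def hash_password(password: str, salt: bytes = None) -> bytes:
    salt = salt or os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


class LoginLimiter:
    """Failures are counted per (ip, email) pair inside a sliding window."""

    def __init__(self):
        self.failures = {}      # (ip, email) -> deque of failure timestamps
        self.locked_until = {}  # (ip, email) -> time the lock lifts

    def is_locked(self, ip, email, now) -> bool:
        until = self.locked_until.get((ip, email))
        return until is not None and now < until

    def record_failure(self, ip, email, now) -> None:
        key = (ip, email)
        stamps = self.failures.setdefault(key, deque())
        stamps.append(now)
        while stamps and stamps[0] <= now - WINDOW_SECONDS:  # age out old failures
            stamps.popleft()
        if len(stamps) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            stamps.clear()

    def record_success(self, ip, email) -> None:
        self.failures.pop((ip, email), None)
        self.locked_until.pop((ip, email), None)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, email: str, workspace_id: str, now: int) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": email, "ws": workspace_id, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(secret: bytes, token: str, now: int):
    """Return the claims, or None when signature, algorithm or expiry fails."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse alg=none and any algorithm the server did not pick
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        return claims if now < claims["exp"] else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


# Constructed sample user table; a dummy hash is verified for unknown emails so
# response time does not reveal which addresses have accounts.
USERS = {"alice@example.com": {"pw": hash_password("correct horse"), "ws": "ws-acme"}}
DUMMY_HASH = hash_password("placeholder")
SECRET = os.urandom(32)


def login(limiter: LoginLimiter, ip: str, email: str, password: str, now: int):
    """Return (status, token); status is 'ok', 'invalid' or 'locked'."""
    if limiter.is_locked(ip, email, now):
        return "locked", None
    user = USERS.get(email)
    ok = verify_password(password, user["pw"] if user else DUMMY_HASH) and user is not None
    if not ok:
        limiter.record_failure(ip, email, now)
        return "invalid", None
    limiter.record_success(ip, email)
    return "ok", mint_token(SECRET, email, user["ws"], now)
```

Two details carry most of the value: the lock is keyed on the pair, so the same email from a different address is not blocked and the same address trying a different email starts its own count; and the token check refuses any algorithm other than the one the server chose before it looks at the signature, which closes the alg=none class of JWT bugs.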
Storage and transport
Where data is stored
Each customer operates in its own workspace. Uploaded files, metrics, conversation history, and analysis outputs are scoped at the database layer. Reads and writes go through workspace authorization checks.
The production database is PostgreSQL, hosted on Railway, with encryption at rest provided by the hosting environment. Uploaded files are stored within that same environment (database BLOB storage and filesystem as appropriate).
Norma does not currently offer a separate customer-managed encryption layer on top of the platform default. Firms with stricter requirements should ask us directly.
Data in transit
Connections to Norma (marketing site, application, and API) use HTTPS with TLS at the edge. Norma does not operate a plain-HTTP version of the product for firm data. Connections from Norma to upstream services (such as AI APIs and email) also use HTTPS.
Traffic between Norma's own services runs within the hosting provider's environment; cross-region and external paths are encrypted in transit.
AI provider usage
Norma's reasoning layer calls external model providers (including Anthropic and OpenAI) through standard commercial API integrations. Only the inputs required for a given task are sent—such as a specific question, relevant metrics, contract excerpts, or summaries—not full database dumps or every stored file on each request.
Context is scoped to the active workspace. Norma reasons over a workspace's own data to answer users in that workspace; one customer's content is never included in another customer's context.
Whether and how provider-side systems retain or use API payloads is governed by each provider's published terms and policies, which can change. Firms should review each provider's current documentation for the training, logging, and retention commitments that apply to API usage, which can differ from the terms of the same provider's consumer products.
Data deletion and control
When a user deletes an uploaded file, its content is removed from storage. A soft-deleted database record may remain so that audit trails stay coherent for work that referenced the file (for example analyses or memos), but that record holds no file content: the underlying content is gone.
Conversations and chat history are hard-deleted on user request, without retaining conversation content afterward.
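The two deletion behaviours above differ in what survives: a deleted file leaves a content-free tombstone row so work that cited it still resolves, while a deleted conversation leaves nothing. The following is an added example, not Norma's code; it assumes that file content lives only in a blob store keyed by file id, that file records, memos and conversations are separate tables carrying a workspace id, and that memos cite files by id. All data in it is constructed.

```python
"""Soft-deleted file records beside hard-deleted conversations.

Added example, not Norma's code. It assumes that file content lives only in a
blob store keyed by file id, that records and memos are separate tables, and
that memos cite files by id; the data below is constructed.
"""
from typing import Optional


class Store:
    def __init__(self):
        self.blobs = {}          # file id -> bytes: the only place content lives
        self.files = {}          # file id -> record row
        self.memos = {}          # memo id -> {"workspace_id", "text", "sources"}
        self.conversations = {}  # conversation id -> {"workspace_id", "messages"}

    @staticmethod
    def _owned(table: dict, key, workspace_id: str) -> dict:
        """An id belonging to another workspace is treated as nonexistent."""
        row = table.get(key)
        if row is None or row["workspace_id"] != workspace_id:
            raise KeyError(key)
        return row

    def upload(self, workspace_id: str, file_id: int, name: str, content: bytes) -> None:
        self.blobs[file_id] = content
        self.files[file_id] = {"workspace_id": workspace_id, "name": name,
                               "size": len(content), "deleted_at": None}

    def list_files(self, workspace_id: str) -> list:
        """Tombstones are left out of ordinary listings."""
        return [r["name"] for r in self.files.values()
                if r["workspace_id"] == workspace_id and r["deleted_at"] is None]

    def read_content(self, workspace_id: str, file_id: int) -> Optional[bytes]:
        rec = self._owned(self.files, file_id, workspace_id)
        return None if rec["deleted_at"] is not None else self.blobs[file_id]

    def delete_file(self, workspace_id: str, file_id: int, now: int) -> None:
        rec = self._owned(self.files, file_id, workspace_id)
        self.blobs.pop(file_id, None)  # the content itself is removed
        rec["deleted_at"] = now        # the row stays as a tombstone for audit

    def content_purged(self, file_id: int) -> bool:
        return file_id not in self.blobs

    def memo_sources(self, workspace_id: str, memo_id: int) -> list:
        """Sources of a memo still resolve after deletion, flagged rather than broken."""
        memo = self._owned(self.memos, memo_id, workspace_id)
        return [{"id": fid, "name": self.files[fid]["name"],
                 "deleted": self.files[fid]["deleted_at"] is not None}
                for fid in memo["sources"]]

    def delete_conversation(self, workspace_id: str, conv_id: int) -> None:
        self._owned(self.conversations, conv_id, workspace_id)
        del self.conversations[conv_id]  # hard delete: no content retained


def demo() -> Store:
    """Constructed scenario: one uploaded file cited by a memo, plus one chat."""
    s = Store()
    s.upload("ws-acme", 1, "acme-contract.pdf", b"%PDF-1.4 constructed sample")
    s.memos[10] = {"workspace_id": "ws-acme", "text": "Scope note", "sources": [1]}
    s.conversations[20] = {"workspace_id": "ws-acme", "messages": ["What is our backlog?"]}
    s.delete_file("ws-acme", 1, now=1_700_000_000)
    s.delete_conversation("ws-acme", 20)
    return s
```

The check a firm would want to run after a deletion is content_purged: the record's name and timestamp remain readable through memo_sources for audit, but no path back to the bytes exists.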
If a firm ends its relationship with Norma, the workspace is decommissioned and underlying data is removed within thirty days. Firms should export anything they need to keep before closure.
Current compliance posture
As an early-stage product, Norma does not yet claim enterprise compliance certifications such as SOC 2 or ISO 27001. The current posture is designed for small and mid-sized firms that need practical safeguards, clear workspace boundaries, and transparent handling of firm information.
Norma relies on a small set of infrastructure and service providers (for example hosting, AI APIs, transactional email, and privacy-oriented marketing analytics on this site). Each publishes its own security and privacy documentation, which your firm can review directly.
- No SOC 2 attestation yet
- No ISO 27001 certification yet
- No formal third-party security audit yet
- Two-factor authentication: planned, not in product today
- Single sign-on: planned
If you need controls that are not shipped yet, contact us before a broad rollout—we will be direct about what is in place and what is on the roadmap.
Good-faith vulnerability reports: security@tal.design
Questions about data handling?
If your firm needs to understand how Norma handles uploaded files, workspace data, or AI usage before getting started, contact us.
hello@tal.design