Security
Last updated: 24 April 2026
This page describes how norppa.io is built and operated from a security perspective. We believe customers evaluating a security intelligence platform deserve a clear, honest picture — not marketing language.
Questions or concerns: [email protected]
1. Assessment Methodology
norppa.io generates security findings entirely from publicly available information. We query open sources such as DNS records, public certificate transparency logs, internet-wide scan databases, threat intelligence feeds, data breach repositories, and paste sites.
We do not:
- Access or log into any of your suppliers' systems
- Require any integration, agent, or credential from you or your suppliers
- Store credentials, API keys, or tokens belonging to assessed organisations
- Establish persistent connections to assessed targets
- Perform any action that requires authorisation from the assessed organisation
External port exposure checks are conducted against publicly routable IP addresses only, using the same vantage point available to any internet observer.
2. Your Data
2.1 Data residency
All customer data — supplier lists, findings, reports, and account information — is stored on infrastructure located within the European Union. Core data resides in Finland. No customer data is transferred outside the EU.
2.2 Customer isolation
Every record in our database carries a customer_id that is enforced at the application level. It is architecturally impossible for one customer to read another customer's suppliers, findings, or reports.
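The customer_id enforcement described above, as an added example that is not norppa.io's own code: a data-access layer that binds the customer scope once per request, stamps and filters customer_id itself, and refuses any query made outside a scope, so a cross-tenant lookup by record id returns nothing rather than another customer's data. The schema, table name and function names are assumptions, and the rows are constructed sample data.

```python
import sqlite3
from contextvars import ContextVar

# Tenant scope of the current request, bound once at authentication time.
_current_customer = ContextVar("current_customer", default=None)


class MissingTenantScope(Exception):
    """Data access attempted with no authenticated customer scope bound."""


def set_customer_scope(customer_id):
    """Bind the active customer_id for this context (None clears it)."""
    return _current_customer.set(customer_id)


class FindingsRepository:
    """Every query passes through here; customer_id is never caller-supplied."""

    def __init__(self):
        # Assumed schema, in memory; callers seed it with constructed rows.
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE findings (id TEXT, customer_id TEXT NOT NULL, "
                          "supplier TEXT, title TEXT, PRIMARY KEY (id, customer_id))")

    def _scope(self):
        cid = _current_customer.get()
        if cid is None:
            raise MissingTenantScope("no customer scope bound to this context")
        return cid

    def add_finding(self, finding_id, supplier, title):
        # customer_id is stamped from the scope, never taken as a parameter.
        self.conn.execute("INSERT INTO findings VALUES (?, ?, ?, ?)",
                          (finding_id, self._scope(), supplier, title))

    def get_finding(self, finding_id):
        # A lookup by id alone cannot be expressed: the tenant predicate is always appended.
        row = self.conn.execute(
            "SELECT id, supplier, title FROM findings WHERE id = ? AND customer_id = ?",
            (finding_id, self._scope())).fetchone()
        return None if row is None else {"id": row[0], "supplier": row[1], "title": row[2]}

    def list_suppliers(self):
        rows = self.conn.execute(
            "SELECT DISTINCT supplier FROM findings WHERE customer_id = ? ORDER BY supplier",
            (self._scope(),)).fetchall()
        return [r[0] for r in rows]
```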
2.3 Encryption
All data in transit is protected with TLS. Data at rest is encrypted by the underlying storage infrastructure. PDF reports are encrypted during storage and only decrypted on delivery to the authenticated session that requested them.
3. Infrastructure Security
Our assessment infrastructure operates from stable, known external IP addresses. It does not accept inbound connections from the internet. Administrative interfaces are not publicly accessible.
We apply the principle of least privilege throughout: each service component has access only to what it needs to perform its function. Credentials are rotated on a scheduled basis and are never embedded in source code.
4. Access Controls
- Production systems are accessible only via authenticated sessions with short-lived tokens.
- Personnel access to customer data is logged and limited to what is necessary for support and operations.
- Production access is restricted to a named set of operators directly responsible for running the service.
5. Ready to subscribe? Your procurement checklist
No lengthy security questionnaire required. Here is everything you need before subscribing — available on day one, no negotiation needed:
- EU-incorporated, EU-jurisdiction — Norteris Oy is a Finnish company subject to Finnish and EU law only. No exposure to extraterritorial data access regimes.
- GDPR-compliant DPA (Art. 28) — included with every subscription, ready to sign
- Privacy Policy — GDPR-compliant, EU data residency, no third-country transfers
- Sub-processor list — available on written request to [email protected]
- Breach notification — within 48 hours to affected customers, in writing
- No agents, no integration, no IT project — add a domain name and you are monitoring within minutes
- Cancel anytime — monthly plans, 30 days' notice, no lock-in
norppa.io is not currently certified to ISO 27001 or SOC 2. If your procurement process requires a written security questionnaire response, contact [email protected] and we will respond promptly.
6. Responsible Disclosure
If you discover a security vulnerability in the norppa.io platform, please report it to [email protected] with a description of the issue and steps to reproduce it. We will acknowledge receipt within 2 business days and aim to resolve confirmed issues within 30 days. We do not operate a public bug bounty programme at this time.
Please do not test for vulnerabilities against our production systems without prior written consent.
7. Contact
Security enquiries and vulnerability reports: [email protected]
General enquiries: [email protected]