Unorma

Legal

Security at Unorma

An overview of how we protect the data you trust us with — infrastructure, encryption, access controls, and how to report a concern.

Last updated: July 5, 2026

Compliance data is sensitive by nature. This page summarizes the practices we follow to protect it. If you need more detail — for a vendor security review or procurement process — email security@unorma.com and we’ll share our latest documentation under NDA where appropriate.

1. Infrastructure & Hosting

The Unorma platform runs on reputable cloud infrastructure with network segmentation, firewalls, and isolated environments separating production, staging and development. Infrastructure changes go through code review and access-controlled deployment pipelines.

2. Encryption

  • Data in transit is encrypted using TLS.
  • Data at rest is encrypted using industry-standard encryption.
  • Secrets and credentials are stored in dedicated secrets-management systems, not in source code.

3. Access Controls

  • Role-based access control, scoped to the minimum access needed for each function.
  • Multi-factor authentication required for internal access to production systems.
  • Access to customer data by Unorma staff is logged and reviewed periodically.
  • Access is revoked promptly when an employee changes roles or leaves the company.

4. Application Security

  • Peer code review is required before changes reach production.
  • Automated dependency and vulnerability scanning across our codebase.
  • Separate environments for development, staging and production, with production data restricted from lower environments.
  • Regular review of third-party libraries and services for known vulnerabilities.

5. Payment Security

All payments are processed by Stripe, Inc., a PCI-DSS Level 1 certified payment processor — the highest level of certification available in the payments industry. Unorma never receives, transmits, or stores full card numbers; card data is entered directly into Stripe-hosted fields and handled entirely within Stripe’s certified environment.

6. Backups & Business Continuity

Customer data is backed up on a regular schedule, with backups stored securely and separately from production systems, so that data can be restored in the event of an incident or infrastructure failure.

7. Monitoring & Incident Response

We monitor production systems for anomalous activity and maintain an internal incident response process to investigate, contain, and remediate security events. Where a security incident affects customer data, we will notify affected customers in line with our contractual and legal obligations.

8. Employee Security Practices

  • All employees and contractors sign confidentiality agreements before receiving any system access.
  • Security and data-handling training is required as part of onboarding.
  • Access to production systems and customer data is granted on a least-privilege, need-to-know basis.

9. Report a Security Issue

If you believe you have found a security vulnerability in the Unorma platform, please report it to security@unorma.com with enough detail to reproduce the issue. We ask that you make a good-faith effort to avoid privacy violations, data destruction, and service disruption during your research, and that you give us reasonable time to investigate and remediate before any public disclosure. We will not pursue legal action against researchers who report vulnerabilities in good faith and in accordance with this policy.

10. Compliance Documentation

Our security program is under continuous development as the company grows. Enterprise and Agency customers can request our current security questionnaire, sub-processor list, and Data Processing Agreement by emailing security@unorma.com.

11. Your Responsibilities

Security is shared. You are responsible for safeguarding your account credentials, enabling available account-security features, configuring user permissions appropriately within your organization, and promptly notifying us at security@unorma.com if you suspect unauthorized access to your account.