Security

How we handle your data.

nordenagent connects to your Meta Ads, Stripe, Shopify and analytics accounts. That trust is the whole product. Here's how we earn it — concretely.

Credentials & secrets

Every third-party credential you connect — Meta access tokens, Stripe keys, OpenRouter / Anthropic / OpenAI keys, Shopify and WooCommerce keys — is encrypted at rest in Supabase Vault. They are never written to plaintext database columns or environment files in your workspace.

  • Vault-encrypted at rest, decrypted only at the moment of use
  • Reads are rate-limited and logged to a tamper-evident secret_access_log table
  • On a 401/403 from any third-party API, the credential is auto-flagged broken and you get an in-product re-auth prompt
  • Account deletion wipes Vault entries alongside your row data

Workspace isolation

nordenagent is multi-tenant. Every customer-facing table is scoped by a workspace_id column with PostgreSQL row-level security (RLS) policies that explicitly check membership. Cross-workspace reads and writes are rejected at the database, not just in app code.

  • RLS policies on every workspace-scoped table — defence-in-depth even if app code has a bug
  • Service-role database access is restricted to webhook handlers and out-of-band scripts; user-facing routes only use the user-scoped client
  • End-to-end smoke tests verify cross-workspace inserts and reads are rejected
  • Storage buckets enforce path-prefix isolation (the workspace UUID is the first segment of every object key)

Authentication

Authentication runs on Supabase Auth with email + password and OAuth providers. We support optional TOTP two-factor authentication and gate sensitive operations behind elevated AAL.

  • Opt-in TOTP MFA using any standard authenticator app (1Password, Authy, Google Authenticator)
  • Password change requires re-authenticating with the current password — a stolen cookie alone can't take over the account
  • Email change sends verification to both the old and new addresses
  • Sessions stored as httpOnly secure cookies, scoped to the apex domain

Network & transport

Every request to nordenagent.com is served over TLS 1.2+. We submit nordenagent.com to the HSTS preload list and ship a strict Content-Security-Policy on every page.

  • HSTS with includeSubDomains and preload directives
  • X-Frame-Options: DENY (no clickjacking surface)
  • Content-Security-Policy locking script, style and connect sources to known origins
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera, microphone, geolocation, FLoC all disabled

Webhook & integration safety

Every inbound webhook is signature-verified before any state change. Our outbound media-fetch path is hardened against SSRF — it refuses private and link-local addresses and follows redirects through the same allow-list.

  • Stripe webhooks are signature-verified with the raw request body and idempotency-protected via a stripe_events dedupe table
  • Slack interactivity payloads are signing-secret verified
  • Internal cron endpoints sit behind a webhook secret header and a secondary auth check
  • Outbound URL fetches use an SSRF allow-list — private IPs, link-local, and metadata addresses are blocked
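An added example (not nordenagent's own code) of the guard this section describes: a scheme check, blocking of private, link-local and metadata IPv4 ranges, and manual redirect following that re-validates every hop. The resolver and HTTP client are injected parameters, an assumption made so the example runs offline; it covers IPv4 answers only and treats anything else as blocked.

```javascript
// Added example, not nordenagent's code. Resolver and HTTP client are injected
// (assumption) so the guard runs offline; non-IPv4 answers are treated as blocked.

// True if a dotted-quad IPv4 address must not be fetched.
function isBlockedIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return true;                           // not a plain IPv4 literal
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((o) => o > 255)) return true;
  return (
    a === 0 ||                                   // 0.0.0.0/8
    a === 10 ||                                  // 10.0.0.0/8 private
    a === 127 ||                                 // loopback
    (a === 169 && b === 254) ||                  // link-local, incl. 169.254.169.254 metadata
    (a === 172 && b >= 16 && b <= 31) ||         // 172.16.0.0/12 private
    (a === 192 && b === 168) ||                  // 192.168.0.0/16 private
    (a === 100 && b >= 64 && b <= 127) ||        // 100.64.0.0/10 shared address space
    a >= 224                                     // multicast and reserved
  );
}

// Validate one hop: scheme first, then every address the hostname resolves to.
async function assertAllowedTarget(urlString, resolve) {
  const url = new URL(urlString);
  if (!/^https?:$/.test(url.protocol)) throw new Error(`scheme not allowed: ${url.protocol}`);
  const literal = /^\d{1,3}(\.\d{1,3}){3}$/.test(url.hostname);
  const addrs = literal ? [url.hostname] : await resolve(url.hostname);
  if (addrs.length === 0) throw new Error(`unresolvable host: ${url.hostname}`);
  for (const ip of addrs) if (isBlockedIPv4(ip)) throw new Error(`blocked address ${ip} for ${url.hostname}`);
  return url;
}

// Follow redirects by hand so each Location target passes the same allow-list.
async function fetchGuarded(urlString, { resolve, fetchImpl, maxRedirects = 3 }) {
  let current = urlString;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const url = await assertAllowedTarget(current, resolve);
    const res = await fetchImpl(url.href, { redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status >= 300 && res.status < 400 && location) {
      current = new URL(location, url).href;     // relative Location resolves against this hop
      continue;
    }
    return res;
  }
  throw new Error('too many redirects');
}
```

In production the `resolve` parameter would wrap something like `dns.promises.resolve4` and `fetchImpl` the global `fetch`; DNS is resolved once per hop here, so a resolver that pins the answer for the actual connection is still needed to close the rebinding window.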

Observability without leaking secrets

Errors and traces are sent to Sentry with a beforeSend hook that scrubs anything that looks like a secret before it leaves the box. Authorization, Cookie, Set-Cookie and supabase headers are redacted at the SDK level.

  • Regex scrubbing for sk_*, re_*, EAAG*, JWT-shaped tokens, Bearer auth headers, and password=… query strings
  • Request bodies and query strings rebuilt without secret-shaped values before capture
  • All app log.warn/log.error calls bridge to Sentry breadcrumbs/exceptions with the same scrubbing applied
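An added example (not nordenagent's code) of the beforeSend scrubbing this section describes: the secret-shaped patterns listed above are redacted in every string of the event, and Authorization, Cookie, Set-Cookie and supabase-named headers are dropped by name. The sample event is constructed for the example; the hook is plugged in with `Sentry.init({ beforeSend })`.

```javascript
// Added example, not nordenagent's code: a Sentry beforeSend hook that redacts
// secret-shaped values before an event leaves the process.

const SECRET_PATTERNS = [
  /\bsk_[A-Za-z0-9_]{8,}/g,                                   // sk_* secret keys
  /\bre_[A-Za-z0-9_]{8,}/g,                                   // re_* API keys
  /\bEAAG[A-Za-z0-9]{8,}/g,                                   // EAAG* Meta access tokens
  /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g,     // JWT-shaped tokens
  /(?<=\bBearer\s+)[A-Za-z0-9._~+/=-]+/gi,                    // value after "Bearer "
  /(?<=[?&]password=)[^&\s]*/gi,                              // password=... in query strings
];
// Keys redacted outright wherever they appear (headers are the usual place).
const REDACTED_HEADERS = /^(authorization|cookie|set-cookie|.*supabase.*)$/i;

// Replace every secret-shaped substring in a string with [REDACTED].
function scrubString(value) {
  let out = value;
  for (const re of SECRET_PATTERNS) out = out.replace(re, '[REDACTED]');
  return out;
}

// Walk the event without mutating it: strings are scrubbed, sensitive keys dropped.
function scrubValue(value, key = '') {
  if (typeof value === 'string') return REDACTED_HEADERS.test(key) ? '[REDACTED]' : scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v));
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, scrubValue(v, k)]));
  }
  return value;
}

// Sentry calls beforeSend(event, hint) and transmits whatever it returns.
function beforeSend(event, _hint) {
  return scrubValue(event);
}

// Constructed sample event (not a real capture) with secret-shaped values planted in it.
const SAMPLE_EVENT = {
  message: 'stripe call failed with Bearer sk_live_EXAMPLE0123456789 and token eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ4In0.c2lnbmF0dXJl',
  request: {
    url: 'https://nordenagent.com/api/sync',
    query_string: 'user=alice&password=hunter2',
    headers: { Authorization: 'Bearer sk_live_EXAMPLE0123456789', Cookie: 'sb=abc', 'X-Supabase-Auth': 'x', Accept: '*/*' },
    data: { note: 'rotate EAAGabcdefghijklmnop', plan: 'pro' },
  },
};
```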

Data location & backups

Customer data lives in PostgreSQL on Supabase. Daily database backups are taken from the host and stored encrypted at rest. We do not export customer data to third parties for analytics or training.

  • Daily automated dumps with encryption at rest
  • Sub-processor list maintained at /legal/subprocessors — every processor we use is named there
  • GDPR data-export and deletion endpoints exposed in /settings/account (JSON bundle export, full account wipe)
  • We never train AI models on your data or share it with model vendors beyond the inference call you initiated

Host & ops

Production runs on a hardened Linux host behind nginx. We layer fail2ban, unattended security upgrades, and a daily drift-monitor that alerts us to missing reports or stuck workflows.

  • Unattended security upgrades enabled with auto-reboot in a low-traffic window
  • fail2ban on SSH; the Next.js process runs under a non-privileged user
  • Daily drift-monitor cron that reports on missing daily reports, broken integrations, and stuck queues
  • Status of every customer-visible workflow exposed at /status

Reporting a vulnerability

If you believe you've found a security issue, email security@nordenagent.com with reproduction steps. We aim to acknowledge within one business day and patch validated reports within seven. Please don't disclose publicly until we've had a chance to ship a fix.

Out of scope: rate-limit complaints on public endpoints, denial-of-service findings, social engineering, missing security headers on assets served from third parties, and findings that require physical access to a customer's device.