Security

Last Updated: March 19, 2026

Security is foundational to everything we build. Nobris handles sensitive compliance data, and we treat that responsibility seriously. This page describes how we protect your data and our approach to security.

1. Security Architecture

1.1 Encryption

  • In transit: All data transmitted between your browser and Nobris is encrypted via HTTPS/TLS 1.2+ with modern cipher suites
  • At rest: Stored data is encrypted using AES-256 encryption on all database volumes and backups
  • Passwords: User passwords are hashed using bcrypt with per-user salts. We never store plaintext passwords and cannot recover them

1.2 Infrastructure

  • Hosted on enterprise-grade cloud infrastructure with SOC 2-compliant providers
  • Network-level isolation between services
  • Automated security patching and system updates
  • DDoS protection and rate limiting at the edge
  • Regular infrastructure vulnerability scanning

1.3 Application Security

  • OWASP Top 10 protections built into the development lifecycle
  • Input validation and output encoding to prevent injection attacks
  • CSRF protection on all state-changing operations
  • Content Security Policy (CSP) headers to prevent XSS
  • Strict CORS configuration

2. Data Protection

2.1 Minimal Data Collection

Our primary security control is collecting less data. Screening queries are processed in-memory and never persisted to disk or database. This means there is no query history to breach, subpoena, or leak.

2.2 Access Controls

  • Role-based access control (RBAC) for all internal systems
  • Principle of least privilege for all service accounts and team members
  • Multi-factor authentication required for all internal administrative access
  • Audit logging on all administrative actions

2.3 Data Isolation

Customer data is logically isolated. No customer can access another customer’s data, reports, or screening results. Enterprise customers with on-premise deployments maintain full physical data isolation.

3. Incident Response

3.1 Detection & Response

We maintain an incident response plan that includes:

  • Automated monitoring and alerting for anomalous activity
  • Defined severity levels and escalation procedures
  • Designated incident response team with clear roles
  • Post-incident review and remediation process

3.2 Breach Notification

In the event of a confirmed security breach involving personal data:

  • Affected users will be notified within 72 hours of confirmation
  • Regulatory authorities will be notified as required by applicable law (GDPR, state breach notification laws)
  • Notification will include: what happened, what data was involved, what we’re doing about it, and what you can do

4. Vulnerability Disclosure

We welcome responsible security research. If you discover a vulnerability in Nobris:

4.1 How to Report

  • Email: security@nobris.dev
  • Include a description of the vulnerability, steps to reproduce, and any proof-of-concept
  • Use reasonable efforts to avoid data destruction, service disruption, or accessing others’ data

4.2 Our Commitments

  • We will acknowledge your report within 2 business days
  • We will provide an initial assessment within 5 business days
  • We will not take legal action against researchers acting in good faith
  • We will credit researchers (with permission) when vulnerabilities are resolved

4.3 Scope

In scope: nobris.dev, app.nobris.dev, API endpoints, and associated infrastructure. Out of scope: third-party services, social engineering of staff, physical security, and denial-of-service testing.

5. Compliance & Audits

  • Data handling: Compliant with GDPR and CCPA requirements for data subject rights, retention, and consent
  • Government data: All indexed screening lists are public domain U.S. government data, handled in compliance with applicable redistribution terms
  • Regular audits: We conduct periodic internal security assessments and engage third-party auditors for independent review
  • Employee training: All team members complete security awareness training

6. Business Continuity

  • Automated daily backups with geographic redundancy
  • Disaster recovery procedures with defined recovery time objectives
  • Regular backup restoration testing
  • Service status monitoring with public status page

7. Contact

For security concerns, vulnerability reports, or questions about our security practices:

If you suspect unauthorized access to your account, contact security@nobris.dev immediately.