Security
Last updated: May 12, 2026
Noura is built for sensitive employment-support work. This page states what is already true, what is still in progress, and how to report a concern.
Current security posture
Noura is suitable for controlled pilot review and internal testing. It is not yet certified for SOC 2, HIPAA, FedRAMP, or a formal enterprise security review. We will not claim those standards until they are actually complete.
Controls in place
- Live: Database tenant isolation. Supabase Postgres Row Level Security separates organizations and applies role-based access for founders, executive directors, caseworkers, and observers.
- Live: Least-privilege browser grants. Browser roles do not get direct access to service-only tables or secret columns. Sensitive server work runs through Edge Functions.
- Live: Server-side LLM proxy. API keys stay out of the browser. Per-organization keys are encrypted at rest, and usage is logged for review.
- Live: Authenticated protected pages. Dashboard, workspace, org dashboard, founder admin, add client, and org setup require sign-in.
- Live: Audit trail foundation. Meaningful account, invite, data, and workflow actions can be written to an append-only audit log.
- Live: PII restraint by design. Noura does not need social security numbers, immigration document numbers, bank details, or street addresses for its normal workflow.
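To make the first two controls concrete, here is an added example (not Noura's own schema or code) of Supabase Postgres Row Level Security that isolates tenants by organization and applies the four roles named above, plus a service-only table that browser roles cannot read. The table names, columns and role strings are assumptions; `auth.uid()`, `anon`, `authenticated` and `service_role` are standard Supabase objects.

```sql
-- Illustrative schema for this page's controls; hypothetical table names, not Noura's code.
create table org_memberships (
  user_id uuid not null references auth.users (id),
  org_id  uuid not null,
  role    text not null
    check (role in ('founder', 'executive_director', 'caseworker', 'observer')),
  primary key (user_id, org_id)
);

create table clients (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  name   text not null,
  notes  text
);
alter table clients enable row level security;

-- Does the signed-in user (auth.uid() from the Supabase JWT) hold one of the
-- allowed roles in this organization? Evaluated per row by the policies below.
create or replace function has_org_role(target_org uuid, allowed text[])
returns boolean language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from org_memberships m
    where m.user_id = auth.uid() and m.org_id = target_org and m.role = any (allowed)
  );
$$;

-- Tenant isolation: rows are visible only to members of the same organization.
create policy clients_select on clients for select to authenticated
  using (has_org_role(org_id, array['founder', 'executive_director', 'caseworker', 'observer']));

-- Role-based access: observers are read-only; writes need a working role, and the
-- with check clause stops a caseworker from moving a row into another organization.
create policy clients_write on clients for all to authenticated
  using (has_org_role(org_id, array['founder', 'executive_director', 'caseworker']))
  with check (has_org_role(org_id, array['founder', 'executive_director', 'caseworker']));

-- Service-only table: encrypted per-org LLM keys. RLS with no policies yields zero
-- rows for browser roles; the revoke also removes the table grant itself. Only the
-- service_role key used by Edge Functions (which bypasses RLS) can read it.
create table org_llm_keys (
  org_id        uuid primary key,
  encrypted_key bytea not null
);
alter table org_llm_keys enable row level security;
revoke all on org_llm_keys from anon, authenticated;
```

A quick check for this pattern is to sign in as an observer from one organization and confirm that a `select` against `clients` returns only that organization's rows and that an `insert` is rejected, while `select * from org_llm_keys` fails with a permission error.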
Controls in progress
- Next: Error monitoring. Sentry is not installed yet. Until it is, production browser errors may be invisible unless a user reports them.
- Next: Product analytics. PostHog is not installed yet. When added, it should avoid autocapture of form inputs and client text.
- Next: Backup and disaster recovery. Noura now has a written pilot runbook. The remaining decision is whether to upgrade Supabase for point-in-time recovery and run a successful restore drill.
- Next: Formal access reviews. Founder and staff roles should be reviewed on a schedule before a real multi-org pilot.
- Next: Security headers and CSP. The static site should add a stricter Content Security Policy after external scripts and fonts are finalized.
Known limits
- Noura is in pilot readiness work, not certified enterprise production.
- Noura does not provide legal, immigration, medical, tax, or benefits advice.
- AI outputs are drafts. Human review is required before a plan, report, resume, cover letter, job match, or retention recommendation is used.
- Live job-feed integrations are not connected yet. The current job-search workflow scores real postings that staff bring into the workspace.
Report a security issue
Email security@withnoura.com with the page, steps to reproduce, expected behavior, actual behavior, and any screenshot that does not reveal client information. If the issue involves client data exposure, write "urgent security" in the subject.
Responsible testing
Please do not access, modify, delete, export, or share data that is not yours. Do not run denial-of-service tests, social engineering, spam, or destructive scans. If you find something, report it and we will work with you.