Trust & security
Security and evidence integrity, by design
Our buyers are standards bodies, boards and auditors — people who weigh evidence and data handling for a living. So security isn't a footnote here; it's the product. This page sets out what we do today and what we're building toward.
Evidence integrity
Every takedown we file is backed by a record built to stand up to a host, a registrar, and a court. When we confirm an unauthorized copy, we preserve it before it can disappear:
- Immutable snapshots. We capture the infringing page as it existed, so the evidence survives even after the live copy is removed.
- Cryptographic proof. Each captured artifact is fingerprinted with a SHA-256 hash, so any later alteration is detectable.
- Source and timing. Every case carries the source URL, the HTTP response, and a timestamp — a chain of custody from detection to removal.
- Matched passage. Each notice carries the specific passage that ties the copy to your standard, not just a filename match.
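As an added illustration (not NormScan's own code), here is one way the snapshot, SHA-256 fingerprint, source URL, HTTP response and timestamp listed above can be bound into a single tamper-evident evidence record; the URL, headers, body and time are constructed placeholders, and the record layout is an assumption, not the product's actual format:

```python
import hashlib
import json

# Constructed sample capture (not a real page): the body and HTTP metadata that
# would be preserved at the moment an unauthorized copy is confirmed.
SAMPLE_URL = "https://example.invalid/uploads/standard-copy.pdf"
SAMPLE_STATUS = 200
SAMPLE_HEADERS = {"content-type": "application/pdf",
                  "last-modified": "Mon, 01 Jan 2024 00:00:00 GMT"}
SAMPLE_BODY = b"%PDF-1.4\n% constructed placeholder body\n"
SAMPLE_TIME = "2024-01-02T03:04:05Z"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(meta: dict) -> bytes:
    # Deterministic serialization so the same metadata always hashes the same.
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()


def build_record(url, status, headers, body, captured_at):
    """Build a chain-of-custody record: source/timing metadata plus the artifact
    fingerprint, then a second hash over the metadata so the record itself is
    tamper-evident (altering the timestamp or URL is detectable, not only the body)."""
    record = {
        "source_url": url,
        "http_status": status,
        "http_headers": dict(sorted(headers.items())),
        "captured_at": captured_at,
        "artifact_sha256": sha256_hex(body),
    }
    record["record_sha256"] = sha256_hex(_canonical(record))
    return record


def verify_record(record, body):
    """Return (ok, reason): checks the metadata against record_sha256, then the
    preserved body against artifact_sha256."""
    meta = {k: v for k, v in record.items() if k != "record_sha256"}
    if sha256_hex(_canonical(meta)) != record.get("record_sha256"):
        return False, "metadata altered"
    if sha256_hex(body) != record["artifact_sha256"]:
        return False, "artifact altered"
    return True, "intact"
```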
Data minimization
The most secure data is the data we never hold. NormScan is built to need very little from you: the catalogue of standards you want protected, and a contact to report to. We do not need, ask for, or store your members' data, your customer lists, or your internal business systems. A smaller footprint is a smaller risk — to you and to us.
Hosting, encryption and residency
- In transit. All traffic to and from our systems is encrypted using current TLS.
- At rest. Stored data and evidence artifacts are encrypted at rest.
- Residency. We host within the European Union and keep client data in-region, with processing arrangements set out in our Data Processing Agreement.
Access control and operations
- Least-privilege, role-based access — staff see only what their work requires.
- Multi-factor authentication on systems that hold client or evidence data.
- Access and enforcement actions are logged and auditable.
- Regular, encrypted backups of case records and evidence.
- A defined incident-response process, with prompt notification to affected clients.
Confidential methods
Our detection is purpose-built to read your standards themselves, not just match filenames. The exact methods stay under the hood — that confidentiality is part of why the discovery works, and it protects you as much as it protects us. What you receive is the result: a documented, provable case for every copy we surface.
Vendors and subprocessors
We rely on a small, vetted set of service providers (for example, cloud hosting and communications). Each is bound by data-protection terms consistent with this page and our Data Processing Agreement, under which a current list of subprocessors is available to clients on request.
Compliance and roadmap
We operate in line with the GDPR today, and a Data Processing Agreement is available to every client. We are deliberately transparent about where we are on formal certification:
- Available now. GDPR-aligned processing and a signable Data Processing Agreement.
- In progress. We are working toward ISO/IEC 27001 and SOC 2. We will publish these here when they are achieved, with the certificate or report available under NDA — not before.
We would rather tell you exactly where we stand than display a badge we haven't earned.
Responsible disclosure
If you believe you've found a security issue in our systems, please tell us before disclosing it publicly. Email j.mota@normscan.com with the details and how to reproduce it. We'll acknowledge your report and keep you updated as we investigate.
Questions
For a security review, a data-protection questionnaire, or our DPA, write to j.mota@normscan.com and we'll respond directly.