Security
How we protect your data and keep Noarka secure.
Security Practices
Encryption at Rest
All data stored in our databases is encrypted at rest using AES-256. This includes user profiles, session data, audit logs, and all other sensitive information.
Encryption in Transit
Every connection to Noarka is encrypted with TLS 1.3. We enforce HTTPS across all endpoints and send HSTS headers so that browsers refuse to fall back to plaintext HTTP, which blocks SSL-stripping downgrade attacks.
Secure Authentication
Passwords are hashed with bcrypt and never stored in plain text. We support multi-factor authentication (TOTP) and use secure, HttpOnly cookies with the __Secure- prefix.
Rate Limiting & Brute Force Protection
Auth endpoints are rate-limited per IP. After repeated failed login attempts, accounts are temporarily locked to prevent brute force attacks.
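The per-IP rate limit and the temporary account lockout described above, as an added worked example in JavaScript. This is illustrative code, not Noarka's implementation: the thresholds, the window length, the lockout duration and the in-memory maps are assumptions chosen for the example, and the password check is injected so the code runs without a credential store.

```javascript
// Added example (not Noarka's code): per-IP rate limiting plus per-account temporary lockout.
// All thresholds below are assumptions for the example, not Noarka's production values.
const IP_WINDOW_MS = 60 * 1000;          // assumed: fixed 60 second window per IP
const IP_MAX_PER_WINDOW = 10;            // assumed: at most 10 auth requests per window
const LOCK_AFTER_FAILURES = 5;           // assumed: lock after 5 consecutive failures
const LOCK_DURATION_MS = 15 * 60 * 1000; // assumed: 15 minute lockout

const ipWindows = new Map(); // ip -> { windowStart, count }   (a real deployment would use a shared store)
const accounts = new Map();  // email -> { failures, lockedUntil }

// Fixed-window counter: the first request in a new window resets the count.
function ipAllowed(ip, now) {
  const w = ipWindows.get(ip);
  if (!w || now - w.windowStart >= IP_WINDOW_MS) {
    ipWindows.set(ip, { windowStart: now, count: 1 });
    return true;
  }
  w.count += 1;
  return w.count <= IP_MAX_PER_WINDOW;
}

// Returns 'rate_limited', 'locked', 'invalid' or 'ok'. The IP check runs first (cheapest),
// then the lockout check, and only then is the password verified, so a locked account
// cannot keep being guessed at and a correct guess during the lockout is still refused.
function attemptLogin(ip, email, password, verifyPassword, now = Date.now()) {
  if (!ipAllowed(ip, now)) return 'rate_limited';
  const acct = accounts.get(email) || { failures: 0, lockedUntil: 0 };
  if (acct.lockedUntil > now) return 'locked';
  if (verifyPassword(email, password)) {
    accounts.set(email, { failures: 0, lockedUntil: 0 }); // success clears the failure counter
    return 'ok';
  }
  acct.failures += 1;
  if (acct.failures >= LOCK_AFTER_FAILURES) {
    acct.failures = 0;                        // counter restarts once the lock expires
    acct.lockedUntil = now + LOCK_DURATION_MS;
  }
  accounts.set(email, acct);
  return acct.lockedUntil > now ? 'locked' : 'invalid';
}
```

One practical caveat: a per-account lockout is also a denial-of-service lever, since anyone who knows a victim's e-mail can trigger it; the per-IP limit and a short lockout window limit how much damage that does.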
Session Management
Sessions expire after 7 days. Suspicious activity triggers automatic session revocation. Admins can view and revoke any session from the dashboard.
Infrastructure
Hosted on Vercel (edge network) with Neon (PostgreSQL). All providers are SOC 2 compliant. We run on isolated environments with automated deployments.
Authentication & Access
Noarka uses a custom OAuth 2.0-based SSO system. When you sign in, your credentials are verified and a short-lived authorization code is generated. This code is exchanged for a signed JWT (HMAC-SHA256) that contains your user ID, email, and role.
JWTs are stored in HttpOnly cookies and expire after 7 days. The cookie is set with the Secure attribute, which the __Secure- prefix obliges browsers to enforce, so it is never sent over plaintext HTTP (where a man-in-the-middle could read it) and a non-HTTPS origin cannot set or overwrite it.
Multi-factor authentication (MFA) is available for all accounts. We support TOTP-based authenticator apps. When enabled, a second verification step is required during sign-in.
Data Protection
Database: PostgreSQL on Neon with encryption at rest. Connection pooling via Prisma. Automated backups.
File Uploads: Stored in the application directory with access controls. Uploads are validated by file type and size (max 10MB).
Payment Data: Card details are tokenised by Stripe. We never store raw card numbers, CVVs, or full expiration dates. Only the last four digits and card brand are retained.
Passwords: Hashed with bcrypt (cost factor 12). We cannot see or recover your password. Password reset links expire after 1 hour and are single-use.
Monitoring & Logging
We maintain comprehensive audit logs for all security-sensitive actions including:
- Login and logout events (with IP and user agent)
- Password changes and 2FA setup/disable
- Profile and settings changes
- Product access grants and revocations
- Admin actions (user management, product changes)
Suspicious login attempts are tracked by IP and email. Known devices are remembered, and new device logins trigger additional verification.
Incident Response
In the event of a security incident, we follow these steps:
- Identify and contain the issue
- Assess the scope and impact
- Notify affected users promptly
- Remediate the root cause
- Document and review to prevent recurrence
If you discover a security vulnerability, please report it to security@noarka.com. We take all reports seriously and will respond within 48 hours.
Compliance
Noarka is designed with privacy and security in mind. We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988. Our infrastructure providers (Vercel, Neon, Stripe) are SOC 2 Type II compliant.
We do not sell personal data. We do not use your data to train AI models. You can request deletion of your account and all associated data at any time.