Security & Trust

Built for trust, designed for compliance

NordenVault is designed from the ground up to protect your data. From physical data centre location to credential scoping, every decision prioritises security and your right to control your own data.

Data residency in Europe

All customer backup data is stored exclusively in data centres located in the European Union.

  • European jurisdiction

    Your data is stored within the EU and is subject to GDPR. You benefit from robust European data protection law.

  • Physical security

    Our data centre partners maintain on-site security, access controls, redundant power systems, and environmental monitoring.

  • No data leaves Europe

    Backup data is never transferred outside of the EU unless you explicitly initiate a download or restore to a location of your choosing.

🇪🇺 European Union: all data stored here. EEA / GDPR compliant.

Architecture overview

NordenVault separates the control plane from the storage plane. Your backup data and your account management traffic travel different paths with different security profiles.

Control Plane

The control plane handles account management, billing, credential issuance, monitoring, and the web dashboard.

  • Secure authentication via WorkOS AuthKit
  • Session management with automatic expiry
  • Plan-based usage limits and quota enforcement

Storage Plane

The storage plane handles the actual backup data. Your clients connect directly to S3-compatible endpoints using scoped credentials. Data is written to object storage in the EU.

  • Direct S3 protocol connection
  • Per-source scoped credentials
  • Encryption at rest (AES-256)

Encryption at every layer

Your data is protected at rest and in transit. For maximum security, we fully support client-side encryption.

In Transit

All connections use TLS encryption. S3 endpoints enforce HTTPS and reject unencrypted connections.

At Rest

All objects stored on our platform are encrypted at rest using AES-256 by our storage infrastructure provider.

Client-Side (Zero Knowledge)

Tools like restic encrypt data before it leaves your machine. When using client-side encryption, NordenVault never sees your plaintext data or your encryption keys.

Access control & credential scoping

Every backup source gets its own set of credentials with least-privilege access. This limits the blast radius of a compromised key and makes it easy to revoke access to individual sources without affecting the rest of your account.

  • Per-source credentials

    Each backup source receives its own access key and secret key, scoped to a single bucket. One key cannot access another source's data.

  • Credential rotation

    Rotate credentials at any time from the dashboard. New keys are issued immediately and old keys are revoked.

  • Instant revocation

    If a key is compromised, revoke it immediately from the dashboard.

# Each source gets scoped credentials
source: web-server-01
access_key: OC_SRC_a1b2c3...
bucket: org-backups
prefix: /web-server-01/
permissions: [PUT, GET, LIST, DELETE]
scope: prefix-only
# This key cannot access any other source's data
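
The scope record above, worked through as an added example (not NordenVault's code or API): a Python sketch that evaluates prefix-scoped credentials and audits a set of them for overlap. It assumes scope records with the same field names as the snippet; the sources, prefixes and function names are constructed for illustration.

```python
# Added illustration: scope records reuse the field names from the snippet above;
# the sources, prefixes and function names are constructed, not NordenVault's API.
SCOPES = [
    {"source": "web-server-01", "bucket": "org-backups", "prefix": "/web-server-01/",
     "permissions": {"PUT", "GET", "LIST", "DELETE"}},
    {"source": "web-server-010", "bucket": "org-backups", "prefix": "/web-server-010/",
     "permissions": {"PUT", "GET", "LIST", "DELETE"}},
    {"source": "db-01", "bucket": "org-backups", "prefix": "/db-01",  # no trailing slash
     "permissions": {"PUT", "GET"}},
    {"source": "db-01-replica", "bucket": "org-backups", "prefix": "/db-01-replica/",
     "permissions": {"GET", "LIST"}},
]

def canonical(prefix):
    """Normalise a prefix to a leading slash and exactly one trailing slash."""
    return "/" + prefix.strip("/") + "/"

def is_allowed(scope, method, bucket, key, strict=True):
    """Decide whether a request falls inside one credential's scope.

    strict=True matches on the canonical prefix (trailing slash kept).
    strict=False matches the prefix exactly as written, to show the pitfall.
    """
    if method not in scope["permissions"] or bucket != scope["bucket"]:
        return False
    prefix = canonical(scope["prefix"]) if strict else scope["prefix"]
    return ("/" + key.lstrip("/")).startswith(prefix)

def overlapping_sources(scopes, strict=True):
    """Return (a, b) pairs where a's prefix, as matched, also covers b's data."""
    pairs = []
    for a in scopes:
        for b in scopes:
            if a is b or a["bucket"] != b["bucket"]:
                continue
            pa = canonical(a["prefix"]) if strict else a["prefix"]
            if canonical(b["prefix"]).startswith(pa):
                pairs.append((a["source"], b["source"]))
    return pairs
```

Running `overlapping_sources` with `strict=False` over a credential inventory flags any prefix stored without its trailing slash that would also match a sibling source.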

Compliance & regulatory

NordenVault is built to support your compliance requirements, not create new ones.

GDPR

Data stored in the EU (EEA). We act as a data processor under GDPR. We support data subject access requests and the right to erasure. Contact us for a Data Processing Agreement.

Data Sovereignty

For organisations that must keep data within a specific jurisdiction, NordenVault provides guaranteed EU data residency. No data replication to other regions occurs without your explicit configuration.

Questions about security?

If you have specific security questions or want to discuss your organisation's compliance requirements, our team is here to help.