Security and data
How we look after your work
We're a small UK company that takes your data seriously. Below is the plain version of where your data lives, who can see it, what we do with the AI features, and what happens if something goes wrong. If you have a more specific question, email security@narcove.com and we'll get back to you.
The basics
Where your data lives and how it's protected
EU hosting. Your data lives in Frankfurt with backups in London. We don't replicate to the US. Customer data stays in the EU/UK unless you ask us to move it.
Encrypted everywhere. TLS 1.2+ in transit. AES-256 at rest. Separate keys for backups. Database connections inside our infrastructure also encrypted. None of this is a paid feature.
Daily backups, tested restore. Snapshot every day, 30-day retention. Point-in-time recovery for the last seven days. We test the restore procedure quarterly. Backups encrypted with keys held separately from the active database.
Authentication via Supabase. Email + magic-link, Google, GitHub, and SAML SSO on Team. Passwords (where used) hashed with bcrypt and a per-user salt. No password is stored or logged in plaintext anywhere.
AI and your data
What happens when you click Sparkles
When you use Soundings or Plan-with-AI, we send the relevant card data — titles, descriptions, tags, durations of similar past cards — to Anthropic's Claude API. Claude returns a guess or a graph. We write the answer to your workspace and discard the response. Anthropic doesn't retain the data and contractually can't train on it.
We don't train models ourselves. We don't share your data with other customers. Aggregated metrics — how often features are used, how many cards are typically estimated — yes, we look at those. Card content? Never.
You can turn off AI features per workspace in settings. The non-AI parts of the product all work without them. The free tier doesn't use AI by default.
Compliance
What we do and don't have
UK GDPR — yes. We follow UK GDPR and ICO guidance. Privacy policy is at /legal/privacy. DSARs accepted at security@narcove.com.
DPA — on request. Team customers can ask for our DPA template. We can also sign yours if it's reasonable. Get in touch.
SOC 2 — not yet. We're small enough that a SOC 2 audit is more than we can justify right now. We follow the controls from the trust services criteria where they make sense, but we don't have a Type II report. If this is a hard requirement for you, talk to us — there are usually pragmatic alternatives.
ISO 27001 — also not yet. Same reason. On the same list of things we'll pursue when there's sensible scale to support it.
Penetration testing. We commission an independent pentest annually. Latest report available under NDA. Vulnerabilities are tracked and patched on a defined SLA.
If something goes wrong
How we handle incidents
We have an incident response runbook. We rehearse it. If we confirm a breach affecting your data, we tell you within 72 hours — that's the UK GDPR requirement and we treat it as a floor, not a ceiling. The notification covers what happened, what data was involved, and what we're doing to address it.
For service outages (everything still works, but slower or briefly down), status is at status.narcove.com. We post incident reports for anything over 5 minutes of downtime, including a postmortem within a week.
If you find a vulnerability in our software, please email security@narcove.com with the details. We respond within 24 hours. We don't pay bug bounties yet but we credit researchers in our security log.
FAQ
Security questions we get asked a lot
Where is my data stored?
Your data lives in EU datacentres with a backup in the UK. The primary database is in Frankfurt; backups go to London. We don't move customer data out of the EU/UK without explicit consent.
Is the connection encrypted?
Yes. Every page on app.narcove.com and narcove.com is served over TLS 1.2 or higher. Data in the database is encrypted at rest using AES-256. Backups are encrypted with separate keys.
Do you train AI models on my data?
No. Your cards stay in your workspace. When you use Soundings or Plan-with-AI we send the relevant card data to Claude for one inference, then drop it. We don't train, fine-tune, or retain anything beyond what you can see in your own logs. Anthropic's API contract prevents them from training on the data we send them.
Who can see my data inside Narcove?
You and the people you invite to your workspace. We have a small ops team that can access production for incident response — that access is logged and reviewed quarterly. We don't look at customer data for product development. Aggregated metrics (how many cards, how many projects) yes; the contents of your cards, no.
Can I delete my data?
Yes. Delete a card and it's removed from the app immediately and from backups within 30 days. Delete your workspace and the same applies. Data export is available before deletion: CSV per project, JSON for the whole workspace.
Are you UK GDPR compliant?
Yes. We follow UK GDPR and ICO guidance. We have a published privacy policy at /legal/privacy and accept Data Subject Access Requests via security@narcove.com. We respond within 30 days, usually faster.
Do you sign DPAs?
Yes — Team customers can request a Data Processing Agreement. Get in touch and we'll send our standard template. We can sign yours if it's reasonable.
What happens if there's a breach?
We notify affected customers within 72 hours of confirming a breach, per UK GDPR. The notification includes the nature of the breach, the data involved, and the steps we're taking. We also notify the ICO. We have an incident response runbook and rehearse it.
How are passwords stored?
We don't handle passwords directly — authentication goes through Supabase Auth, which uses bcrypt with per-user salts. We support email + magic-link, OAuth (Google, GitHub), and SSO via SAML on Team.
Do you have SOC 2?
Not yet. We're a small team and SOC 2 is expensive. We follow the controls from the SOC 2 trust services criteria where they're sensible, but we don't have an audit. If SOC 2 is a hard requirement for you, get in touch and we can talk about timeline.
What about backups?
Daily snapshots, retained 30 days. Point-in-time recovery for the last 7 days. Backups encrypted with separate keys. We test restore quarterly.
How do you handle subprocessors?
Stripe (billing — UK/US, GDPR-compliant), Anthropic (AI inference — US, no retention), Supabase (database hosting — EU), Cloudflare (CDN — global, no data passing through). Full subprocessor list available on request.
Got a question we haven't answered? Email security@narcove.com.