Security & Data Protection

At Norelum, we take security and data protection seriously. We apply structured information security practices to ensure that client data is handled responsibly and securely.

Our Approach

We follow internationally recognized information security principles and continuously work to improve our security practices.

Our approach is based on:

  • Risk-based security management
  • Least-privilege access control
  • Clear separation of responsibilities
  • Secure-by-design development practices

Access Control

  • Access to client environments is granted strictly on a need-to-know basis
  • Multi-factor authentication (MFA) is enforced on business-critical systems
  • Access rights are reviewed periodically
  • Access is removed upon project completion or termination of services

Infrastructure & Hosting

Where hosting or infrastructure management is part of our services, we work with reputable cloud providers.

Security measures include:

  • Encrypted communication (TLS)
  • Role-based access control
  • Environment separation (production, staging)
  • Logging where applicable

Unless explicitly agreed otherwise, clients retain control over their own hosting environments.

Data Processing & GDPR

Where we process personal data on behalf of our clients, we act as a data processor under the General Data Protection Regulation (GDPR).

In such cases:

  • A Data Processing Addendum (DPA) is signed
  • We process personal data only on documented instructions
  • We implement appropriate technical and organisational measures
  • We notify clients without undue delay in the event of a data breach

If we do not process personal data in the context of a project, no DPA applies.

Subprocessors

We may engage carefully selected subprocessors to deliver our services (e.g. cloud hosting or development infrastructure providers). For clients, an up-to-date list of subprocessors can be made available upon request. All subprocessors are contractually bound to meet applicable data protection requirements.

Incident Response

We maintain an internal incident response process to:

  • Detect and assess security incidents
  • Contain and mitigate impact
  • Notify affected clients where required
  • Implement corrective measures

Responsible Disclosure

If you believe you have discovered a security vulnerability in one of our systems or projects, please contact us at: hello@norelum.com. We appreciate responsible disclosure and will investigate promptly.

Contact

For security or data protection inquiries, please contact: hello@norelum.com.