Security

Effective: March 26, 2026·Version 1.1

At Inori, security is foundational to everything we build. This page describes the measures we take to protect your data and maintain the integrity of our platform.

Encryption

In transit. All data transmitted between your browser and Inori's servers is encrypted using TLS 1.3. We enforce HTTPS on all endpoints.

At rest. All data stored in our database and file storage is encrypted using AES-256 encryption provided by our cloud infrastructure providers.

Access Controls

Role-based access. Your organization's data is isolated using row-level security. Each user has a role (admin, manager, auditor, or viewer) with granular permissions controlling what actions they can perform.

API key authentication. For programmatic access, Inori supports API keys with SHA-256 hashed storage. Raw keys are never stored. Keys can be scoped and revoked at any time.

Audit logging. All mutations to your data are logged with timestamps, user identity, and change details. Audit logs are retained for the life of your account.

Infrastructure

Hosting. Inori is hosted on Google Cloud Platform (Firebase Hosting for the application layer, Cloud Run for server-side rendering). Infrastructure operates within the United States.

Network security. Database access is restricted to application servers only. No direct public access is permitted.

AI processing. Certificate analysis is performed using Anthropic's Claude API. Documents are sent via encrypted API calls and are not retained by the AI provider after processing. See Anthropic's data usage policy for details.

Compliance

GDPR. We process data in compliance with the General Data Protection Regulation. See our Data Processing Agreement for details.

CCPA. We comply with the California Consumer Privacy Act. See our Privacy Policy for details.

Vulnerability Management

Automated scanning. We run automated vulnerability scans against our codebase and dependencies on every deployment. Critical vulnerabilities are patched promptly.

Dependency monitoring. We monitor all third-party dependencies for known vulnerabilities and apply security patches as they become available.

Incident Response

In the event of a security incident, we commit to:

Notification — Affected customers notified within 72 hours of a confirmed data breach.
Transparency — Written post-mortem with root cause analysis shared with affected parties.

Responsible Disclosure

If you discover a security issue, please report it to ask@askinori.com. We commit to:

Acknowledging your report within 5 business days.
Providing a timeline for remediation.
Not pursuing legal action against researchers who act in good faith.

Contact

For security questions or to report a vulnerability, contact ask@askinori.com.