Security at Claros
Security is architectural, not cosmetic. This page describes how Claros handles data, access, encryption, and compliance. For detailed questions or a security review, contact security@nordlabs.ai.
Data residency
Nordlabs AS is a Norwegian company registered in Oslo (Brønnøysundregistrene).
Claros SaaS applications are hosted on Hetzner Cloud infrastructure in EU data centers (Germany and Finland). No customer data is transferred to or stored in the United States as part of core platform operation.
When AI features are enabled, data may be processed by AI providers (Anthropic, OpenAI) for inference only. Customer data is not used for model training. See the sub-processor list for current providers and their data handling details.
Cortex is a local-first application. All data is stored in SQLite on the user's machine. No data leaves the device except through user-approved write actions to connected integrations.
Encryption
In transit
All connections use TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced on all endpoints.
At rest
Stored data is encrypted at the database level. OAuth tokens and API keys are additionally encrypted with Fernet, with the encryption keys stored in the operating system keychain (Cortex) or in managed key storage (SaaS).
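The following is an added illustration of the token-encryption pattern described above, not Claros or Nordlabs code: OAuth tokens are Fernet-encrypted before they are written to SQLite, and the Fernet key lives outside the database. The keychain is replaced by a constructed in-memory dict so the example runs offline; it requires the `cryptography` package.

```python
"""Fernet-encrypt OAuth tokens before they reach the SQLite store."""
import sqlite3
from typing import Dict, Optional
from cryptography.fernet import Fernet, InvalidToken

# Constructed stand-in for the OS keychain (Cortex) or managed key
# storage (SaaS). The key never lives inside the SQLite database.
_KEYCHAIN: Dict[str, bytes] = {}


def load_or_create_key(service: str = "example-token-key") -> bytes:
    """Return the Fernet key for `service`, creating it on first use."""
    key = _KEYCHAIN.get(service)
    if key is None:
        key = Fernet.generate_key()
        _KEYCHAIN[service] = key
    return key


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tokens (integration TEXT PRIMARY KEY, blob BLOB NOT NULL)")
    return conn


def store_token(conn: sqlite3.Connection, integration: str, token: str, key: bytes) -> None:
    # Fernet = AES-128-CBC + HMAC-SHA256 with a timestamp; ciphertext is URL-safe base64.
    blob = Fernet(key).encrypt(token.encode())
    conn.execute("INSERT OR REPLACE INTO tokens VALUES (?, ?)", (integration, blob))


def load_token(conn: sqlite3.Connection, integration: str, key: bytes) -> Optional[str]:
    row = conn.execute("SELECT blob FROM tokens WHERE integration = ?", (integration,)).fetchone()
    if row is None:
        return None
    return Fernet(key).decrypt(row[0]).decode()  # raises InvalidToken on wrong key or tampering


def plaintext_in_db(conn: sqlite3.Connection, needle: str) -> bool:
    """Sanity check: does the secret appear unencrypted anywhere in the table?"""
    return any(needle.encode() in row[0] for row in conn.execute("SELECT blob FROM tokens"))


def demo() -> Dict[str, bool]:
    key = load_or_create_key()
    conn = open_store()
    token = "ya29.constructed-sample-oauth-token"  # constructed value, not a real token
    store_token(conn, "calendar", token, key)
    results = {
        "roundtrip": load_token(conn, "calendar", key) == token,
        "plaintext_leaked": plaintext_in_db(conn, token),
    }
    try:  # a key from another keychain must not decrypt the blob
        load_token(conn, "calendar", Fernet.generate_key())
        results["wrong_key_rejected"] = False
    except InvalidToken:
        results["wrong_key_rejected"] = True
    return results
```

Copying the SQLite file alone therefore yields only ciphertext; the key must be obtained separately from the keychain.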
Backups
Encrypted at rest. Stored in EU data centers. Retention period configurable per plan.
Access control
Claros uses a 7-role hierarchy managed through Nexus (the platform administration module): viewer, member, operator, author, compliance officer, manager, and admin. Each role has defined permissions across all platform applications.
AI data handling
AI features in Claros are opt-in. Organisations control whether AI processing is enabled per application.
When AI is enabled:
- Customer data is sent to the configured AI provider for inference only
- No customer data is used for model training by any provider
- Prompts include content sanitization to prevent injection
- AI provider, model, and endpoint are configurable by the organisation admin through Nexus
Supported providers: Anthropic Claude (default), OpenAI, Ollama (self-hosted). Organisations can connect any OpenAI-compatible endpoint.
Cortex: AI processing uses the user's configured provider. Data is sent directly from the user's machine to the AI provider. No data passes through Nordlabs servers.
Infrastructure
Hosting
Hetzner Cloud — Falkenstein, Nuremberg, Helsinki
Networking
Cloudflare for DNS, DDoS protection, and tunnel access
Monitoring
Application and infrastructure monitoring with alerting
Backups
Daily automated backups, encrypted, stored in EU
Incident response
Customer notification within 72 hours for data breaches (GDPR / DPA)
Compliance
GDPR
Claros is designed for GDPR compliance. Data minimization, purpose limitation, and data subject rights are built into the platform architecture. Privacy management tools (DSR workflows, consent tracking, ROPA) are available in Protocol.
DPA
A Data Processing Agreement is available for all customers. Contact us or download the template below.
SOC 2 / ISO 27001
Claros provides tooling for these frameworks (Protocol manages controls, evidence, and maturity tracking). Nordlabs' own certifications are in progress — contact us for current status.
Cortex
Cortex stores all data locally. Nordlabs does not have access to Cortex user data. The only external transfer is to the user's configured AI provider and to connected integrations when the user approves a write action.
Documents
Security Overview
PDF — available on request
Data Processing Agreement (DPA)
Standard template
Sub-processor list
Current third-party processors
Security contact
For security questions, vendor evaluation requests, or to report a vulnerability:
security@nordlabs.ai