Legal
Security
Effective: pre-launch placeholder · v0.1
⚠ Placeholder
This is a pre-launch skeleton, not a binding legal document. Real terms drafted by counsel ship with public launch. The structure below mirrors what the final version will look like, so the footer-link works and the platform is honest about its state.
How Narriv handles your data, your investors' data, and the deck content sitting between them. The skeleton below mirrors the structure the final document will take.
Hosting + encryption
Vercel for compute (EU + US edge), MongoDB Atlas for data (UK region for UK tenants when launched). Encryption in transit via TLS 1.2+. Encryption at rest via Atlas' standard AES-256.
Authentication
Founder + investor sign-in via Google OAuth or email magic link. Per-tenant role-based access (Owner / Admin / Editor / Viewer). Per-deck access scoping where configured. JWT cookies, HttpOnly + SameSite=Lax.
Tenant isolation
Per-tenant DB scoping enforced at the data-handle layer (`getTenantDb()` proxy) — cross-tenant reads are impossible by construction, not by query convention.
Compliance roadmap
SOC 2 Type II prep planned for Tier 3 (~Year 2). Cyber insurance from launch. Data breach process with 72-hour ICO notification per UK GDPR.
Reporting a vulnerability
Email security@narriv.co. We respond within 48 hours and won't take legal action against good-faith disclosure following responsible-disclosure norms.