Compliance & Security
How we approach infrastructure security, vendor assurance, and data protection across our engagements.
Infrastructure & Hosting
Our application is hosted on Vercel. Vercel's platform is SOC 2 Type 2 attested and ISO 27001:2022 certified. We use Vercel's security documentation as part of our vendor assurance process. Our own compliance posture is assessed separately.
Vercel's platform is SOC 2 Type 2 attested, covering security, availability, and confidentiality trust service criteria.
Vercel holds ISO 27001:2022 certification for its information security management system.
Shared Responsibility Model
Compliance is a shared responsibility between infrastructure providers and the organizations that build on them. We are transparent about this distinction:
What Vercel's certifications cover
Vercel's SOC 2 and ISO 27001 certifications apply to their platform infrastructure: the hosting, networking, edge compute, and deployment systems. These are vendor credentials that we inherit as infrastructure-level controls, not as our own organizational certifications.
What we are responsible for
Application-level security, data handling practices, access controls, and our own compliance posture are assessed and managed independently by Narona Data. We do not claim our organization is SOC 2 or ISO 27001 certified by virtue of running on Vercel.
HIPAA & Healthcare Data
Many of our engagements involve healthcare organizations subject to HIPAA/HITECH requirements. Our approach to healthcare data compliance:
- We work with clients to establish appropriate Business Associate Agreements (BAAs) where required by the scope of engagement.
- There is no such thing as "HIPAA certification": HHS does not certify products, services, or people as HIPAA compliant. Compliance is demonstrated through policies, procedures, and controls, not a badge.
- Our consulting engagements involving PHI/PII are scoped with appropriate technical and administrative safeguards tailored to each client's environment.
- We have deep experience implementing automated data governance solutions for healthcare organizations, including dynamic data masking, role-based access control, and audit logging, as detailed in our healthcare case study.
Data Protection & Privacy
For client engagements, our data protection practices include:
Access Controls
Role-based and attribute-based access control implementations tailored to each client's data classification requirements.
Audit & Monitoring
Automated audit logging and compliance reporting integrated into client data platforms.
Data Masking
Dynamic data masking solutions that restrict visibility of sensitive data based on user roles and data warehouse permissions.
Vendor Assurance
We evaluate and document the security posture of infrastructure vendors used in our delivery, including requesting and reviewing SOC 2 reports and security documentation.
Questions about our compliance posture?
We are happy to discuss our security practices, share relevant vendor documentation, or work through compliance requirements for your specific engagement.