Trust by design

Security isn’t a feature. It’s how we’re built.

Every account, card and transaction at NORVIX is engineered, monitored and answered. Below is the full picture — written for engineers, auditors and curious customers alike.

EU-licensed banking

Funds held with an EU-licensed partner bank, fully segregated from operating capital.

MiCA-aligned crypto

Crypto services routed via a MiCA-licensed CASP partner with institutional custody.

GDPR + privacy-by-design

Data minimisation by default. No selling, no profiling — by policy and by code.

SOC 2 Type II

In flight with a Big Four auditor. Continuous control monitoring already in place.

Security in depth

Layered, audited, always-on.

End-to-end encryption

TLS 1.3 in transit. AES-256-GCM at rest. Key separation per tenant.

Hardware-bound device keys

Sessions bound to Secure Enclave / StrongBox. Cloning a session is non-trivial by design.

Real-time fraud AI

Per-transaction scoring across 30+ signals. Calmly intervenes before damage is done.

Segregated funds custody

Customer funds are held in named segregated accounts at the partner bank — never on our balance sheet.

Cold-storage crypto custody

Anchorage-tier qualified custody. Hot-wallet exposure is bounded and continuously audited.

24/7 ops & incident response

Follow-the-sun on-call. 15-minute SEV-1 acknowledgement, public post-mortems within 14 days.

Compliance & certifications

Audited by serious people. On purpose.

  • EU-licensed
  • MiCA
  • GDPR
  • PSD2 SCA
  • PCI DSS L1
  • ISO 27001
  • SOC 2 (in flight)
  • FATF Travel Rule

Trust by design

Move money with confidence.

Security isn’t a marketing line — it’s how every account, card and transaction at NORVIX is engineered, monitored and answered.

EU-licensed banking

Funds held with an EU-licensed partner bank, segregated from operating capital.

256-bit & device-bound

End-to-end encryption, biometric auth, hardware-bound keys on every session.

Real-time fraud AI

Pattern detection across 30+ signals — calmly intervenes before damage is done.

Privacy by design

GDPR-aligned. Data minimisation. No selling, no profiling — by policy and by code.

MiCA-aligned crypto

Crypto services routed via a MiCA-licensed CASP partner. Custody is institutional-grade.

24/7 human help

When something feels off, real specialists answer — calmly, on-record, in your timezone.

  • EU-licensed
  • MiCA-aligned
  • GDPR
  • SOC 2 (in flight)
  • 24/7 support

Vulnerability disclosure

Found something? Tell us calmly.

We work with the research community in good faith. Reach us at security@norvix.com using our PGP key. Triage within 72 hours, initial response within 7 days.


Scope and SLAs

  • In scope. norvix.com, mobile apps (iOS, Android), and the Business Dashboard.
  • Out of scope. Third-party partner systems, social engineering, physical attacks, denial-of-service.
  • SLAs. 72h triage, 7d initial response, 90d coordinated disclosure window.
  • Safe harbour. Acting in good faith and within scope, we will not pursue legal action.

Recognized researchers

  • @vexlin
  • @kjaer.h
  • @sa1nt
  • @northwarden
  • @ren.io
  • @cipher_g
