Where your code goes
Local first, your own key, secrets excluded, and nothing sent to servers we do not run.
Norma's job is to read your code, so the first fair question is where that code goes. The short answer: it stays on your machine, and only the slices needed for judging are sent to the model provider you choose, using your own key. This page explains exactly how that works.
The product runs locally
The Norma command line tool and the MCP server run on your own machine. They read your specification and your code locally. There is no Norma cloud that ingests your repository; for the tool, there are no Norma servers in the loop at all.
Only what is needed, to your own provider
To judge a requirement, Norma sends only the relevant slices of code to the model provider you configure, such as Anthropic or OpenAI, authenticated with your own API key. You bring the key, you control the provider, and that provider's handling of what you send is governed by its own terms, not ours.
Secrets are excluded by default
Files matching the secret patterns in the default exclude list, such as .env files, private keys, and certificates, are never indexed and never sent to the model, regardless of your include settings. The same exclude list is shared by the CLI and the MCP server, since both run through the same engine.
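As an added illustration of the behavior described above, not Norma's own code, here is a deny-first file selector: the secret exclude list is checked before any include pattern, so an include setting can never pull a secret-bearing file into what gets sent. The pattern list and the sample paths are constructed for the example; Norma's actual default list is not shown on this page.

```python
import fnmatch
from pathlib import PurePosixPath

# Hypothetical default exclude list (assumption, not Norma's real list):
# typical names for env files, private keys, certificates and keystores.
DEFAULT_SECRET_PATTERNS = (
    ".env", ".env.*", "*.pem", "*.key", "*.p12", "*.pfx", "*.crt", "*.cer",
    "id_rsa", "id_ed25519", "*.jks", "*.keystore",
)

def _matches(path: str, patterns) -> bool:
    """Case-insensitive glob match against the file name or the full path."""
    path = path.lower()
    name = PurePosixPath(path).name
    return any(fnmatch.fnmatchcase(name, p.lower()) or fnmatch.fnmatchcase(path, p.lower())
               for p in patterns)

def is_secret(path: str, secret_patterns=DEFAULT_SECRET_PATTERNS) -> bool:
    return _matches(path, secret_patterns)

def select_files(paths, include_patterns, secret_patterns=DEFAULT_SECRET_PATTERNS):
    """Classify each path as 'withheld' (matches a secret pattern, never sent),
    'sent' (matches an include pattern) or 'skipped' (matches neither).
    Secret patterns are evaluated first, so includes cannot override them."""
    decisions = {}
    for p in paths:
        if is_secret(p, secret_patterns):
            decisions[p] = "withheld"
        elif _matches(p, include_patterns):
            decisions[p] = "sent"
        else:
            decisions[p] = "skipped"
    return decisions

# Constructed sample tree. The include list deliberately names ".env" and the
# certs directory to show that the exclude list still wins over includes.
SAMPLE_PATHS = [
    "src/main.py", "config/settings.py", "config/.env", "config/.env.production",
    "certs/Server.PEM", "deploy/id_rsa", "README.md",
]
SAMPLE_INCLUDES = ("*.py", "config/*", "certs/*", ".env")

if __name__ == "__main__":
    for path, decision in select_files(SAMPLE_PATHS, SAMPLE_INCLUDES).items():
        print(f"{decision:9} {path}")
```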
The GitHub Action runs in your CI
The Action executes inside your own CI runner. Your key lives as a repository secret you control, and the same local-first behavior applies: only the needed slices reach the provider, and the result is posted back to your pull request.
Reproducible and contestable
Every report stamps the model and prompt version used, and conforms to an open schema. A score is not a black box: it can be reproduced or challenged, which is the point of treating Spec Fidelity as a shared standard rather than one vendor's opaque metric.
The website and the beta are separate
This page is about the product. The website and the beta program collect a small amount of information when you ask for access, which is described in our Privacy Policy.