SECURITY

Your events. Encrypted, isolated, EU-hosted.

HumanHours collects event metadata only. No PII, no audit-sample contents unless you opt in, no data egress outside the EU. Below is the long-form posture we hand to procurement teams.

DATA RESIDENCY

Your events stay in the EU.

HumanHours runs on Vercel (EU regions for serverless functions) and Supabase (Postgres in eu-west-1, Ireland). Event payloads, dashboards, reports, and the metering pipeline never leave EU jurisdiction. Outbound mail goes through Resend (EU-routed by default). Sentry is configured to drop event bodies before egress.

We do not transfer event data to subprocessors outside the EEA. Stripe is the only US-connected component in the stack and only sees billing-relevant fields (customer email, invoice line items, metered overage counts).

ENCRYPTION

Encrypted in transit, encrypted at rest.

Every connection to humanhours.dev runs over TLS 1.3. Strict-Transport-Security with includeSubDomains + preload is set on every response so the browser never falls back to HTTP, and HTTPS-only cookies are flagged Secure in production.

At rest, Supabase Postgres encrypts the database volume with AES-256, and daily backups are encrypted with separate keys retained for 7 days on Pro and 30 days on Enterprise tiers.

TENANT ISOLATION

RLS at the database, not the application.

Multi-tenancy in HumanHours is enforced by Postgres row-level security policies on every table that holds tenant data: events, agents, task_types, api_keys, webhooks. The application code uses a service-role client for server-side mutations only; user-facing queries always run through the SSR-scoped client tied to the current session.

Plan-tier and role-based gates (owner, admin, member, viewer) are checked server-side before any mutation. A crafted form post that targets another organization is rejected at the database layer even if the application layer were to slip.

API KEYS

argon2id hashed with a server-side pepper.

API keys (hh_live_…) are hashed with argon2id and never stored in plaintext. Verification uses a fixed-time compare against the hash plus a server-only API_KEY_PEPPER env var, so a database leak alone cannot replay events.

Keys are scoped to a single organization, can be revoked instantly from the dashboard, and surface every event they emit in /api-keys with an audit trail.

WEBHOOKS

HMAC-signed outbound, signature-verified inbound.

Outbound webhooks (digest.weekly, event.tracked) carry an HMAC-SHA256 signature in the X-HumanHours-Signature header so your endpoint can verify the payload originated from us. Inbound Stripe webhooks are signature-verified with the dedicated webhook secret on every request.

All webhook deliveries are dedupe-protected and retry-stable; the redelivery cron picks failures back up with exponential backoff for up to 24 hours before marking them abandoned.
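
A receiving endpoint for the signed, retried deliveries described above could look like the following. This is an added example, not HumanHours code. It assumes the header carries the hex HMAC-SHA256 of the raw request body keyed with your webhook secret, and it deduplicates on a hash of the body because the page names no delivery identifier; the secret, payload, and the Receiver class are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values; a real secret comes from your webhook settings.
SECRET = b"whsec_constructed_example_secret"
BODY = b'{"type":"event.tracked","data":{"agent":"a1","task_type":"triage"}}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body (assumed encoding of the header value)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Check X-HumanHours-Signature against the bytes exactly as received."""
    if not header_value:
        return False  # unsigned request: reject, never fall through
    expected = sign(secret, raw_body)
    # compare_digest is constant-time; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), header_value.strip().lower().encode())


class Receiver:
    """Verifies, then deduplicates, so retried deliveries are processed once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = set()  # use a durable store with a TTL in production
        self.processed = []

    def handle(self, raw_body: bytes, headers: dict) -> int:
        """Return the HTTP status the endpoint should answer with."""
        sig = headers.get("X-HumanHours-Signature")
        if not verify(self.secret, raw_body, sig):
            return 401
        # Parse only after the signature holds; parsing first and re-serialising
        # would change the bytes and break verification.
        event = json.loads(raw_body)
        # Dedupe key is an assumption; prefer a delivery id if the payload has one.
        key = hashlib.sha256(raw_body).hexdigest()
        if key in self.seen:
            return 200  # redelivery: acknowledge without reprocessing
        self.seen.add(key)
        self.processed.append(event["type"])
        return 200
```

Most web frameworks expose headers case-insensitively; with a plain dict as here, the lookup must match the header name exactly.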

ACCESS + AUDIT

Every plan change is auditable.

Custom task type creation, archival, and baseline-override actions are written to a tamper-evident audit log with before/after snapshots and the actor's user_id. Workspace creation, member invites, role changes, and workspace deletion are logged at the database layer so security reviews can replay activity.

Internal admin access is gated by an email allowlist; only Triad-internal addresses can reach /admin, and that surface deliberately omits any tenant data beyond aggregate counts.

INCIDENT RESPONSE

We notify you if something happens.

If we detect or are notified of a security incident affecting your data, we acknowledge within 24 hours and provide a written summary within 72 hours, including scope, root cause, timeline, and remediation steps. Workspace owners receive incident notifications at the registered owner email plus any opted-in security contacts.

Status of every dependency (Postgres, Stripe, Resend, Sentry) lives at the public /status page with 30-second probes; incidents that affect availability are also posted there in real time.

RESPONSIBLE DISCLOSURE

Found a security issue? Tell us.

Email security@triadagency.ai with reproduction steps. We will acknowledge within one business day and triage within five. We do not currently run a public bug bounty, but credit in the changelog and a HumanHours t-shirt are on the table for novel findings.

Please do not test against other customers' workspaces; use a fresh signup or ask for a sandbox account first.

Need a DPA or vendor security questionnaire?

Email support@triadagency.ai and we will share our DPA template plus the latest answers to the standard CAIQ-Lite, Vendr, and Whistic questionnaires.
