How we keep your data safe.

• •Sign-in is via passwordless email magic-links. No reusable passwords sitting in browsers.
• •Sessions are HMAC-signed cookies, scoped per tenant, with httpOnly + secure flags.
• •Roles control every gate (Owner / Dispatcher / Tech / Accountant). Each tool, page, and API path checks the role server-side.
• •Sign-in events log to an audit trail visible to the owner.

Every query is tenant-scoped. The Postgres `tenantId` column is part of every table's index, and every read/write goes through a helper that injects the current tenant — there's no global "select * from customers".

We use updateMany with a combined id + tenantId where clause for writes, so a leaked id from one tenant can't update another's data.

• •TLS 1.3 for everything in flight. HSTS preload on the marketing site.
• •Database encrypted at rest. Backups encrypted with separate keys.
• •No customer data on developer laptops. Local development uses synthetic seed data only.
• •Photos and files stored on Vercel Blob with signed URLs — no public buckets.

We minimize what leaves Hausstack. The current footprint:

• •Anthropic — model inference for agents. Zero-retention contract; prompts and responses are not kept or used to train.
• •Stripe — payment processing. They handle card data; we never see card numbers.
• •Twilio — SMS delivery. They see the message body and recipient phone number, nothing else.
• •Vercel + Neon — compute and database hosting in US regions.

• •Production access is limited to two engineers and is logged.
• •All deploys go through Vercel preview-then-promote. No direct prod edits.
• •Database migrations are reviewed and run in transactions where safe.
• •We pen-test annually starting at 10 paying customers and on every major release after that.
• •Incident response: status.haussolutions.com is our public source of truth — we post within 30 minutes of any user-impacting issue.

We're SOC 2 Type 1 in scope as of this writing. Type 2 audit window opens once we hit 50 paying customers. We're not HIPAA-covered today — if you handle PHI, talk to us first.

We can sign a DPA. Email security@haussolutions.com for a copy or a SIG-Lite questionnaire response.

Found something? Email security@haussolutions.com with details. We respond within 24 hours, fix verified issues within 7 days for high-severity, and credit reporters who'd like to be named.