Trust & Security
HHQ’s security posture, sub-processor list, and compliance roadmap. Last updated 28 May 2026.
For security questionnaires (SIG, CAIQ, custom): security@handoverhq.ai
Sub-processors
Third-party providers that may process customer data on HHQ’s behalf. Listed in order of data sensitivity.
| Provider | Purpose | Data processed | Hosting region | DPA |
|---|---|---|---|---|
| Supabase | Managed Postgres database + auth | All customer data (handovers, users, interview answers, files) | AWS ap-southeast-2 (Sydney) | View |
| OpenAI | GPT-4o for AI interview evaluation + brief generation | Interview question text + transcribed answers | US (no training on customer data — API contract) | View |
| ElevenLabs | Text-to-speech for voice AI interview | Question text only — no answers transmitted | US | View |
| Resend | Transactional + lifecycle email delivery | Recipient email, handover metadata, system notifications | US (default region) | View |
| Sentry | Error monitoring + observability | Exception stack traces, request paths, user IDs (no PII payloads) | US / EU split | View |
| Vercel | Frontend hosting + edge network | HTTP request metadata only — no application data | Global edge with Sydney POP | View |
| Railway | Backend API hosting | API request metadata only — no application data | US (us-west) | View |
HHQ commits to a 30-day notice period before adding any new sub-processor. Email security@handoverhq.ai to subscribe to sub-processor change notifications.
Security controls
Current implementation as of 28 May 2026.
Authentication
- Supabase Auth (JWT-based session management)
- OAuth providers: Google, Microsoft (Azure)
- Magic-link invite flow for new team members
- Custom SMTP via Resend (auth emails delivered via verified sender)
Data isolation
- Multi-tenant Postgres with Row-Level Security (RLS) policies — 114 c7_* policies live in production
- EF Core global query filters enforce the tenant boundary at the ORM layer (defence in depth)
- Database connection role (hhq_api) has BYPASSRLS = false — RLS is real enforcement, not advisory
- Cross-tenant access verification: a smoke test on 26 May 2026 returned zero rows across tenant boundaries
Encryption
- At rest: AES-256 via Supabase (managed by AWS RDS)
- In transit: TLS 1.2+ for all client-server communication
- Secrets management: Railway + Vercel encrypted env vars; never committed to source
Audit logging
- ~27 sensitive operations write to public.audit_log
- Recorded fields: actor (contact + auth UUID), action, entity, IP, user agent, jsonb detail
- Retention: indefinite (policy to be set during framework readiness)
- Admin-visible at /settings/admin → Audit log tab
Rate limiting & abuse protection
- Per-IP rate limit policies: Strict, Burst, PublicAI, PublicUpload, PublicGeneral
- Per-IP daily char budget on text-to-speech
- Per-org daily char budget on text-to-speech (and per-token budget on /public/interview/*)
- HMAC + replay protection on inbound webhooks (BambooHR, Employment Hero)
Application security
- Security headers: HSTS, X-Frame-Options, CSP, X-Content-Type-Options
- Input sanitisation on user-uploaded files (filename + URL validation)
- Webhook signature verification (constant-time compare)
- No PII in error responses (Sentry redacts auth headers + tokens)
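As an added illustration of the two webhook controls listed above (HMAC with replay protection on inbound webhooks, and constant-time signature comparison), the Python sketch below is not HHQ's code. The header names, the timestamp-binding scheme, the shared secret and the sample payload are assumptions constructed for the demo, not the formats BambooHR or Employment Hero actually send.

```python
import hashlib
import hmac
import time

# Constructed values for the demo. A real deployment loads the shared secret
# from the environment rather than from source, as the secrets bullet above says.
WEBHOOK_SECRET = b"demo-shared-secret-not-real"
MAX_SKEW_SECONDS = 300  # reject timestamps more than 5 minutes off the server clock

# Assumed header names for this sketch; real providers use their own.
TS_HEADER = "X-Webhook-Timestamp"
SIG_HEADER = "X-Webhook-Signature"


def compute_signature(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>'.

    Binding the timestamp into the MAC means a captured delivery cannot be
    re-sent later with a fresh timestamp header: changing the header changes
    the expected MAC, and keeping the old header makes the message stale.
    """
    msg = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_request(body: bytes, secret: bytes, now: int) -> dict:
    """Sender side: the headers a provider would attach to one delivery."""
    return {TS_HEADER: str(now), SIG_HEADER: compute_signature(secret, now, body)}


class ReplayCache:
    """In-memory record of signatures already accepted.

    A signature is only replayable while its timestamp is inside the skew
    window, so entries can be evicted after twice that window (a timestamp
    may be up to MAX_SKEW_SECONDS in the future when first seen).
    """

    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self._seen = {}  # signature -> time first accepted

    def first_sighting(self, signature: str, now: int) -> bool:
        for key in [k for k, t in self._seen.items() if now - t > self.ttl]:
            del self._seen[key]
        if signature in self._seen:
            return False
        self._seen[signature] = now
        return True


def verify_webhook(headers: dict, body: bytes, secret: bytes,
                   cache: ReplayCache, now: int = None):
    """Returns (accepted, reason). Order: freshness, then MAC, then replay."""
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TS_HEADER)
    presented = headers.get(SIG_HEADER)
    if not ts_raw or not presented:
        return False, "missing headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale"
    expected = compute_signature(secret, ts, body)
    # compare_digest takes time independent of where the values differ,
    # so a forger learns nothing about the correct MAC from response latency.
    if not hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8")):
        return False, "bad signature"
    # Only genuine signatures enter the cache, so forged traffic cannot fill it.
    if not cache.first_sighting(presented, now):
        return False, "replay"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: one valid delivery, then the same delivery replayed.
    cache = ReplayCache(2 * MAX_SKEW_SECONDS)
    body = b'{"event":"employee.terminated","id":"emp_demo_123"}'
    now = 1_700_000_000
    headers = sign_request(body, WEBHOOK_SECRET, now)
    print(verify_webhook(headers, body, WEBHOOK_SECRET, cache, now=now))
    print(verify_webhook(headers, body, WEBHOOK_SECRET, cache, now=now + 5))
```

The check order is deliberate: freshness is verified before the MAC so stale traffic is dropped cheaply, the MAC is verified before the replay cache so only authentic signatures are remembered, and the cache TTL covers the full window in which an accepted signature could still pass the freshness check.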
Compliance roadmap
Active programmes and target attestations.
| Framework | Status | Detail |
|---|---|---|
| SOC 2 Type I self-test | In progress (2026 H2) | Internal readiness assessment using SOC 2 trust services criteria |
| SOC 2 Type II | Target 2027 H1 | Continuous audit period following Type I |
| ISO 27001 | Evaluating | May follow SOC 2 if EU enterprise demand justifies |
| GDPR alignment | In progress | Data map + lawful-basis register + DSAR workflow under construction |
| Australian Privacy Act (APP) | In progress | Notifiable Data Breach plan + sub-processor register under construction |
Contact
For security-related questions, vulnerability disclosures, or to request a DPA / security questionnaire response: security@handoverhq.ai
Responsible disclosure: please give us 90 days from initial report before public disclosure.