Hired Hands legal

Security

Effective July 3, 2026

Your agents answer with your business's knowledge and talk to your customers — so the platform is built with isolation and auditability as defaults, not add-ons. Here's exactly what protects your data.

Tenant isolation

  • Every tenant table is protected by Postgres row-level security keyed to organization membership — one policy layer enforced by the database itself, not just application code.
  • Agent knowledge, transcripts, outputs, and usage records are scoped to your organization and unreadable by any other tenant.

Secrets handling

  • Connection credentials (Slack/Discord webhooks, GitHub/Notion tokens…) live in a table with no client-readable access path — only our server-side service role can read them, and our APIs never return a stored secret.
  • Connections are verified with a live API call before saving, and re-checked on every delivery.
  • Platform secrets are environment-scoped and never shipped to the browser.

Abuse & egress protection

  • Customer-supplied URLs (site scans, custom webhooks) pass an egress guard that blocks private networks, loopback, link-local, and cloud-metadata addresses — checked when saved and on every send.
  • Public widget endpoints use unguessable per-agent keys, are disabled by default, and are rate-limited per agent.
  • Org-level burst limits and monthly budgets cap every model call path.
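
The egress guard described above (blocked ranges, checked when a URL is saved and again on every send), as an added Python example. It is not Hired Hands' code: the function names, the injectable resolver, and the sample hostnames and addresses are assumptions made for illustration, and it goes slightly beyond the list above by also covering the IPv6 equivalents and IPv4-mapped IPv6 addresses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges named on the page: private networks, loopback, link-local (which holds
# the 169.254.169.254 cloud-metadata address), plus their IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7",  # private
    "127.0.0.0/8", "::1/128", "0.0.0.0/8", "::/128",   # loopback, unspecified
    "169.254.0.0/16", "fe80::/10",                     # link-local, metadata
)]

def system_resolver(host, port):
    """Every address the name resolves to (assumed default resolver)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def is_blocked(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparseable answer: fail closed
    # Unwrap ::ffff:a.b.c.d so a mapped address cannot dodge the IPv4 rules.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)

def check_egress(url, resolve=system_resolver):
    """Return (allowed, reason); run at save time and before every send."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "only http(s) URLs with a host are accepted"
    try:
        addrs = resolve(parts.hostname, port)
    except OSError:
        return False, "name did not resolve"
    # Reject if ANY answer is internal: a client may connect to any of them.
    bad = [a for a in addrs if is_blocked(a)]
    if bad or not addrs:
        return False, f"blocked address: {bad[0] if bad else 'none returned'}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed rebinding case: public answer at save, metadata IP at send.
    answers = iter([["203.0.113.10"], ["169.254.169.254"]])
    for stage in ("save", "send"):
        print(stage, check_egress("https://hooks.example.test/in", lambda h, p: next(answers)))
```

The verdict only holds if the HTTP client then connects to one of the vetted addresses and re-runs the check on any redirect target. Otherwise a second DNS lookup at connect time can return a different answer than the one that was checked.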

Billing integrity

  • Stripe webhooks are signature-verified and idempotent — replayed events can’t double-apply.
  • Card data never touches our servers.

Auditability

  • Widget conversations are stored as transcripts your team can review.
  • Every escalation, draft, and captured lead lands in a review queue with status history.
  • Every model call is metered with tokens, model, and timestamp.

Infrastructure

  • Hosted on Vercel (application) and Supabase on AWS us-east-1 (database, auth, vector search).
  • TLS for all traffic in transit; encryption at rest for stored data; point-in-time database recovery.
  • Model calls go to OpenAI’s API, which does not train on API data.
  • Health monitoring endpoints and structured failure handling — a failing dependency degrades gracefully rather than exposing errors to your customers.

On the roadmap

  • SSO/SAML and audit-log export for enterprise plans.
  • Bring-your-own-key model access.
  • SOC 2 program as we grow — the controls above are designed with that path in mind.

Responsible disclosure

Found a vulnerability? Email security@hiredhands.dev. We respond within 48 hours, and we won’t pursue action against good-faith research that respects user data and service availability.