Hubalot Security Policy

Effective Date: July 30, 2025
Last Updated: October 11, 2025
Version: 2.0

Security Contact: security@hubalot.com

Our Security Philosophy

At Hubalot, security is not a feature — it's the foundation.

Every architectural decision, every line of code, and every system design choice is made with data protection, privacy compliance, and user control at its core.

We operate under two fundamental principles:

  1. Secure by Default: Security measures are built-in and active from the moment you create an account—not optional add-ons
  2. Principle of Least Privilege: Only the minimum necessary access is ever granted to any user, system, or process

Our commitment: Your data security is our highest priority. We implement defense-in-depth strategies, continuous monitoring, and proactive threat mitigation to ensure your information remains protected at all times.

Security Architecture Overview

Hubalot's security architecture is built on multiple overlapping layers of protection, ensuring that even if one layer is compromised, additional safeguards remain in place.

Defense-in-Depth Strategy

Layer 7: User Controls & Transparency
Layer 6: Monitoring & Incident Response
Layer 5: Application Security
Layer 4: Integration & API Security
Layer 3: Access Control & Authentication
Layer 2: Data Encryption & Protection
Layer 1: Infrastructure & Network Security

1. Data Encryption & Protection

Encryption is applied at every stage of the data lifecycle—at rest, in transit, and during processing.

1.1 Encryption at Rest

All stored data is encrypted at rest with AES-256:

Database encryption:

  • AES-256 encryption for all database records
  • Separate encryption keys per data classification level
  • Encrypted database backups with secure key management
  • Regular key rotation following industry best practices

File storage encryption:

  • All uploaded files encrypted with AES-256 before storage
  • Unique encryption keys per user where feasible
  • Encrypted file metadata and indexes
  • Secure deletion with cryptographic erasure

What we encrypt:

  • User documents and files
  • Chat history and conversation data
  • Enhanced Memory indexes and embeddings
  • User profiles and account information
  • API keys and OAuth tokens
  • Billing information (tokenized)
  • System logs containing sensitive data

1.2 Encryption in Transit

All data transmitted between systems is protected:

TLS 1.3+ encryption:

  • All browser-to-server communication uses TLS 1.3 or higher
  • Perfect Forward Secrecy (PFS) enabled
  • Strong cipher suites only (no deprecated algorithms)
  • HSTS (HTTP Strict Transport Security) enforced
  • Certificate pinning for critical connections

API communication:

  • All third-party API calls encrypted via TLS 1.3+
  • Mutual TLS (mTLS) for high-security integrations
  • Encrypted payloads for sensitive data transmission
  • Secure webhook delivery with signature verification

1.3 Application-Layer Encryption

  • Critical PII encrypted at the application layer before database storage
  • OAuth tokens and API keys encrypted with separate key hierarchy
  • Payment information tokenized and encrypted (handled by PCI-compliant processors)

Encryption key management:

  • Hardware Security Modules (HSMs) or cloud KMS for key storage
  • Key rotation schedules (90-day rotation for high-sensitivity keys)
  • Separate encryption keys for different data classifications
  • Multi-party key management for critical systems
  • Secure key backup and recovery procedures

2. Access Control & Authentication

Strict controls ensure only authorized users and systems can access data.

2.1 Row-Level Security (RLS)

Database-level isolation prevents cross-user data access:

Implementation:

  • PostgreSQL Row-Level Security (RLS) enforced on all user data tables
  • Every database query automatically filtered by user ID
  • No user can view, modify, or delete another user's data
  • Database-level enforcement (not just application logic)
  • Separate schemas for multi-tenant isolation where applicable

2.2 Authentication & Session Management

Authentication system:

  • NextAuth.js for secure, industry-standard authentication
  • Bcrypt/Argon2 password hashing (never plain text)
  • Minimum password requirements (12+ characters, complexity rules)
  • Account lockout after failed login attempts
  • Password breach detection (integration with HaveIBeenPwned API)

Multi-Factor Authentication (MFA):

  • TOTP-based MFA available for all accounts
  • SMS-based MFA as backup option
  • Recovery codes for account recovery
  • MFA enforcement available for Enterprise plans

Session security:

  • Secure, HTTP-only cookies (not accessible via JavaScript)
  • Short session lifetimes (24 hours for standard users)
  • Automatic session expiration on inactivity (30 minutes)
  • Session invalidation on password change or security events
  • Device fingerprinting for anomaly detection

3. File & Document Security

Uploaded files and documents are protected with multiple security layers.

3.1 Private Storage Architecture

Storage implementation:

  • Supabase Storage with private bucket configuration
  • No direct URL access to files (all requests authenticated)
  • Files stored with randomized, non-guessable identifiers
  • Separate storage buckets per data classification
  • Geographic redundancy for disaster recovery

3.2 Signed URL Access

Temporary, expiring URLs for secure file access:

  1. User requests access to their file
  2. Server generates a cryptographically signed URL valid for 15 minutes
  3. URL includes authentication token and expiration timestamp
  4. After expiration, URL becomes invalid and cannot be reused
  5. New signed URL required for each access
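
The flow in steps 2 to 4, as an added example that is not Hubalot's or Supabase's code: an HMAC-SHA256 signed URL that binds user, path and a 15-minute expiry, with verification that rejects tampering and expired links. The function names, query parameter names (uid, exp, sig), host and demo key are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const TTL_SECONDS = 15 * 60; // 15-minute validity, as in step 2
// Assumption: constructed demo key; a real key would live in a KMS or secret store.
const DEMO_KEY = Buffer.from('constructed-demo-key-not-a-real-secret');

// The MAC covers user, path and expiry together, so none of the three
// can be changed without invalidating the signature.
function mac(key, userId, path, expires) {
  return crypto.createHmac('sha256', key)
    .update(JSON.stringify([userId, path, expires]))
    .digest('hex');
}

// Steps 2-3: issue a URL carrying the expiry timestamp and the signature.
function signUrl(key, userId, path, nowSec) {
  const expires = nowSec + TTL_SECONDS;
  const u = new URL(path, 'https://files.example.invalid'); // hypothetical host
  u.searchParams.set('uid', userId);
  u.searchParams.set('exp', String(expires));
  u.searchParams.set('sig', mac(key, userId, u.pathname, expires));
  return u.toString();
}

// Step 4: check the signature first (constant time), then the expiry.
function verifyUrl(key, url, nowSec) {
  const u = new URL(url);
  const uid = u.searchParams.get('uid');
  const expRaw = u.searchParams.get('exp') || '';
  const sig = u.searchParams.get('sig');
  if (!uid || !sig || !/^\d+$/.test(expRaw)) {
    return { ok: false, reason: 'malformed' };
  }
  const exp = Number(expRaw);
  const expected = Buffer.from(mac(key, uid, u.pathname, exp));
  const given = Buffer.from(sig);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (nowSec >= exp) return { ok: false, reason: 'expired' };
  return { ok: true, userId: uid, path: u.pathname };
}

// Constructed sample: issue a link, then check it one minute later.
const issuedAt = 1760000000;
const sample = signUrl(DEMO_KEY, 'user-42', '/files/7f3a9c/report.pdf', issuedAt);
console.log(sample, verifyUrl(DEMO_KEY, sample, issuedAt + 60));
```

Checking the signature before the expiry means an unauthenticated caller learns nothing about whether a guessed link was ever valid.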

3.3 File Upload Security

Upload validation:

  • File type verification (MIME type and magic number checking)
  • File size limits per plan (Free 1GB, Pro 10GB, Elite 50GB total)
  • Virus and malware scanning
  • Content sanitization for document formats
  • Filename sanitization (prevent directory traversal attacks)
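
Two of the checks above, magic-number verification against the declared MIME type and filename sanitization, as an added example that is not Hubalot's code. The allow-list of three types, the function names and the 100-character name limit are assumptions; the byte signatures are the standard PDF, PNG and JPEG file headers.

```javascript
// Assumption: a small allow-list keyed by MIME type.
const MAGIC = {
  'application/pdf': Buffer.from('%PDF-'),
  'image/png': Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  'image/jpeg': Buffer.from([0xff, 0xd8, 0xff]),
};

// Return the MIME type whose signature the content starts with, or null.
function sniffType(bytes) {
  for (const [mime, sig] of Object.entries(MAGIC)) {
    if (bytes.length >= sig.length && bytes.subarray(0, sig.length).equals(sig)) {
      return mime;
    }
  }
  return null;
}

// Reduce a client-supplied name to a safe basename: drop any directory
// part (both separator styles), replace anything outside a conservative
// character set, and strip leading dots so "..", ".htaccess" etc. cannot survive.
function sanitizeFilename(name) {
  const base = String(name).replace(/\\/g, '/').split('/').pop();
  const cleaned = base
    .normalize('NFKC')
    .replace(/[^A-Za-z0-9._-]/g, '_')
    .replace(/^\.+/, '');
  return cleaned.slice(0, 100) || 'unnamed';
}

// The content decides the type; the client's declaration must agree with it.
function validateUpload({ filename, declaredMime, bytes }) {
  const actual = sniffType(bytes);
  if (actual === null) return { ok: false, reason: 'unknown-type' };
  if (actual !== declaredMime) return { ok: false, reason: 'type-mismatch' };
  return { ok: true, mime: actual, displayName: sanitizeFilename(filename) };
}

// Constructed sample: a PDF header uploaded under a traversal-style name.
console.log(validateUpload({
  filename: '../../reports/q3 summary.pdf',
  declaredMime: 'application/pdf',
  bytes: Buffer.from('%PDF-1.7\n'),
}));
```

The sanitized name is only suitable for display; the stored object should still use a randomized identifier, as section 3.1 states.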

4. Third-Party Integration Security

Secure connections to external services with user consent and minimal permissions.

4.1 OAuth-Only Authentication

We never request or store your passwords for external services:

  • All integrations use industry-standard OAuth 2.0 flows
  • Users authenticate directly with the service provider
  • Hubalot receives only an access token—never your password
  • Tokens encrypted and stored securely
  • Tokens revocable at any time from account settings

4.2 Scope Minimization

We request only the minimum permissions necessary for each integration:

Google Drive:

  • Scope: https://www.googleapis.com/auth/drive.file
  • Access: Only files you explicitly select via Google Drive Picker

Gmail:

  • Scope: https://www.googleapis.com/auth/gmail.readonly (Restricted Scope)
  • Access: Individual emails you choose to summarize

4.3 User Consent & Transparency

Consent flow:

  1. User initiates integration (clicks "Connect Google Drive")
  2. Clear explanation of what data will be accessed and why
  3. User redirected to service provider for authentication
  4. User explicitly grants permissions
  5. Hubalot receives access token only after user approval

4.4 Gmail Restricted Scope Compliance

Special safeguards for Gmail integration:

  • No background syncing or automatic email ingestion
  • Individual email access only when user explicitly requests summarization
  • No bulk operations
  • Limited retention: Only AI-generated summaries stored, not raw email content
  • Dedicated AI processor: Gemini AI is the sole processor for Gmail content
  • User control: Users can delete summaries at any time

5. Search & Enhanced Memory Security

Intelligent search powered by secure, privacy-preserving architecture.

5.1 Hybrid Search Privacy

  • Vector embeddings generated from sanitized text (PII removed/masked)
  • Encrypted original documents remain separate from search indexes
  • Metadata-only indexing for highly sensitive files (user-configurable)
  • User-scoped indexes (no cross-user search capabilities)

5.2 No AI Model Training

Your data is never used to train third-party AI models:

  • Data Processing Agreements (DPAs) with all AI providers
  • Explicit prohibition on using customer data for model training
  • API endpoints configured to exclude data from training datasets
  • Regular audits of AI provider compliance

5.3 Encrypted Originals

Original files and conversations remain encrypted and isolated. Search indexes are stored separately from the encrypted originals, and decryption occurs only when the user explicitly requests document content.

6. Application Security

Secure coding practices and proactive vulnerability management.

6.1 Secure Development Lifecycle (SDL)

Security integrated into every phase:

  • Design phase: Threat modeling, security requirements, PIAs
  • Development phase: Secure coding standards, code review, SAST, dependency scanning
  • Testing phase: DAST, penetration testing, security QA
  • Deployment phase: Automated security checks, IaC scanning, secrets management
  • Maintenance phase: Regular updates, continuous monitoring, incident response

6.2 Input Validation & Sanitization

Protecting against injection attacks:

  • Server-side validation for all user inputs
  • Whitelist-based validation
  • SQL injection prevention via parameterized queries
  • XSS prevention via output encoding and CSP
  • Command injection prevention

6.3 OWASP Top 10 Protection

Comprehensive mitigation of critical web application security risks including Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Authentication Failures, and more.

6.4 API Security

Protecting API endpoints:

  • API key or OAuth token required for all requests
  • Rate limiting per API key/user
  • IP whitelisting for sensitive endpoints (optional)
  • CAPTCHA challenges for suspicious activity
  • CDN-level DDoS protection

7. Infrastructure & Network Security

Hardened infrastructure with multiple layers of defense.

7.1 Cloud Infrastructure Security

  • Virtual Private Cloud (VPC) with isolated subnets
  • Security groups and network ACLs
  • Private subnets for databases (no public internet access)
  • Bastion hosts for secure administrative access
  • Immutable infrastructure

7.2 Network Security

  • Web Application Firewall (WAF)
  • Network segmentation
  • IDS/IPS systems
  • DDoS protection
  • Threat intelligence feeds

7.3 Database Security

  • Private subnets (no direct internet access)
  • IAM-based authentication
  • Encryption at rest (AES-256)
  • Encryption in transit (TLS)
  • Automated daily backups
  • Geo-redundant backups

8. Monitoring, Logging & Incident Response

Continuous vigilance and rapid response to security events.

8.1 Security Monitoring

24/7 monitoring for threats:

  • SIEM system aggregating logs from all sources
  • Anomaly detection using machine learning
  • Threat intelligence integration
  • User behavior analytics
  • Infrastructure monitoring

8.2 Comprehensive Audit Logging

What we log:

  • Authentication events (logins, failed attempts, MFA, password changes)
  • Authorization events (permission grants, role changes)
  • Data access (file views, downloads, uploads, deletions)
  • API calls (endpoint, user, timestamp, IP address)
  • Integration activity (OAuth grants, file imports)
  • Administrative actions
  • Security events (firewall blocks, IDS alerts)

Log properties:

  • Immutable: Logs cannot be modified (append-only)
  • Encrypted: Logs encrypted at rest
  • Tamper-evident: Cryptographic hashing
  • Retained: 1 year retention

8.3 Incident Response Plan

Incident response phases:

  1. Preparation: Plan documented, team roles defined, tools configured
  2. Detection & Analysis: Incident detected, severity assessed, evidence collected
  3. Containment: Isolate affected systems, block threats, preserve evidence
  4. Eradication: Remove malware, patch vulnerabilities, reset credentials
  5. Recovery: Restore systems, verify integrity, monitor for re-compromise
  6. Post-Incident: Incident report, user notification, process improvements

8.4 Breach Notification Procedures

Notification timeline:

  • Internal notification: Immediate
  • User notification: Within 72 hours (GDPR requirement)
  • Regulatory notification: Within 72 hours to data protection authorities

9. Compliance & Standards

Adherence to global security and privacy regulations.

9.1 Regulatory Compliance

Hubalot complies with:

  • GDPR: Data minimization, user rights, breach notification, DPO appointed
  • CCPA/CPRA: Right to know, delete, opt-out, non-discrimination
  • PIPEDA: Canadian data protection
  • LGPD: Brazilian data protection
  • UK GDPR: Post-Brexit UK data protection

9.2 Security Standards & Certifications

  • SOC 2 Type II: In progress
  • ISO 27001: Roadmap
  • GDPR compliance: Achieved
  • CCPA compliance: Achieved

9.3 Google API Services Compliance

Full adherence to Google API Services User Data Policy: Hubalot's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

9.4 Third-Party Security Assessments

Independent validation:

  • Penetration testing: At least annually
  • Vulnerability assessments: Continuous scanning
  • Bug bounty program: Community-driven security
  • Security audits: Third-party code and configuration reviews

10. User Security Controls

Empowering users with tools to protect their own data.

10.1 Account Security Settings

  • Multi-Factor Authentication: Enable TOTP or SMS-based MFA
  • Password management: Change password, password strength indicator
  • Session management: View active sessions, revoke sessions
  • Login notifications: Email alerts for new device logins

10.2 Data Portability & Deletion

  • Data export: Export all data in JSON, CSV, or PDF format
  • Delete individual items: Files, conversations, memory entries
  • Delete account: Permanently delete all data within 30 days

10.3 Integration Management

  • Integration dashboard: View all connected services
  • One-click disconnect: Revoke access instantly
  • Activity logs: See integration actions

11. Employee Security & Training

Ensuring Hubalot employees uphold the highest security standards.

11.1 Employee Access Controls

  • Principle of Least Privilege: Minimum access necessary
  • Just-in-Time access: Time-limited production access
  • Role-based access: Engineering, support, security, executives
  • Break-glass procedures: Emergency access (fully logged)

11.2 Employee Security Training

  • Onboarding training: Security fundamentals, data protection, secure coding
  • Ongoing training: Quarterly security updates, annual refresher
  • Phishing simulations: Regular testing

12. Business Continuity & Disaster Recovery

Ensuring Hubalot remains available and secure even during disruptions.

12.1 High Availability Architecture

  • Multi-region deployment: Primary and secondary regions
  • Load balancing: Traffic distributed across servers
  • Auto-scaling: Automatic capacity adjustment
  • Database redundancy: Primary-replica with automatic failover
  • 99.9% uptime SLA for Pro and Elite plans

12.2 Backup & Recovery

Backup schedule:

  • Database backups: Continuous + daily full backups
  • File storage backups: Daily incremental, weekly full
  • Backup retention: 30 days (active), 90 days (deleted accounts)
  • Recovery Time Objective (RTO): < 4 hours
  • Recovery Point Objective (RPO): < 1 hour

13. Security Roadmap & Continuous Improvement

Hubalot's commitment to evolving security practices.

13.1 Current Security Initiatives

  • SOC 2 Type II certification: In progress
  • Zero Trust Architecture: Phase 1 complete
  • Enhanced anomaly detection: ML models in development
  • Bug bounty program: Private program active

13.2 Future Security Enhancements

  • Q3 2025: WebAuthn/FIDO2 support, advanced threat protection
  • Q4 2025: ISO 27001 certification, E2EE for sensitive files
  • 2026: HIPAA compliance, AI-powered security

14. Security Transparency & Reporting

Openness about our security practices and incidents.

14.1 Security Documentation

Available at hubalot.com/security:

  • Security Overview (this document)
  • Privacy Policy
  • Terms of Service
  • Compliance certifications
  • Security whitepaper

14.2 Transparency Report

Annual disclosure published at hubalot.com/transparency: Government requests, security incidents, account security metrics, takedown requests.

14.3 Status & Incident Communication

Real-time updates at status.hubalot.com: System status, component health, incident history, scheduled maintenance.

15. Contact & Support

Reach Hubalot's security team for questions, concerns, or reports.

15.1 Security Team Contact

For security-related inquiries:

Email: security@hubalot.com
PGP Key: Available at hubalot.com/security/pgp
Response time: 24 hours for acknowledgment, 72 hours for initial assessment

15.2 Vulnerability Reporting

Responsible disclosure process:

  1. Report via security@hubalot.com (use PGP for sensitive information)
  2. Acknowledgment within 24 hours
  3. Assessment within 72 hours
  4. Remediation (timeline depends on severity)
  5. Coordinated disclosure after 90 days
  6. Recognition and/or bug bounty reward

What to include:

  • Description of the vulnerability
  • Steps to reproduce
  • Proof of concept
  • Potential impact
  • Suggested remediation (optional)

15.3 Other Security Contacts

Privacy inquiries: privacy@hubalot.com
Data Protection Officer: dpo@hubalot.com
Legal notices: legal@hubalot.com
General support: support@hubalot.com

Mailing address:
Hubalot, Inc.
Attn: Security Team
30 N Gould St Ste N
Sheridan, WY 82801
United States

16. Security Summary Table

Security Layer | Key Protections | Compliance
Encryption | AES-256 at rest, TLS 1.3+ in transit, field-level encryption | GDPR, CCPA, SOC 2
Access Control | Row-Level Security, RBAC, MFA, session management | GDPR, CCPA, SOC 2
Authentication | NextAuth, bcrypt/Argon2, MFA, password policies | SOC 2, NIST
File Security | Private buckets, signed URLs, virus scanning | GDPR, CCPA
Integrations | OAuth 2.0 only, scope minimization, user consent | Google API Policy
Search Privacy | Sanitized embeddings, encrypted originals, no AI training | GDPR, CCPA
Application Security | OWASP Top 10 mitigation, SAST/DAST, dependency scanning | SOC 2, OWASP
Infrastructure | VPC, firewalls, IDS/IPS, DDoS protection, WAF | SOC 2
Monitoring | 24/7 SIEM, anomaly detection, audit logs | SOC 2, GDPR
Incident Response | Documented procedures, 24/7 on-call, breach notification | GDPR, CCPA

17. Security Commitment Statement

Hubalot's promise to our users:

  • Security is foundational — Not an afterthought, but built into every decision
  • Your data is yours — We protect it as our highest priority
  • Transparency always — Clear communication about practices and incidents
  • Continuous improvement — Security is never "done"—we're always evolving
  • User empowerment — You have control over your data and privacy
  • Compliance first — We meet or exceed all applicable regulations
  • Rapid response — Fast action and clear communication during incidents
  • Community collaboration — We value responsible disclosure

Security is not a feature at Hubalot—it's our foundation.

18. Acknowledgments

Hubalot's security is strengthened by:

  • Security researchers who responsibly disclose vulnerabilities
  • Industry standards bodies (OWASP, NIST, CIS) for best practice guidance
  • Regulatory authorities (GDPR, CCPA) for privacy frameworks
  • Third-party auditors who validate our controls
  • Our users who trust us with their data and hold us accountable

Thank you for choosing Hubalot. We take your trust seriously.

Questions or concerns?

Email: security@hubalot.com

Hubalot, Inc. — One Command Center. Every AI. One Memory. Secured by Design.