Security Statement
Hasb hosts your books. The trust you place in us is the entire product. This page describes the controls we operate today and the principles we follow when we add new ones. We update it as we improve.
1. Principles
- Least privilege. Every component runs with the smallest set of permissions that lets it do its job. No application process connects to the database as a superuser.
- Tenant isolation. Customer Data is segregated by Postgres Row-Level Security keyed to the authenticated workspace. Every request opens a transaction that sets the scope; queries cannot cross tenants.
- Default-deny access. No production access is granted to a staff account by default. Access is requested, time-boxed, and audit-logged.
- Tamper-evident audit. The audit log is append-only with a SHA-256 hash chain. Database triggers reject UPDATE, DELETE, and TRUNCATE on audit rows for every role.
- No-training, no-resale. Customer Data is not used to train AI models, not sold, not used for advertising — contractually with every subprocessor and operationally inside Hasb.
- Defence in depth. Edge WAF → IP allow-list on admin paths → per-request session check → step-up confirmation → DB-level RLS → audit log → backups.
2. Authentication & sessions
- Sign-in by single-use magic link delivered to a verified email address.
- Magic-link tokens are stored only as SHA-256 hashes server-side and expire in 15 minutes.
- Session cookie is HttpOnly, Secure (in production), SameSite=Lax, with a 256-bit random identifier.
- Optional TOTP (time-based one-time-password) two-factor authentication.
- Step-up confirmation required for administrative and destructive actions (e.g., delete workspace, change billing email, export all data).
- Rate-limited brute-force protection on magic-link issuance per email and per IP.
- Click-to-confirm on magic-link callbacks so email-scanner pre-fetch cannot consume the token.
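The token handling described in this section (hashed at rest, 15-minute expiry, single use, consumed only on the confirm click), as an added PostgreSQL example that is not Hasb's own code; the magic_link table, the function names and the pgcrypto dependency are assumptions:

```sql
-- Added example, not Hasb's code: single-use magic-link tokens kept only as
-- SHA-256 hashes and expiring in 15 minutes. Assumed: pgcrypto for digest()
-- and gen_random_bytes(); the raw token travels only in the emailed link.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE magic_link (
  token_hash  bytea       PRIMARY KEY,   -- sha256(raw token), never the token
  user_id     bigint      NOT NULL,
  expires_at  timestamptz NOT NULL,
  consumed_at timestamptz               -- NULL until the link is used
);

-- Issuance: 32 random bytes go to the caller (who base64url-encodes them into
-- the link); only their digest is stored. A dump of this table therefore
-- contains nothing that can be replayed.
CREATE FUNCTION issue_magic_link(p_user_id bigint) RETURNS bytea
LANGUAGE plpgsql AS $$
DECLARE v_raw bytea := gen_random_bytes(32);
BEGIN
  INSERT INTO magic_link (token_hash, user_id, expires_at)
  VALUES (digest(v_raw, 'sha256'), p_user_id, now() + interval '15 minutes');
  RETURN v_raw;
END $$;

-- Consumption: one UPDATE both checks and burns the token, so a scanner
-- pre-fetch and the user's click cannot both succeed. The click-to-confirm
-- page calls this only from the explicit confirm POST, never on the GET.
CREATE FUNCTION consume_magic_link(p_raw bytea) RETURNS bigint
LANGUAGE plpgsql AS $$
DECLARE v_user_id bigint;
BEGIN
  UPDATE magic_link
     SET consumed_at = now()
   WHERE token_hash  = digest(p_raw, 'sha256')
     AND consumed_at IS NULL
     AND expires_at  > now()
  RETURNING user_id INTO v_user_id;
  IF v_user_id IS NULL THEN
    RAISE EXCEPTION 'magic link invalid, expired or already used';
  END IF;
  RETURN v_user_id;
END $$;

-- Housekeeping: expired rows carry no secret, so they can be purged on a
-- schedule without affecting security.
DELETE FROM magic_link WHERE expires_at < now() - interval '1 day';
```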
3. Data protection
- In transit: TLS 1.2+ to the application; TLS 1.2+ where available between services; STARTTLS opportunistic on outbound mail delivery (Gmail / Outlook / Apple destinations always negotiate TLS 1.3).
- At rest: encrypted block storage on hosting provider; the object-storage bucket for source documents is encrypted server-side.
- Database: PostgreSQL 16. Five distinct roles — hasb_migrator (BYPASSRLS, used only by migrations), hasb_app (per-request RLS-scoped), hasb_worker, hasb_readonly, hasb_admin. The application runtime never connects as the superuser.
- Backups: encrypted snapshots taken on a rolling schedule; restore drills run periodically; access to backups is restricted to the on-call engineer plus the security lead.
- Money is integers in fils. All monetary values are stored as bigint in the smallest currency unit. No floating-point. No rounding drift across reports.
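Tenant isolation by Row-Level Security keyed to the workspace (Principles) together with the hasb_app / hasb_migrator role split above, as an added PostgreSQL example that is not Hasb's schema; the invoice table, the app.workspace_id setting and the UUID values are assumptions:

```sql
-- Added example, not Hasb's schema: RLS tenant isolation plus the role split.
-- Assumed: an "invoice" table and a GUC app.workspace_id set per transaction.
-- LOGIN and credential settings on the roles are omitted.
CREATE ROLE hasb_migrator BYPASSRLS;           -- migrations only; sees all tenants
CREATE ROLE hasb_app;                          -- request path; policies apply

CREATE TABLE invoice (
  id           bigserial   PRIMARY KEY,
  workspace_id uuid        NOT NULL,
  amount_fils  bigint      NOT NULL,           -- money as integers in fils
  created_at   timestamptz NOT NULL DEFAULT now()
);

-- FORCE makes the policy apply even to the table owner; only BYPASSRLS roles
-- (hasb_migrator) can read across tenants.
ALTER TABLE invoice ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoice FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL when the GUC is unset, so an
-- unscoped transaction sees and writes nothing instead of everything.
CREATE POLICY invoice_tenant_isolation ON invoice
  FOR ALL TO hasb_app
  USING      (workspace_id = current_setting('app.workspace_id', true)::uuid)
  WITH CHECK (workspace_id = current_setting('app.workspace_id', true)::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON invoice TO hasb_app;
GRANT USAGE ON SEQUENCE invoice_id_seq TO hasb_app;

-- Per request, as hasb_app. SET LOCAL is undone at COMMIT or ROLLBACK, so the
-- scope cannot leak into the next request that reuses a pooled connection.
-- (Applications pass the value as a parameter via set_config(name, value, true).)
BEGIN;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT id, amount_fils FROM invoice;           -- only this workspace's rows
COMMIT;

-- A row tagged with another workspace fails WITH CHECK and aborts the
-- transaction; the same INSERT with no scope set is rejected as well.
BEGIN;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO invoice (workspace_id, amount_fils)
  VALUES ('22222222-2222-2222-2222-222222222222', 2500);  -- rejected by WITH CHECK
ROLLBACK;
```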
4. Staff access
Hasb staff do not read Customer Data as a matter of course. Access to a tenant only happens under one of the Trust Exceptions in our Privacy Policy (clause 6). Each such access is recorded in the audit log under the responsible staff member's identity and is disclosable to you on written request.
- Mandatory hardware-token or app-based 2FA on staff identity provider.
- Background checks for staff with production access where lawful.
- Quarterly access reviews.
- SSO with conditional access for admin tooling.
- No shared production credentials.
- All shells into production hosts are session-recorded.
5. Audit log & transparency
Every administrative or data-affecting action writes a row into audit_log. The table is append-only: a BEFORE-INSERT trigger computes digest(prev_hash || content, 'sha256') so any tampering with historical rows would break the chain. UPDATE, DELETE, and TRUNCATE are rejected for every database role. You can request the audit trail for your workspace from dpo@hasb.ai.
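The append-only, hash-chained audit_log described here and under Principles, as an added PostgreSQL example that is not Hasb's own code; the column layout, the pgcrypto dependency for digest(), and the advisory lock are assumptions:

```sql
-- Added example, not Hasb's own code: append-only audit_log with a SHA-256 hash chain.
-- Assumed: pgcrypto for digest(), this column layout, and an advisory lock.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE audit_log (
  id           bigserial   PRIMARY KEY,
  workspace_id uuid        NOT NULL,
  actor        text        NOT NULL,            -- staff or user identity
  action       text        NOT NULL,
  content      jsonb       NOT NULL,            -- what changed
  created_at   timestamptz NOT NULL DEFAULT now(),
  prev_hash    bytea,                           -- NULL only for the first row
  row_hash     bytea       NOT NULL
);

-- BEFORE INSERT: link to the newest row, then hash prev_hash || content.
-- The advisory lock serialises inserts so two rows cannot claim the same predecessor.
CREATE FUNCTION audit_log_chain() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  PERFORM pg_advisory_xact_lock(hashtext('audit_log_chain'));
  SELECT row_hash INTO NEW.prev_hash FROM audit_log ORDER BY id DESC LIMIT 1;
  NEW.row_hash := digest(coalesce(NEW.prev_hash, ''::bytea)
                         || convert_to(NEW.content::text, 'UTF8'), 'sha256');
  RETURN NEW;
END $$;
CREATE TRIGGER audit_log_chain_trg BEFORE INSERT ON audit_log
  FOR EACH ROW EXECUTE FUNCTION audit_log_chain();

-- Reject every change to history. Triggers fire regardless of GRANTs, so this
-- holds for every role; only a superuser could drop the trigger, which is one
-- reason the application never connects as one.
CREATE FUNCTION audit_log_immutable() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_log is append-only: % rejected', TG_OP;
END $$;
CREATE TRIGGER audit_log_no_update_delete BEFORE UPDATE OR DELETE ON audit_log
  FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();
CREATE TRIGGER audit_log_no_truncate BEFORE TRUNCATE ON audit_log
  FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Verification: recompute every hash from its predecessor's stored row_hash.
-- The first row where intact = false is where the chain was broken.
SELECT a.id,
       a.prev_hash IS NOT DISTINCT FROM p.row_hash
       AND a.row_hash = digest(coalesce(p.row_hash, ''::bytea)
                               || convert_to(a.content::text, 'UTF8'), 'sha256') AS intact
FROM audit_log a
LEFT JOIN audit_log p ON p.id = (SELECT max(id) FROM audit_log WHERE id < a.id)
ORDER BY a.id;
```

A chain like this exposes in-place edits but not a wholesale rewrite by someone able to disable the triggers; recording the newest row_hash off-host (for example alongside each backup) closes that gap.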
6. Network & edge
- Cloudflare WAF + DDoS in front of hasb.ai; bot-fight on admin paths.
- nginx with HSTS preload, TLS 1.2/1.3, HTTP/2, OCSP stapling, strict CSP on production responses.
- Admin routes are guarded by a static IP allow-list on top of authenticated session + step-up confirmation.
- Rate-limit zones at the reverse proxy (auth = 10 req/min, API = 60 req/min) plus app-layer rate limits keyed by user and IP.
7. Email infrastructure
- Self-hosted Postfix + OpenDKIM on the same host as the application.
- DKIM signing (2048-bit RSA, mail._domainkey.hasb.ai) on every outbound message.
- SPF authorising the host IP.
- DMARC at p=quarantine with reporting to dmarc@hasb.ai; tightening to p=reject after alignment is verified.
- MTA-STS and TLS reporting published.
- Alias-only inbound mail routed through Postmark Inbound to configured human inboxes; support and DMARC alias events are audit-logged without raw sender addresses.
8. AI controls
- Prompts and Customer Data are sent to the AI subprocessor under a processor contract that prohibits training.
- System prompts forbid the model from claiming to have filed anything with a regulator; the model is instructed that Hasb prepares, the user submits.
- Document AI processing for OCR is rate-limited per workspace and operates on individual documents, not bulk exports.
9. Incident response
- Documented runbooks for confidentiality, integrity, and availability incidents.
- 72-hour notification window for personal-data breaches to affected customers and, where required, to the supervisory authority.
- Postmortems shared internally; redacted summaries shared with affected customers on request.
- Bug bounty: report security issues to security@hasb.ai. Please give us reasonable time to fix before public disclosure. We commit to acknowledging your report within 3 working days.
10. Business continuity
- Off-region encrypted backups.
- Restore drills exercised on a schedule.
- Documented RTO and RPO targets — currently RTO ≤ 4 hours, RPO ≤ 1 hour for paid tiers — improving as the platform matures.
11. What we are working on
- SOC 2 Type II audit.
- ISO/IEC 27001 certification.
- Customer-managed encryption keys for enterprise plans.
- End-to-end encryption for personal-tier source originals.
- Public bug-bounty programme.
12. Contact
Security issues: security@hasb.ai.
Data protection: dpo@hasb.ai.
Acceptable-use abuse: abuse@hasb.ai.
© 2026 Hasb. Effective 13 May 2026.