Trust
These are the load-bearing promises behind Hasb. They are enforced in the code, documented in our policies, and updated when the operating posture changes.
What we won't do

- No AI training on your data. Provider calls use no-training controls, and subprocessors are bound by data-processing terms.
- No filing to government portals. We prepare; a licensed person submits.
- No specific securities or crypto advice.
- No selling of your data, ever.
What we will do

- Personal-tier originals are deleted 24 hours after upload (the window is admin-tunable); the books keep the structured data extracted from them.
- Every number on every generated document traces to a transaction ID. No exceptions.
- Hash-chained audit log. You can verify the chain yourself.
- Tenant isolation enforced at the database layer via Row-Level Security.
- Customer-visible record of every break-glass access event by Hasb staff.
The 9 hard rules

- Every number on a generated document must trace back to posted transaction lines.
- Tenant data is isolated in the database with RLS and least-privilege roles.
- Hasb prepares government and tax documents; it never files to a government portal.
- Customer Data is not used to train AI models.
- Personal-tier uploaded originals are scheduled for deletion 24 hours after upload.
- Money is stored and calculated as integer fils, never floating point.
- Government and audit documents keep the fixed three-section structure.
- Database access uses the narrowest role that can do the job.
- Audit logs are append-only and hash-chained; past entries cannot be edited or deleted.
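The integer-fils rule above is easy to state and easy to get subtly wrong at the edges, so here is an added Python example of what it buys in practice. It is illustrative code, not Hasb's implementation: the 5% VAT rate (UAE standard rate), the round-half-up rule, the largest-remainder allocation of a discount across lines, and the sample invoice lines are all assumptions for the example.

```python
"""Money as integer fils (illustrative example, not Hasb's code).

Two things integers give you that floats do not: exact parsing of a
decimal amount, and per-line figures (discount, VAT) that add up to the
document total to the fil. Assumptions for the example: 5 % VAT expressed
as 500 basis points, round half up, largest-remainder allocation.
"""
from decimal import Decimal, InvalidOperation

FILS_PER_DIRHAM = 100


def to_fils(amount: str) -> int:
    """Parse a user-supplied decimal string exactly; reject sub-fil precision."""
    try:
        value = Decimal(amount)
    except InvalidOperation:
        raise ValueError(f"not a decimal amount: {amount!r}")
    scaled = value * FILS_PER_DIRHAM
    if scaled != scaled.to_integral_value():
        raise ValueError(f"{amount} has more than two decimal places")
    return int(scaled)


def format_fils(fils: int) -> str:
    """Render fils as a dirham string for display only; arithmetic stays in ints."""
    sign = "-" if fils < 0 else ""
    dirhams, rem = divmod(abs(fils), FILS_PER_DIRHAM)
    return f"{sign}{dirhams}.{rem:02d}"


def vat_fils(net_fils: int, rate_bp: int = 500) -> int:
    """VAT on a net amount, rate in basis points (500 = 5 %), round half up.

    Works on the magnitude so credit notes (negative nets) round symmetrically
    instead of toward minus infinity as // alone would.
    """
    magnitude = (abs(net_fils) * rate_bp + 5000) // 10000
    return -magnitude if net_fils < 0 else magnitude


def allocate(total_fils: int, weights: list) -> list:
    """Split total_fils across lines in proportion to weights.

    Largest-remainder method: floor every share, then hand the leftover fils
    one at a time to the lines with the largest fractional parts, so the
    parts always sum exactly to total_fils (ties go to the earlier line).
    """
    if total_fils < 0 or any(w < 0 for w in weights) or sum(weights) == 0:
        raise ValueError("non-negative total and weights with a positive sum required")
    wsum = sum(weights)
    shares = [total_fils * w // wsum for w in weights]
    remainders = [total_fils * w % wsum for w in weights]
    leftover = total_fils - sum(shares)  # always < len(weights)
    for i in sorted(range(len(weights)), key=lambda i: (-remainders[i], i))[:leftover]:
        shares[i] += 1
    return shares


def invoice_totals(line_amounts: list, discount_fils: int) -> dict:
    """Per-line taxable amounts and VAT for a constructed invoice, discount spread by line value."""
    nets = [to_fils(a) for a in line_amounts]
    discounts = allocate(discount_fils, nets)
    taxable = [n - d for n, d in zip(nets, discounts)]
    vat = [vat_fils(t) for t in taxable]
    return {"taxable": taxable, "vat": vat, "total": sum(taxable) + sum(vat)}


def float_pitfalls() -> dict:
    """The same figures in floats: drift on addition and a wrong half-up rounding."""
    total = 0.0
    for _ in range(10):
        total += 0.1  # accumulates to 0.9999999999999999, not 1.0
    return {
        "ten_tenths_float_is_one": total == 1.0,                       # False
        "ten_tenths_fils": sum(to_fils("0.10") for _ in range(10)),     # 100
        "round_2_675_float": round(2.675, 2),                           # 2.67: the literal is stored as 2.67499...
        "vat_on_53_50_fils": vat_fils(5350),                            # 268 fils, i.e. 2.68
    }


if __name__ == "__main__":
    # Constructed sample: three lines and a 10.00 AED discount.
    print(invoice_totals(["100.00", "200.00", "49.99"], discount_fils=1000))
    print(float_pitfalls())
```

Per-line VAT is computed here so that each line's figure is a number a reader can trace; whether a tax document rounds VAT per line or on the total is a rule the document's jurisdiction sets, not something this example decides.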
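The append-only, hash-chained audit log rule above, together with the earlier promise that you can verify the chain yourself, is the kind of claim a customer should be able to check mechanically. The following is an added Python example of such a check; it is not Hasb's code and does not describe Hasb's actual export format. It assumes one JSON object per exported line with `seq`, `prev_hash` and `hash` fields, a hash of SHA-256 over the canonical JSON of every field except `hash`, and an all-zero `prev_hash` on the first entry. The sample entries are constructed.

```python
"""Verify an append-only, hash-chained audit log (illustrative, not Hasb's code).

Assumed export format: one JSON object per line. Every entry carries
  seq        - 1-based position in the log
  prev_hash  - hash of the previous entry (all zeros for the first one)
  hash       - SHA-256 hex of the canonical JSON of every field except 'hash'
An edit to a past entry changes its hash; recomputing that hash breaks the
prev_hash link of the entry after it; removing an entry leaves a seq gap.
"""
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel prev_hash for the first entry


def canonical(body: dict) -> bytes:
    # Sorted keys, no whitespace: every verifier must serialise identically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


def append_entry(log: list, actor: str, action: str, **fields) -> dict:
    """Writer's side: link a new entry to the current head and store its hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log) + 1, "prev_hash": prev, "actor": actor, "action": action, **fields}
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(lines: list, expected_head=None) -> tuple:
    """Customer's side: walk the export and return (ok, detail).

    expected_head is a head hash obtained out of band; without it, entries
    silently dropped off the END of the log cannot be detected by the chain alone.
    """
    prev = GENESIS
    for n, line in enumerate(lines, 1):
        entry = json.loads(line)
        if entry.get("seq") != n:
            return False, f"line {n}: seq {entry.get('seq')} where {n} was expected; entry removed or reordered"
        if entry.get("prev_hash") != prev:
            return False, f"line {n}: prev_hash does not match the hash of line {n - 1}"
        if entry_hash(entry) != entry.get("hash"):
            return False, f"line {n}: stored hash does not match the recomputed hash; entry edited"
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, f"head {prev[:12]}... differs from the expected head; log truncated or forked"
    return True, f"{len(lines)} entries verified, head {prev[:12]}..."


def head_hash(lines: list) -> str:
    """Hash of the last exported entry (what an out-of-band head value would be compared to)."""
    return json.loads(lines[-1])["hash"]


def build_sample_log() -> list:
    """Constructed sample entries, not real Hasb data."""
    log = []
    append_entry(log, "user:maryam", "upload", doc="invoice-0412.pdf")
    append_entry(log, "system", "post_transaction", txn="TXN-000918", amount_fils=52500)
    append_entry(log, "staff:oncall", "break_glass_access", ticket="INC-77", scope="read")
    append_entry(log, "system", "generate_document", doc="vat-return-2026-Q1", txn="TXN-000918")
    return [json.dumps(e) for e in log]


def tamper(lines: list, index: int, rehash: bool = False, **changes) -> list:
    """Edit one exported entry, optionally recomputing its own hash as a careful attacker would."""
    entry = json.loads(lines[index])
    entry.update(changes)
    if rehash:
        entry["hash"] = entry_hash(entry)
    out = list(lines)
    out[index] = json.dumps(entry)
    return out


if __name__ == "__main__":
    lines = build_sample_log()
    head = head_hash(lines)
    print(verify_chain(lines, head))
    print(verify_chain(tamper(lines, 2, scope="write")))               # hash mismatch at line 3
    print(verify_chain(tamper(lines, 2, rehash=True, scope="write")))  # link break at line 4
    print(verify_chain(lines[:2] + lines[3:]))                        # seq gap at line 3
    print(verify_chain(lines[:3], head))                              # truncated: head mismatch
```

The last case is the caveat practitioners care about: a chain proves nothing about entries cut off its end, so a self-service verifier is only as strong as the head hash you compare against, which has to come from somewhere the exporter does not control.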
Current certifications and reviews

- TLS certificate: Sectigo commercial DV for hasb.ai and www.hasb.ai, renewed automatically through certbot.
- Security certifications: SOC 2 Type II and ISO/IEC 27001 are roadmap items, not current certifications.
- External penetration test: required before public launch; the summary and date are not yet published.
- Legal policies: Terms, Privacy, DPA, Security, Cookies, AUP, and Subprocessors are live with 13 May 2026 effective dates.
- UAE outside-counsel review bundle was generated on 14 May 2026; final lawyer and tax-agent sign-offs remain launch gates.
Contact

- Privacy and subject-rights requests: dpo@hasb.ai.
- Legal notices and policy questions: legal@hasb.ai.
- Security reports: security@hasb.ai.
- Security PGP key: security.asc (fingerprint 544C 9E13 8DE1 FFEB ACB0 882C 052B 858B B02F 0308).
- Acceptable-use abuse reports: abuse@hasb.ai.
Data residency, retention, deletion

- Customer Data is processed on Hasb production infrastructure and by listed subprocessors in UAE / EMEA, EU, UK, US, and global-edge locations; Hasb does not claim UAE-only residency.
- Personal-tier source originals are deleted 24 hours after upload; structured bookkeeping data stays in the books.
- Active books and business documents are retained while the account is active, unless deletion is requested and no statutory retention rule applies.
- Production Customer Data deletion completes within 90 days after account deletion, with encrypted backups expiring on their retention cycle up to 35 days later.
- Audit logs are retained for 7 years; billing records are retained for 10 years to satisfy UAE recordkeeping requirements.
Subprocessors

- Ollama Cloud — hosted LLM inference for Hasb AI chat replies.
- Anthropic — standby LLM inference, used only if explicitly selected.
- Google Cloud Document AI — OCR and structured-field extraction.
- DigitalOcean — compute, networking, object storage, and backups.
- Cloudflare — CDN, DDoS protection, WAF, and inbound email routing.
- Self-hosted Postfix + OpenDKIM — outbound transactional email.
- Stripe — card processing, subscription billing, and tax handling.
- Sentry — pseudonymised crash and performance telemetry, with Customer Data scrubbed before transmission.
Security posture

- Five Postgres roles, each with the least privilege its job needs. The app runtime never connects as superuser.
- /admin/* is locked behind an IP allowlist, a TOTP step-up, and a dedicated DB role.
- Continuous WAL archiving to a versioned, encrypted DigitalOcean Spaces bucket. Monthly restore drills.
- 2FA mandatory for every internal user.
- Pen-test scheduled before public launch.
Policies

- Terms of Service (sha256:708bf25a4b257dee338eaafc4f73c642fe207deec33307ba22971882487de9e0) — current public terms.
- Privacy Policy (sha256:4212c0180f80335d79e23f8fd18d5b0c7620111e8ed1b1ffa9ae4485cb98a4e6) — no training, no resale, 24-hour personal-tier source-original deletion.
- Data Processing Agreement (sha256:0d45a1d864d0fac9732a2da55cc20defe83205263d24eb95af52840515a9f5ff) — processor terms for customer-controlled data.
- Security Statement — control details and roadmap certifications.
- Subprocessors — current processor list and objection process.
- Cookie Policy and Acceptable Use Policy.