Security is built into Harborne AI from the ground up. This page summarises our technical and organisational measures. It complements our Privacy Policy and Data Processing Agreement.
1. Where your data is stored
Customer data is hosted with our managed cloud database and storage provider in the United Kingdom / European Union region. Where any processing happens outside the UK/EU (for example a third-party AI provider), we rely on UK adequacy regulations, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as described in our Privacy Policy.
2. Encryption at rest
Data stored in our database, file storage and backups is encrypted at rest by our infrastructure providers using AES-256 (or stronger). Encryption keys are managed by those providers and rotated in line with their key-management practices.
On top of that, the most sensitive secrets - the access tokens for any third-party services you connect (such as your messaging channels and calendar) - are additionally encrypted by the application with AES-256-GCM before they are written to the database, so they are never stored in readable form.
3. Encryption in transit
All connections to the Service are encrypted with TLS 1.2 or higher - the web app, the APIs, the real-time voice WebSocket and every call to our providers. We enforce HTTPS with HSTS, and modern security response headers (no MIME sniffing, clickjacking protection, strict referrer policy).
4. Personal data & data minimisation
Because Harborne AIis a receptionist/CRM, some personal data is intentionally identifiable - your customers’ names, emails, phone numbers, and the calls, messages and transcripts they exchange with your AI. We hold this on your behalf, under a lawful basis you control, so your AI can do its job. We minimise everything else: we don’t sell data, we keep only what the Service needs, operational logs are short-lived, and we don’t use your or your customers’ content to train third-party AI models. Sensitive special-category data should not be sent through the Service unless separately agreed (see the DPA).
5. Access controls
- Tenant isolation:every account’s data is protected by row-level security so users can only ever access their own data.
- Authentication: accounts are protected by secure sign-in, with optional two-factor authentication (2FA) using an authenticator app - we prompt you to enable it and you can turn it on at any time from your account settings. Administrative/back-end access uses least-privilege, server-side credentials that are never exposed to the browser.
- Audit logging:security-sensitive actions on your account (such as data exports, password and 2FA changes, deletion requests and new integrations) are recorded to a tamper-resistant audit trail, which you can review under Settings → Security.
- Abuse protection: public endpoints are rate-limited and inbound webhooks are signature-verified, so the Service is protected against floods and forged requests.
- Personnel: only a small number of authorised staff can access production systems, on a need-to-know basis, and provider access is logged.
6. Data retention
We don’t keep data forever. Records are automatically deleted once they pass their retention period:
- Conversations, recordings & transcripts: up to 24 months after creation, or until you or your customer asks us to delete them.
- Account & billing records: the life of your account, then up to 7 years for tax and accounting records.
- Operational logs: up to 90 days.
You or your customers can request earlier deletion at any time - see your Privacy Policy rights. You can also export a copy of your data and request account deletion yourself, directly from Settings → Privacy & data, without having to email us.
7. Service reliability
Production runs over HTTPS behind a managed reverse proxy. We monitor a health endpoint with external uptime checks, capture application errors with alerting on spikes, and watch our scheduled jobs with a heartbeat so a stalled scheduler is detected quickly. Our backup and disaster-recovery process is documented and covers point-in-time database recovery.
8. Breach response
We maintain a written incident-response process. If we become aware of a personal data breach, we will: contain and investigate it; assess the risk to individuals; and, where required, notify the ICO within 72 hours of becoming aware, and inform affected customers and individuals without undue delay. As our processor obligations require, we will give you the information you need to meet your own notification duties. Report a suspected issue to privacy@harborne.ai.
9. Subprocessors & third-party providers
We use vetted subprocessors to deliver the Service, each under a data processing agreement with appropriate safeguards. We do not permit AI providers to train their general models on your content.
| Provider | Purpose |
|---|---|
| Supabase | Database, authentication and file storage (encrypted at rest) |
| Twilio | Phone numbers, calls and SMS |
| OpenAI | Language model that powers the AI’s replies |
| Deepgram | Speech-to-text and standard voice synthesis |
| Cartesia | Advanced voice synthesis |
| ElevenLabs | Premium voice synthesis |
| Mailgun | Transactional and campaign email delivery |
| Stripe | Subscription billing and payments (PCI DSS compliant) |
We carry out due diligence on our providers and review their security posture and certifications (such as SOC 2 / ISO 27001) where available. For our current subprocessor list or copies of relevant documentation, contact dpo@harborne.ai.
Contact
Security questions or to report a vulnerability: privacy@harborne.ai.