1. Our Security Commitment
At Hardaway Labs LLC, security is foundational to everything we build. We understand that our users trust us with sensitive health, nutrition, and financial data, and we take that responsibility seriously. This policy outlines the technical and organizational measures we employ to protect your information across all HealthyOne products.
2. Data Encryption
In Transit
All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS). We enforce HTTPS-only connections and send HSTS (Strict-Transport-Security) headers so that browsers refuse plaintext HTTP to our domains, which defeats SSL-stripping downgrade attacks.
At Rest
Sensitive data stored in our databases is encrypted at rest. Financial credentials, including bank connection tokens, are encrypted using AES-256 encryption with securely managed keys that are never stored alongside the encrypted data.
Key Management
Encryption keys are stored separately from encrypted data and managed through environment-level secrets. Keys are rotated periodically and are never committed to source code repositories.
3. Authentication & Access Control
We implement multi-layered authentication and access controls to protect user accounts:
- Password Security: User passwords are hashed using bcrypt with an appropriate cost factor; bcrypt generates a unique random salt for every hash. We never store plaintext passwords.
- Session Management: Sessions are managed through cookies set with the Secure and HttpOnly attributes, with automatic refresh and expiration policies.
- Row-Level Security (RLS): Database access is enforced at the row level, ensuring users can only access their own data. Every database query is scoped to the authenticated user.
- API Authentication: All API endpoints require valid authentication tokens. Server-side routes verify user identity before processing any request.
- Principle of Least Privilege: Internal systems and services operate with the minimum permissions necessary to function.
4. Infrastructure Security
Our infrastructure is hosted on industry-leading cloud platforms with robust security measures:
- Hosting: Application servers are hosted on Vercel with automatic TLS certificate management and DDoS protection.
- Database: User data is stored in Supabase (powered by PostgreSQL) with built-in encryption, automated backups, and network isolation.
- Environment Isolation: Development, staging, and production environments are fully isolated. Test data never mixes with production data.
- Automated Backups: Database backups are performed automatically on a daily basis with point-in-time recovery capabilities.
5. Financial Data Protection
For HealthyOne Finances, we implement additional security measures for financial data:
- Plaid Integration: We use Plaid, a trusted financial data aggregator, to securely connect to bank accounts. We never see, store, or have access to your bank login credentials.
- Token Encryption: Plaid access tokens are encrypted with AES-256 before storage and decrypted only on the server side when needed for authorized API calls.
- Server-Side Only: All financial API interactions occur exclusively on the server. Plaid API secrets and access tokens are never exposed to the client/browser.
- Read-Only Access: Our bank connections are read-only. We can view account balances and transactions but cannot initiate transfers, payments, or any financial transactions on your behalf.
- Webhook Verification: Incoming webhooks from financial services are verified for authenticity before processing.
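The webhook check described above, as an added example that is not HealthyOne's code: a signed-webhook verifier in the shared-secret HMAC style used by many webhook providers. Plaid's own scheme differs (it carries a JWT in a Plaid-Verification header and publishes verification keys through its API), so the header format here (t=<unix seconds>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">), the secret, and the sample payload are all constructed assumptions made so the example runs offline. The security points it shows are the ones that apply regardless of provider: sign the raw body bytes rather than re-serialized JSON, reject stale timestamps to limit replay, and compare signatures in constant time.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Maximum clock skew / replay window accepted for a webhook (assumption).
const TOLERANCE_SECONDS = 300;

// HMAC-SHA256 over "<timestamp>.<raw body bytes>". Binding the timestamp into
// the MAC means an attacker cannot reuse an old valid signature with a new timestamp.
function sign(secret: string, timestamp: number, rawBody: Buffer): string {
  return createHmac("sha256", secret).update(`${timestamp}.`).update(rawBody).digest("hex");
}

// What the sending service would put in the signature header. Used here only
// to construct sample input for the verifier below.
function buildSignatureHeader(secret: string, timestamp: number, rawBody: Buffer): string {
  return `t=${timestamp},v1=${sign(secret, timestamp, rawBody)}`;
}

type Verdict = { ok: boolean; reason?: string };

// Verify before parsing: rawBody must be the exact bytes received, not JSON
// that was decoded and re-encoded, or the MAC will not match.
function verifyWebhook(secret: string, header: string | undefined, rawBody: Buffer, now: number): Verdict {
  if (!header) return { ok: false, reason: "missing signature header" };

  const fields = new Map(header.split(",").map((kv) => kv.split("=", 2) as [string, string]));
  const t = Number(fields.get("t"));
  const v1 = fields.get("v1");
  if (!Number.isInteger(t) || !v1) return { ok: false, reason: "malformed header" };

  if (Math.abs(now - t) > TOLERANCE_SECONDS) return { ok: false, reason: "timestamp outside tolerance" };

  const expected = Buffer.from(sign(secret, t, rawBody), "hex");
  const given = Buffer.from(v1, "hex");
  // timingSafeEqual throws on unequal lengths, so check length first. A plain
  // string === would stop at the first differing byte and leak timing information.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  return { ok: true };
}

// Constructed sample: a fake shared secret and a transactions-style payload.
const DEMO_SECRET = "constructed-demo-webhook-secret";
const DEMO_NOW = 1_700_000_000;
const DEMO_BODY = Buffer.from(JSON.stringify({ webhook_type: "TRANSACTIONS", item_id: "demo-item", new_transactions: 3 }));
const DEMO_HEADER = buildSignatureHeader(DEMO_SECRET, DEMO_NOW - 10, DEMO_BODY);

// Runs the verifier across the cases a practitioner should test: genuine,
// tampered body, replayed (stale) timestamp, wrong secret, and missing header.
function demo(): Record<string, Verdict> {
  const tampered = Buffer.from(DEMO_BODY.toString("utf8").replace('"new_transactions":3', '"new_transactions":300'));
  return {
    genuine: verifyWebhook(DEMO_SECRET, DEMO_HEADER, DEMO_BODY, DEMO_NOW),
    tamperedBody: verifyWebhook(DEMO_SECRET, DEMO_HEADER, tampered, DEMO_NOW),
    replayed: verifyWebhook(DEMO_SECRET, buildSignatureHeader(DEMO_SECRET, DEMO_NOW - 3600, DEMO_BODY), DEMO_BODY, DEMO_NOW),
    wrongSecret: verifyWebhook("some-other-secret", DEMO_HEADER, DEMO_BODY, DEMO_NOW),
    missingHeader: verifyWebhook(DEMO_SECRET, undefined, DEMO_BODY, DEMO_NOW),
  };
}
```

In a real handler the JSON is parsed only after verifyWebhook returns ok, and the rejection reason is logged server-side but not echoed to the caller.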
Important
HealthyOne Finances operates in read-only mode. We can never move money, initiate transactions, or make changes to your bank accounts. Your financial data is used solely for cash flow analysis and forecasting.
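The token encryption and key handling described in section 2 (encryption at rest, key management) and in the Token Encryption bullet of this section, as one added example that is not HealthyOne's code. The policy states AES-256 with keys kept apart from the data and rotated periodically; this example fills in the choices a practitioner would make to satisfy that: AES-256-GCM (an authenticated mode, so tampering is detected rather than silently producing garbage), a fresh random nonce per encryption, a key id stored with the ciphertext so old tokens can still be decrypted after rotation, and the key id bound into the authenticated data so a ciphertext cannot be presented under a different key version. The keyring, key ids, and sample token value are constructed assumptions; in production the key bytes would come from environment-level secrets or a KMS, never from source.

```typescript
import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";

// Hypothetical keyring: key id -> 32-byte AES-256 key. The keys here are
// constructed for the example; a real deployment loads them from secrets
// (e.g. one environment variable per key version), never from the database
// that holds the ciphertexts.
const keyring: Record<string, Buffer> = {
  v1: createHash("sha256").update("constructed-demo-key-v1").digest(),
  v2: randomBytes(32),
};
const CURRENT_KEY_ID = "v2";

// Ciphertext format (assumption): "<keyId>.<iv b64>.<tag b64>.<ciphertext b64>".
function encryptToken(plaintext: string, keyId: string = CURRENT_KEY_ID): string {
  const key = keyring[keyId];
  if (!key) throw new Error(`unknown key id ${keyId}`);
  const iv = randomBytes(12); // 96-bit GCM nonce, unique per encryption
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  // Authenticated data: the key id travels in the clear but is covered by the tag.
  cipher.setAAD(Buffer.from(keyId));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [keyId, iv.toString("base64"), tag.toString("base64"), ct.toString("base64")].join(".");
}

function decryptToken(blob: string): string {
  const parts = blob.split(".");
  if (parts.length !== 4) throw new Error("malformed ciphertext");
  const [keyId, ivB64, tagB64, ctB64] = parts;
  const key = keyring[keyId];
  if (!key) throw new Error(`unknown key id ${keyId}`);
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(ivB64, "base64"));
  decipher.setAAD(Buffer.from(keyId));
  decipher.setAuthTag(Buffer.from(tagB64, "base64"));
  // final() throws if the tag does not verify, so a modified iv, tag,
  // ciphertext or key id is rejected rather than decrypted to garbage.
  return Buffer.concat([decipher.update(Buffer.from(ctB64, "base64")), decipher.final()]).toString("utf8");
}

// Rotation: anything still under an older key id is re-encrypted with the
// current key. Run over stored rows after a new key version is deployed.
function rotateIfStale(blob: string): string {
  return blob.split(".")[0] === CURRENT_KEY_ID ? blob : encryptToken(decryptToken(blob));
}

function keyIdOf(blob: string): string {
  return blob.split(".")[0];
}

// True if the blob fails authentication (tampered or presented under the wrong key).
function isTampered(blob: string): boolean {
  try {
    decryptToken(blob);
    return false;
  } catch {
    return true;
  }
}
```

Decryption happens only in server-side code that is about to call the financial API; the key id in the clear lets a rotation job find stale rows with a simple prefix query, while the authentication tag ensures a row cannot be re-labelled with a different key version.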
6. Application Security
- Input Validation: All user inputs are validated and sanitized on both client and server sides to prevent injection attacks. The server-side check is the one relied upon, since client-side validation can be bypassed by anyone sending requests directly.
- CSRF Protection: Cross-Site Request Forgery protections are implemented on all state-changing operations.
- Content Security Policy: We use CSP headers to limit the impact of cross-site scripting (XSS) and to restrict the origins from which scripts and other resources may be loaded.
- Dependency Management: Third-party dependencies are regularly audited for known vulnerabilities and updated promptly.
- Secure Headers: All responses include security headers including X-Content-Type-Options, X-Frame-Options, and Referrer-Policy.
7. Data Retention & Deletion
We retain your data only as long as necessary to provide our services:
- Account Deletion: You may request complete deletion of your account and all associated data at any time by contacting us. We process deletion requests within 30 days.
- Transaction Data: Financial transaction data is retained for as long as your account is active and for up to 90 days after account deletion for audit purposes.
- Audit Logs: Security-relevant events are logged for monitoring and are retained for 12 months.
8. Third-Party Integrations
We carefully vet all third-party services we integrate with. Our current partners include:
- Supabase: SOC 2 Type II compliant database and authentication provider.
- Vercel: SOC 2 Type II compliant hosting platform with built-in edge security.
- Plaid: SOC 2 Type II and ISO 27001 certified financial data aggregator used by thousands of financial applications.
- Sentry: Error monitoring service. Only technical error data is shared; no personal user data is transmitted.
9. Incident Response
In the event of a security incident:
- We will investigate and contain the incident as quickly as possible.
- Affected users will be notified within 72 hours of confirmed unauthorized access to personal data.
- We will provide clear information about what happened, what data was affected, and what steps we are taking.
- We will cooperate with relevant authorities as required by law.
- Post-incident reviews are conducted to prevent recurrence.
10. Vulnerability Disclosure
We welcome responsible security research. If you discover a security vulnerability in any HealthyOne product, please report it to us at security@hardawaylabs.com. We ask that you:
- Provide sufficient detail for us to reproduce and fix the issue.
- Allow us reasonable time to address the vulnerability before public disclosure.
- Do not access or modify other users' data during your research.
We commit to acknowledging receipt of vulnerability reports within 48 hours and providing status updates as we work toward a fix.
11. Compliance & Standards
Our security practices are guided by industry standards and frameworks:
- OWASP Top 10 — we actively protect against the most common web application security risks.
- SOC 2 principles — our practices align with Service Organization Control security criteria.
- CCPA/CPRA — we comply with California consumer privacy regulations.
- We are committed to achieving formal security certifications as the company scales.
12. Contact Us
If you have questions about our security practices or want to report a security concern:
Hardaway Labs LLC
Security: security@hardawaylabs.com
General: support@healthyoneapp.com
Website: healthyoneapp.com
We respond to all security inquiries within 48 hours.