
Data Security

Last Updated: February 2026

Your Data Security is Our Priority

Havnwright implements industry-leading security practices to protect your renovation project data, quotes, and personal information. We're committed to transparency about how we safeguard your data.

Security Features

Encryption (Active)
  All data encrypted in transit (TLS 1.3) and at rest (AES-256)

Secure Authentication (Active)
  Industry-standard password hashing with bcrypt, secure session management

Enterprise Infrastructure (Active)
  Hosted on Vercel and Supabase with SOC 2 Type II compliance

Data Isolation (Active)
  Row-level security ensures you only access your own data

Access Controls (Active)
  Role-based permissions, audit logging, and least-privilege access

Redundant Backups (Active)
  Automated daily backups with point-in-time recovery

1. Data Protection Overview

We implement multiple layers of security to protect your data throughout its lifecycle - from the moment you enter it to when it's stored and processed.

1.1 Encryption Standards

  • In Transit: All data transmitted via TLS 1.3 (HTTPS)
  • At Rest: AES-256 encryption for stored data
  • Passwords: bcrypt hashing with salt (we never store plain text passwords)
  • API Communications: Encrypted end-to-end

1.2 Infrastructure Security

  • Hosting: Vercel (SOC 2 Type II compliant)
  • Database: Supabase (SOC 2 Type II, ISO 27001)
  • DDoS Protection: Enterprise-grade mitigation
  • Firewalls: Web Application Firewall (WAF) protection

2. Access Controls

2.1 User Data Isolation

We implement Row-Level Security (RLS) at the database level, ensuring:

  • You can only access your own projects and data
  • Other users cannot see or access your information
  • Even our team has limited access to user data
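As an added illustration (not Havnwright's own schema or code), this is what a Row-Level Security setup of the kind described above looks like on Supabase's Postgres database. The table name `projects`, its columns and the policy names are assumptions; `auth.uid()` is the Supabase helper that returns the calling user's id from the request JWT.

```sql
-- Added example, not the project's own schema: a hypothetical "projects"
-- table where each row belongs to one authenticated Supabase user.
create table if not exists projects (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null default auth.uid() references auth.users (id),
  name       text not null,
  created_at timestamptz not null default now()
);

-- RLS is off by default; until this runs, no policy below is enforced and
-- any authenticated client can read every row through the API.
alter table projects enable row level security;
-- Apply the policies to the table owner as well, not only to other roles.
alter table projects force row level security;

-- Read: a row is visible only when its owner_id matches the caller.
create policy "projects_select_own" on projects
  for select to authenticated
  using (owner_id = auth.uid());

-- Insert: a caller may only create rows that they will own.
create policy "projects_insert_own" on projects
  for insert to authenticated
  with check (owner_id = auth.uid());

-- Update: only own rows, and a row cannot be reassigned to another user
-- (USING filters the rows touched, WITH CHECK validates the new values).
create policy "projects_update_own" on projects
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Delete: own rows only.
create policy "projects_delete_own" on projects
  for delete to authenticated
  using (owner_id = auth.uid());

-- Verification from the SQL editor or psql: impersonate a user by setting
-- the JWT claims that auth.uid() reads, then query. The user id is a
-- constructed placeholder value.
set role authenticated;
select set_config(
  'request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true
);
-- Returns only rows whose owner_id equals that sub; rows of other users
-- are filtered out rather than producing an error.
select id, name from projects;
reset role;
```

Two points worth checking when reviewing a setup like this: RLS is enabled per table, so every table reachable through the API needs its own `enable row level security` plus policies, and the Supabase `service_role` key bypasses RLS entirely, so it belongs only in trusted server-side code, never in a browser or mobile client.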

2.2 Authentication

  • Secure session management with automatic timeouts
  • Protection against brute force attacks
  • Secure password requirements
  • Optional two-factor authentication (TOTP) available in account settings

2.3 Team Access

Our team follows strict access policies:

  • Principle of least privilege - only necessary access granted
  • Multi-factor authentication required for all team members
  • Access logging and regular audits
  • Background checks for team members with data access

3. Data Storage & Backups

3.1 Storage Location

  • Primary data stored in EU/UK data centers
  • Redundant storage across multiple availability zones
  • GDPR-compliant data residency

3.2 Backup & Recovery

  • Automated daily backups
  • Point-in-time recovery capability
  • Encrypted backup storage
  • Regular backup testing

4. Application Security

4.1 Secure Development

  • Security-focused code reviews
  • Dependency vulnerability scanning
  • Regular security updates and patches
  • OWASP security guidelines compliance

4.2 Input Validation

  • Server-side validation for all inputs
  • Protection against SQL injection
  • Protection against Cross-Site Scripting (XSS)
  • CSRF token protection

5. AI & Third-Party Security

5.1 AI Processing (Quote Extraction)

When you use AI features to extract quote data:

  • Documents processed in real-time, not stored by AI provider
  • Your data is NOT used to train AI models
  • AI provider (Anthropic) maintains SOC 2 compliance
  • AI processing is optional - manual entry always available

5.2 Third-Party Integrations

All third-party services we use are vetted for:

  • Security certifications (SOC 2, ISO 27001)
  • GDPR compliance
  • Data Processing Agreements
  • Regular security reviews

6. Your Security Responsibilities

Help us keep your data secure:

Best Practices

  • Use a strong, unique password (12+ characters with mixed case, numbers, symbols)
  • Don't share your login credentials with anyone
  • Log out when using shared or public devices
  • Keep your email address current for security notifications
  • Report any suspicious activity immediately

7. Incident Response

7.1 Our Commitment

In the event of a security incident, we will:

  • Investigate and contain the incident immediately
  • Notify affected users within 72 hours (as required by GDPR)
  • Report to the ICO if required by law
  • Provide guidance on protective steps you should take
  • Implement measures to prevent recurrence

7.2 Reporting Security Issues

If you discover a security vulnerability:

  • Email: security@havnwright.com
  • Please provide detailed information about the issue
  • Do not exploit or publicize the vulnerability
  • We appreciate responsible disclosure

8. Compliance & Certifications

8.1 Regulatory Compliance

  • UK GDPR (UK General Data Protection Regulation)
  • Data Protection Act 2018
  • PECR (Privacy and Electronic Communications Regulations)

8.2 Infrastructure Certifications

  • Supabase: SOC 2 Type II, ISO 27001, HIPAA
  • Vercel: SOC 2 Type II, ISO 27001
  • Anthropic: SOC 2, responsible AI practices

9. Contact

For security-related inquiries:

  • Security Issues: security@havnwright.com
  • Privacy Concerns: privacy@havnwright.com
  • General: info@havnwright.com

Our Security Commitment

We continuously invest in security infrastructure, practices, and training. Your trust is essential to our business, and we're committed to earning it through transparent, robust data protection.

© 2026 Havnwright LTD. All rights reserved.