Hubalot

Hubalot Security Overview

📧 Email: security@hubalot.com

Our Security Philosophy

At Hubalot, security is not a feature — it's the foundation. Every architectural decision is made with data protection, privacy compliance, and user control at its core.

We follow "Secure by Default" and Principle of Least Privilege approaches, ensuring that only the minimum necessary access is ever granted.

Security Layers

1. Data Encryption

  • At Rest: All sensitive data — including files, chat history, and user profiles — is encrypted using AES-256.
  • In Transit: All communication between your browser, our servers, and third-party APIs is encrypted via TLS 1.3 or higher.
  • App-Layer Encryption: Critical user files and PII are additionally encrypted before storage.

2. Access Control

  • Row-Level Security (RLS): Enforces strict per-user access at the database level — no shared or cross-user visibility.
  • Session Security: Managed via NextAuth, ensuring secure authentication and automatic token expiration.
  • Role Segmentation: Admin privileges are limited to designated server-side functions only.

3. File Security

  • Private Storage Buckets: All uploaded files are stored in a private Supabase bucket, accessible only via signed URLs.
  • Signed Access Links: File access links expire automatically, preventing unauthorized reuse.
  • No Public File Hosting: We never expose uploaded file URLs directly.

4. Third-Party Integration Security

  • OAuth-Only Connections: All integrations (Google Drive, Gmail, Dropbox, Notion) use secure OAuth flows.
  • User Consent: No data is accessed without explicit user action (e.g., selecting a specific file or email).
  • Scope Minimization: We request only the minimum API scopes needed for the requested functionality. Dropbox: account_info.read files.metadata.read files.content.read. Notion: read:content.

Gmail Restricted Scope Compliance:

  • No background syncing or mass ingestion
  • Only summaries are stored, never raw email content
  • Gemini AI is the sole processor for Gmail content

5. Search Security

  • Hybrid Search Privacy: Semantic search is powered by sanitized text columns and embeddings, never raw PII.
  • No AI Model Training: We do not allow AI providers to train on your data.
  • Encrypted Originals: The original file and chat data remain encrypted and are never used directly for search.

6. Monitoring & Response

  • Real-Time Threat Detection: Continuous monitoring for anomalies and intrusion attempts.
  • Audit Logs: Every file access, query, and integration event is logged.
  • Incident Response Plan: Established protocols for immediate action in case of a security breach.

7. Compliance & Standards

  • Regulatory Compliance: GDPR, CCPA, SOC 2 (in progress).
  • Google API Services Compliance: Fully aligned with Google's User Data Policy.
  • HIPAA Considerations: PII masking and encryption ensure readiness for handling sensitive health data if applicable.

8. Your Controls

  • Data Portability: Export your data anytime.
  • Full Deletion: Permanently delete all stored data, files, and integrations in one click.
  • Integration Revocation: Disconnect third-party accounts instantly.

Summary Table

LayerProtections
EncryptionAES-256 at rest, TLS 1.3 in transit
Access ControlRLS, session-based auth, role-based limits
File SecurityPrivate buckets, signed URLs, no public access
IntegrationsOAuth-only, scope minimization, user consent
Search PrivacySanitized embeddings, no PII exposure
MonitoringReal-time alerts, full audit logs
ComplianceGDPR, CCPA, Google API policy, SOC 2 in progress

Contact Security Team

📧 Email: security@hubalot.com