How we protect your project.

Accounts are managed by Supabase Auth. Sessions are signed JWTs stored in secure, HTTP-only cookies. Sensitive re-authentication steps up to a one-time code emailed to you when it's been more than 24 hours since your last full sign-in, and sessions sign out automatically after a period of inactivity.

Every data table enforces Postgres Row-Level Security: reads are scoped to the people on a project, by role. A family viewer can't see invoices; one subcontractor can't see another's documents unless they're explicitly shared. Writes flow through server actions that check authorization in code and record load-bearing events to an append-only audit log.

These boundaries aren't just asserted — they're verified by an automated policy-test suite that runs in our CI against a real database on every change.

Uploaded files (drawings, documents, photos, receipts) live in object storage that is never publicly reachable. Files are never served from a public URL. Every download passes through a permission check and is then handed a short-lived (5-minute) signed link — so a leaked link goes stale almost immediately.

All traffic is encrypted in transit with TLS at the edge. Your database and uploaded files are encrypted at rest by our managed infrastructure providers.

Project data lives in managed Postgres and object storage run by our infrastructure providers. We use soft-deletes throughout — records are retained and recoverable rather than destroyed on delete — and you can export a full copy of any project at any time. Automated daily database backups are enabled as we scale our hosting tier.

You can export a complete archive of any project — every record plus all of its files — at any time. Leaving the platform never means losing your history.

Service credentials follow least privilege. Our codebase is scanned for committed secrets on every change, and every change runs through typed, linted, and tested continuous integration before it ships.

We believe in being precise. nearhud is in private beta. We are notyet SOC 2 certified (it's on our roadmap), we don't run a paid bug-bounty program yet, and multi-factor authentication today is limited to the emailed step-up code described above. We'll update this page as that changes.

Found a vulnerability? Email security@nearhud.com. We welcome good-faith research and won't pursue researchers who act responsibly and give us a reasonable window to fix issues before disclosure.