Security Overview

How we protect your data with enterprise-grade security measures and industry best practices.

Data Hosting Region

Primary Region: AWS Ireland (eu-west-1) - all customer data remains within the EU.

Infrastructure: AWS provides SOC 2 Type II, ISO 27001, and PCI DSS Level 1 certified infrastructure.

Compliance: GDPR compliant with data residency guarantees and no US data transfers.

Encryption in Transit/At Rest

In Transit

  • TLS 1.3 for all API communications
  • HTTPS enforced with HSTS headers
  • Certificate pinning for mobile apps
  • End-to-end encryption for WhatsApp messages

At Rest

  • AES-256 encryption for all databases
  • Encrypted file storage with AWS KMS
  • Encrypted backups with separate keys
  • Hardware security modules (HSMs)

Access Controls & Audit

Employee Access

  • Multi-factor authentication required
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews

System Access

  • VPN required for production access
  • SSH key-based authentication
  • Session recording and monitoring
  • Automated access provisioning/deprovisioning

Audit Logging

All system access, data modifications, and administrative actions are logged with tamper-proof audit trails. Logs are retained for 2 years and monitored for suspicious activity.

Backups & Disaster Recovery

Backup Strategy

  • Automated daily encrypted backups
  • 30-day retention period
  • Cross-region backup replication
  • Point-in-time recovery capability

Disaster Recovery

  • RTO: 4 hours for critical systems
  • RPO: 1 hour maximum data loss
  • Multi-AZ deployment architecture
  • Quarterly DR testing procedures

Business Continuity

Our infrastructure is designed for 99.9% uptime with automatic failover, load balancing, and redundant systems to ensure continuous service availability.

Responsible Disclosure

We welcome security researchers to help us maintain the security of HeroLink. If you discover a security vulnerability, please report it responsibly.

How to Report

Email: security@herolink.ai

Please include detailed steps to reproduce, potential impact, and any proof-of-concept code. We commit to acknowledging reports within 24 hours and providing updates every 5 business days.

Our Commitment

  • We will not pursue legal action for good faith security research
  • We will work with you to understand and resolve the issue quickly
  • We will recognize your contribution (with your permission)
  • We will keep you informed throughout the resolution process

Security Change Log

We maintain transparency about significant security updates and improvements to our platform.

Enhanced Encryption Implementation

Dec 2024

Upgraded to TLS 1.3 across all services and implemented additional encryption layers for sensitive data fields.

Multi-Factor Authentication Rollout

Nov 2024

Mandatory MFA implemented for all user accounts and administrative access to production systems.

Security Audit Completion

Oct 2024

Completed third-party security audit with no critical findings. All medium-priority recommendations implemented.