security

Trust isn't a settings page.

Hello Native AI is built so security is the default — not a compliance checkbox bolted on afterward. This page describes how we handle your data, your tenant data, and the OAuth credentials you connect.

six things, one platform
Multi-tenant isolation
Every record scoped to an organization at the database layer. Service-to-service calls require a signed shared secret. Auth tokens are short-lived and scoped to a single organization.
Encryption at rest and in transit
TLS on every public endpoint. AES-256 at rest. Field-level encryption for OAuth tokens, API keys, payment metadata, and message bodies.
OAuth token handling
Google OAuth tokens encrypted, scoped per organization, never logged. Customer can revoke at any time from the dashboard or Google's account permissions page.
Audit logs
Every administrative action, dashboard mutation, and integration call logged with actor, timestamp, and target. Exportable on demand.
Role-based access control
Owner, admin, editor, viewer roles with granular per-vertical module permissions. Per-organization invitations expire after first use.
No PHP, no plugins
Tenant sites are Next.js 16 codebases. No PHP runtime, no plugin architecture, no plugin attack surface. Patched once at the platform layer means patched everywhere.
0 cross-tenant data incidents in production
AES-256 encryption at rest, TLS in transit
72h incident notification SLA per DPA
security & compliance

What security teams ask before signing.

How is data isolated between tenants?
Every operational record on the platform is scoped to an organization at the database layer. Reads and writes that don't include the organization scope are rejected by the data-access layer. Cross-tenant reads have never happened in production, and we run automated checks on every change to keep that record.
Where do you store Google OAuth tokens?
Refresh and access tokens are stored encrypted at rest in our primary database, scoped to the connecting organization. Tokens are never written to logs or shared with third-party services. You can revoke access at any time at myaccount.google.com/permissions or from your Hello Native dashboard at /dashboard/core/integrations/google.
What's the policy on Google user data per Limited Use?
We use Google data only to provide the user-facing features the customer connected the integration for. We don't use Google data to train AI models. We don't transfer it to third parties except to provide or improve user-facing features, for security, or to comply with law. We don't allow humans to read it except with explicit consent, for security, by legal obligation, or for aggregated/anonymized analytics. Full disclosure on /privacy.
How are credentials and API keys protected?
Sensitive fields including OAuth tokens, third-party API keys, payment-processor secrets, and integration credentials are encrypted at rest. Decryption happens in-memory at the time of use; we don't expose plaintext to logs, errors, or analytics.
What's the encryption story end-to-end?
TLS in transit on every public endpoint. AES-256 at rest for the primary database. Field-level encryption for sensitive columns inside the database. Backups encrypted at rest using rotating keys.
How do you handle Personally Identifiable Information (PII) and PCI-scope data?
PII (names, emails, phones, addresses) is stored in tenant-scoped tables with field-level encryption on the most sensitive columns. We do not store payment-card numbers; payments are handled by Stripe directly via tokenized checkout, which keeps Hello Native out of PCI scope.
What's your incident response process?
If we detect or are notified of a security incident affecting customer data, we triage immediately, notify affected customers within 72 hours, and publish a remediation post-mortem. Email security@hellonative.ai (forwards to founder) to report a suspected vulnerability or incident.
Are you SOC 2 / ISO 27001 / HIPAA compliant?
We are not currently certified under SOC 2 or ISO 27001. Our security controls map to the most common SOC 2 Type 1 control families (access, encryption, monitoring, change management). We are not a Business Associate under HIPAA and the platform should not be used to process Protected Health Information.
Can I get a Data Processing Addendum (DPA)?
Yes. Email info@hellonative.ai with your organization name and we'll send our standard DPA, which incorporates Standard Contractual Clauses for international transfers.
What happens if you're acquired or shut down?
Hello Native commits to providing a 60-day data export window in any change-of-control scenario. Tenant websites are real Next.js codebases that customers can self-host independently. The shutdown clause is in our Terms (§12).
report a vulnerability

Email security@hellonative.ai. Encrypted reply, no judgment, fast triage.

We don’t currently run a public bug-bounty program but we acknowledge every report and credit researchers in our security notes (with consent).
