HuddlBase
TermsPrivacySecuritySupportSign in

Security

HuddlBase Security Posture

HuddlBase protects each workspace with Clerk-backed sign-in, company-scoped Convex authorization, role-aware server checks, private operational data boundaries, and release gates that keep unapproved features closed.

Last updated: July 3, 2026

Sections
  1. Authentication And Workspace Boundary
  2. Company Isolation
  3. Secrets And Environment Controls
  4. Application Security Controls
  5. Vulnerability Reporting
  6. Trust Posture And Review Scope
  7. Customer Responsibilities

1. Authentication And Workspace Boundary

HuddlBase uses Clerk for authentication and organization context. Product data and realtime workflows are served through Convex, where every tenant-owned read and write is checked against the active company membership mirror before data is returned.

2. Company Isolation

  • Company data access is enforced by backend authorization, not by browser-only filtering.
  • The active Clerk organization claim is treated as context; HuddlBase app roles and membership status are rechecked in Convex.
  • Platform-operator authority is separate from customer company administration and is not exposed in ordinary customer navigation.
  • Cross-company, suspended, archived, non-member, and insufficient-role paths fail closed with structured denial states.

3. Secrets And Environment Controls

  • Browser code uses public client keys only; privileged keys stay server-side.
  • Privileged administrative keys are kept on the server and are never shipped to browser code or placed in public configuration.
  • Stripe card data, when paid billing is enabled, is handled by Stripe-hosted flows. HuddlBase does not collect raw card numbers in the application.
  • Secret scanning, dependency checks, environment checks, and release gates are part of HuddlBase's secure development process.

4. Application Security Controls

  • Admin, login, recovery, and setup pages are noindex.
  • Sign-in return paths are restricted to approved app routes.
  • Public sign-up, public money UI, payment actions, and customer billing self-service stay disabled unless explicitly approved for a production release.
  • Global error boundaries must avoid rendering secrets or raw internal details.
  • The health endpoint reports app and backend dependency status without exposing credentials or schema details.

5. Vulnerability Reporting

Security reports should be sent to security@huddlbase.com. HuddlBase triages suspected data exposure, unauthorized access, and service compromise as high-priority incidents.

6. Trust Posture And Review Scope

  • HuddlBase maintains release evidence, security notes, and architecture records so customer security reviews can be answered with current facts rather than marketing claims.
  • Formal certifications such as SOC 2, ISO 27001, HIPAA, and PCI are not claimed unless they are completed and documented.
  • Customer-required MFA, SSO, domain policies, retention terms, or regulated-data support can be handled through the contracting and onboarding process when the required controls are active.
  • Historical records, files, backups, and audit logs follow retention, redaction, and legal-hold controls defined by the applicable agreement and product capabilities.

7. Customer Responsibilities

  • Use strong passwords and unique accounts.
  • Remove inactive users promptly.
  • Do not upload unsupported sensitive or regulated data.
  • Report suspected account compromise, abnormal access, or data exposure immediately.