Security
HuddlBase Security Posture
HuddlBase protects each workspace with Clerk-backed sign-in, company-scoped Convex authorization, role-aware server checks, private operational data boundaries, and release gates that keep unapproved features closed.
Last updated: July 3, 2026
1. Authentication And Workspace Boundary
HuddlBase uses Clerk for authentication and organization context. Product data and realtime workflows are served through Convex, where every tenant-owned read and write is checked against the active company membership mirror before data is returned.
2. Company Isolation
- Company data access is enforced by backend authorization, not by browser-only filtering.
- The active Clerk organization claim is treated as context; HuddlBase app roles and membership status are rechecked in Convex.
- Platform-operator authority is separate from customer company administration and is not exposed in ordinary customer navigation.
- Cross-company, suspended, archived, non-member, and insufficient-role paths fail closed with structured denial states.
3. Secrets And Environment Controls
- Browser code uses public client keys only; privileged keys stay server-side.
- Privileged administrative keys are kept on the server and are never shipped to browser code or placed in public configuration.
- Stripe card data, when paid billing is enabled, is handled by Stripe-hosted flows. HuddlBase does not collect raw card numbers in the application.
- Secret scanning, dependency checks, environment checks, and release gates are part of HuddlBase's secure development process.
4. Application Security Controls
- Admin, login, recovery, and setup pages are noindex.
- Sign-in return paths are restricted to approved app routes.
- Public sign-up, public money UI, payment actions, and customer billing self-service stay disabled unless explicitly approved for a production release.
- Global error boundaries must avoid rendering secrets or raw internal details.
- The health endpoint reports app and backend dependency status without exposing credentials or schema details.
5. Vulnerability Reporting
Security reports should be sent to security@huddlbase.com. HuddlBase triages suspected data exposure, unauthorized access, and service compromise as high-priority incidents.
6. Trust Posture And Review Scope
- HuddlBase maintains release evidence, security notes, and architecture records so customer security reviews can be answered with current facts rather than marketing claims.
- Formal certifications such as SOC 2, ISO 27001, HIPAA, and PCI are not claimed unless they are completed and documented.
- Customer-required MFA, SSO, domain policies, retention terms, or regulated-data support can be handled through the contracting and onboarding process when the required controls are active.
- Historical records, files, backups, and audit logs follow retention, redaction, and legal-hold controls defined by the applicable agreement and product capabilities.
7. Customer Responsibilities
- Use strong passwords and unique accounts.
- Remove inactive users promptly.
- Do not upload unsupported sensitive or regulated data.
- Report suspected account compromise, abnormal access, or data exposure immediately.