Security at HarkLoop

HarkLoop is a multi-tenant platform. Every business record is scoped by organization, and every database query the application makes is bound to the requesting organization. Storage paths are namespaced per organization so files cannot cross tenant boundaries.

User credentials are stored using modern password hashing. Sessions are signed and short-lived. We support secure account recovery flows that cannot be used to bypass tenant boundaries.

Access inside an organization is controlled through role-based access control. Every API endpoint enforces both authentication and the appropriate role permissions before any work is performed.

Data in transit is protected with TLS. Data at rest is encrypted by our infrastructure providers. File storage uses signed URLs that expire automatically so links cannot be reused indefinitely.

HarkLoop runs on managed cloud infrastructure with isolated environments for development, staging, and production. Each environment uses separate credentials, separate databases, and separate storage buckets.

We monitor application errors, performance, and security signals continuously. We have an incident response process for triaging and resolving issues, and we will notify affected customers in line with our legal obligations and contractual commitments.

We use a small set of established subprocessors for hosting, database, file storage, email, error monitoring, and analytics. Each subprocessor is bound by contractual security and confidentiality obligations.

If you believe you have found a security vulnerability in HarkLoop, please email security@harkloop.app with details. We will acknowledge your report and work with you on a fix. We do not pursue legal action against good-faith security research that respects user privacy and avoids service disruption.