FAQ: Data Security and Privacy

Common questions about how HARi CRM protects your data.

Your data is stored on secure servers with enterprise-grade infrastructure. Data residency options are available for organizations with specific geographic requirements.

Yes. All data is encrypted in transit using TLS 1.3 (the same encryption used by banks). Data at rest is also encrypted, using AES-256.

Only users in your organization with valid credentials can access your data. HARi support staff can only access your data with your explicit permission for troubleshooting purposes. We never sell, share, or use your data for advertising.

Yes. Automated backups run daily with a tiered retention schedule (recent dailies + weekly + monthly snapshots). In the event of data loss, we can restore your data to a recent backup point.

When you close your workspace from Settings → Billing, it enters a 30-day grace period. During those 30 days the workspace becomes read-only — nobody can create or modify records — but you can cancel the closure at any time from the same Billing page and pick up where you left off. After the grace period ends, every record, message, file, and user account is permanently deleted, including from backups. We plan to email an automatic data export before deletion in a future update; until then, please export your workspace yourself during the grace period (see Can I export all my data? below). See How do I close my workspace? for the full flow.

Yes, at any time, in two ways. To export a single entity (Contacts, Companies, Leads, etc.) as a CSV, open that entity’s list view and use the Import button on the toolbar — the same screen handles export. To get a complete copy of your entire workspace — including records, attachments, audit log, and email history — go to Settings → Data Privacy and click Request export. You’ll receive a download link by email within about 15 minutes. See Full workspace export for details. You always own your data and can take it with you.

Passwords are hashed using industry-standard algorithms (bcrypt). We never store passwords in plain text. Even HARi administrators cannot see user passwords.

Do you support two-factor authentication (2FA)?

2FA is on the roadmap. Today, account access is protected by bcrypt-hashed passwords, JWT access + refresh tokens, rate-limited login attempts, and per-tenant database isolation. Contact us if mandatory 2FA is a requirement for your rollout.

HARi is designed with privacy by design. You can delete individual records, export all personal data, and manage consent — the core capabilities needed for GDPR compliance. We also offer a Data Processing Agreement (DPA) for organizations that require one.

If you discover a potential security vulnerability, please contact us immediately. We take all security reports seriously and respond within 24 hours.

Yes. All uploaded files (photos, documents) are stored in a private S3-compatible bucket. They are never publicly accessible — every file request requires a valid authentication token. Files are served with strict security headers (X-Content-Type-Options: nosniff, Content-Security-Policy: default-src 'none') to prevent content injection.

Each tenant’s files are stored in a separate directory and can only be accessed by authenticated users of that tenant. Even if someone guesses a file URL, they cannot access it without a valid session.

Contact our team for detailed security documentation or to discuss specific compliance requirements for your organization.