Security Policy

Last reviewed: April 18, 2026

Security is a shared responsibility. This page summarises how HARi CRM protects customer data, our infrastructure and compliance posture, and how to report a vulnerability.

1. Infrastructure & Data Protection

A practical summary for buyers conducting due diligence. For the legal language, see our Privacy Policy and Data Protection pages.

  • Data residency. Customer data is hosted in the European Union (OVH, Gravelines FR). No data leaves the EU in the course of normal operation.
  • Encryption in transit. TLS 1.3 with HSTS. All traffic to *.haricrm.com is HTTPS-only.
  • Encryption at rest. PostgreSQL runs on encrypted block storage (volume-level encryption). Backups are encrypted.
  • Multi-tenant isolation. Each tenant workspace has its own PostgreSQL database — not a shared-schema row-level-security model. See our multi-tenant architecture write-up for the reasoning.
  • Backups & recovery. Daily automated PostgreSQL backups with point-in-time recovery. Backups retained 30 days.
  • Audit log retention. Every record change is logged with actor, timestamp, and before/after values. Retained for 13 months (partitioned by month for predictable cleanup).
  • Compliance path. GDPR (EU) data subject rights (access, portability, erasure) shipped in April 2026. Alignment with the Hong Kong PDPO data protection principles is being worked on in parallel.
  • Upcoming. SSO (SAML / OIDC) and SCIM provisioning for the Enterprise tier. The scoping is published in our write-up, scoping SSO for a flat-price CRM.
  • Release transparency. Every change ships to the public changelog; security-relevant fixes are called out explicitly.
  • Incident response. Report suspected breaches to security@haricrm.com. We acknowledge within 48 hours. As your data processor, we notify affected customers without undue delay once a breach is confirmed, and in any case within 72 hours of confirmation, so that you can meet your own 72-hour supervisory-authority deadline under GDPR Art. 33.

This summary will continue to expand as the product matures. If your procurement team needs a DPA, sub-processor list, or a completed CAIQ/SIG questionnaire, email security@haricrm.com.

2. Responsible Disclosure

HARi operates a coordinated vulnerability disclosure program. We ask researchers to report vulnerabilities privately so we can fix them before public disclosure — protecting customers and giving us a fair chance to respond. In return, we commit to treating researchers fairly, keeping them informed, and crediting their work.

We do not operate a paid bug bounty program. What we offer instead: acknowledgment, credit in our security advisories, and our genuine gratitude.

3. How to Report a Vulnerability

Send your report to security@haricrm.com.

What to include

  • A clear description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions
  • The affected URL, endpoint, or feature
  • Screenshots, HTTP logs, or a proof-of-concept if helpful
  • Your preferred contact for follow-up questions

We acknowledge every report within 48 hours. We aim to triage and provide an initial response within 5 business days. We will keep you updated as we investigate and remediate.

4. Scope

In scope

  • app.haricrm.com — the live HARi CRM application
  • haricrm.com — this marketing site
  • admin.haricrm.com — admin panel (authentication required)

Out of scope

  • Social engineering of HARi staff or customers
  • Physical attacks against HARi infrastructure
  • Denial of service attacks (please don't)
  • Automated scanner reports without a proof-of-concept exploit
  • Issues that are already publicly known or disclosed
  • Vulnerabilities in third-party services we integrate with — report those directly to the relevant vendor

5. Our Commitments

When you report a vulnerability in good faith, we commit to:

  • Acknowledge your report within 48 hours
  • Keep you informed as we investigate and remediate
  • Credit you in our security advisories, unless you prefer to remain anonymous
  • Not pursue legal action against researchers who act in good faith under this policy
  • Work with you on a reasonable coordinated disclosure timeline (we aim for 90 days from initial report)

6. Legal Safe Harbor

HARi considers security research conducted under this policy to be authorized. We will not initiate legal proceedings against researchers who comply with the following conditions:

  • Make a good-faith effort to avoid privacy violations and disruption to services
  • Access only the minimum data necessary to demonstrate a vulnerability
  • Do not exfiltrate, store, modify, or delete customer data
  • Do not disrupt or degrade HARi services for other users
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to respond — we target 90 days from report date

This safe harbor applies only to research activities described in this policy and does not extend to activities that fall outside its scope.

7. Acknowledgments

We look forward to recognising security researchers who help keep HARi CRM safe. If you report a valid vulnerability and consent to being named, we will list you here. We hope to populate this section soon.

8. Contact

Security reports: security@haricrm.com

General inquiries: use the contact form on this site or email hello@haricrm.com

Machine-readable security contact information is published at https://haricrm.com/.well-known/security.txt per RFC 9116.

HARi CRM is a product of Blackdurian Limited, Hong Kong.