Trust Center

    Security built into every layer

    Enterprise-grade controls protecting your customer data, operations, and reputation.

    End-to-end encryption
    Strict tenant isolation
    Database-level access control
    GDPR principles

    Access Control

    Who can see what — enforced at the database layer, not just the UI.

    Row-level Access Control

    Each query is filtered by user and workspace at the database layer (row-level security, RLS), so unauthorized rows are never returned to the client.

    Full Workspace Isolation

    Each workspace's keywords, content, and analytics are isolated by design — other tenants' data isn't queryable.
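    The two controls above (row-level filtering by user and workspace, and tenant isolation enforced in the database rather than the UI) map directly onto PostgreSQL row-level security. The following is an added illustration, not HaloX's own schema or policies; the table names, the `app.user_id` session setting and the membership model are assumed.

```sql
-- Illustrative PostgreSQL RLS setup (assumed schema, not HaloX's code):
-- every row of a workspace-scoped table is visible or writable only to
-- members of that workspace, enforced in the database for every query.

CREATE TABLE workspace_members (
    workspace_id uuid NOT NULL,
    user_id      uuid NOT NULL,
    role         text NOT NULL CHECK (role IN ('admin', 'editor')),
    PRIMARY KEY (workspace_id, user_id)
);

CREATE TABLE keywords (
    id           uuid PRIMARY KEY,
    workspace_id uuid NOT NULL,
    term         text NOT NULL
);

-- The application sets the authenticated user per transaction, e.g.
--   SET LOCAL app.user_id = '<uuid from the verified session>';
-- and the policies read it back through this helper. With nothing set,
-- current_setting(..., true) yields NULL, so every check below fails closed.
CREATE FUNCTION current_app_user() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT current_setting('app.user_id', true)::uuid
$$;

-- ENABLE turns RLS on; FORCE applies it to the table owner as well.
-- The connecting role must also be neither a superuser nor BYPASSRLS,
-- otherwise the policies are silently skipped.
ALTER TABLE keywords ENABLE ROW LEVEL SECURITY;
ALTER TABLE keywords FORCE ROW LEVEL SECURITY;

-- USING filters rows on SELECT/UPDATE/DELETE; WITH CHECK validates the row
-- being written, so a caller cannot insert into, or move a row into, a
-- workspace they do not belong to.
CREATE POLICY keywords_workspace_member ON keywords
    FOR ALL
    USING (EXISTS (
        SELECT 1 FROM workspace_members m
        WHERE m.workspace_id = keywords.workspace_id
          AND m.user_id = current_app_user()))
    WITH CHECK (EXISTS (
        SELECT 1 FROM workspace_members m
        WHERE m.workspace_id = keywords.workspace_id
          AND m.user_id = current_app_user()));

-- Quick check from an application session: set the user, then query without
-- any WHERE clause; only that user's workspace rows come back.
BEGIN;
SET LOCAL app.user_id = '00000000-0000-0000-0000-000000000001';  -- sample id
SELECT id, workspace_id, term FROM keywords;
COMMIT;
```

    Because the filter lives in the policy rather than in each application query, a forgotten `WHERE workspace_id = ...` in new code still cannot leak another tenant's rows.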

    Role-based Permissions

    Admin and Editor roles follow the principle of least privilege, with authorization checks performed server-side on every request.

    Encrypted Secrets Vault

    API keys, OAuth tokens, and integration credentials are stored in an encrypted vault, never exposed to the client or application logs.

    Data Protection

    Multi-layer safeguards across storage, transport, and recovery.

    AES-256 Encryption at Rest

    All workspace data is encrypted at the storage layer using AES-256, the standard trusted by financial institutions worldwide.

    Enterprise-grade storage encryption

    TLS 1.2+ in Transit

    Every dashboard request, API call, and integration is protected by TLS 1.2 or later.

    All API and dashboard traffic

    Daily Backups + Point-in-Time Recovery

    Automated daily backups with point-in-time recovery let you roll back from accidental deletes or corruption.

    Up to 7-day recovery window

    Global DDoS Protection

    Both marketing and app domains sit behind multi-region edge mitigation against volumetric attacks.

    Multi-region edge mitigation

    AI & Privacy

    How your prompts and analytics data are handled.

    Your Data Isn't Used to Train AI

    OpenAI, Anthropic, and Google Gemini don't train models on API traffic under their default policies. Enterprise plans can add a separate No-Training agreement.

    GA4 / GSC Read-Only Access

    Analytics integrations use OAuth scopes that are read-only by design — we don't modify, sell, or share your data with third parties.

    Right to Delete

    Account deletion requests are processed within 30 days. Backups expire on the standard retention cycle thereafter.

    Compliance

    Built on certified, audited platforms — with transparency on what we provide today.

    SOC 2 Type II Cloud Platform

    HaloX runs on a SOC 2 Type II certified cloud platform with continuous independent auditing.

    PCI Level 1 Payments

    Card data never touches our servers. Payments are processed by Stripe, Paddle, and NicePay — all PCI Level 1 certified.

    GDPR Principles

    We follow GDPR principles: data minimization, access, correction, and the right to deletion.

    Certifications listed above apply to the cloud platform and payment processors we rely on. HaloX's own SOC 2 Type II audit is planned for 2026.

    Have a security or procurement question?

    Our team responds to security reviews, DPAs, and Enterprise questionnaires.