Security at haih

haih is hosted on Vercel's edge network with Supabase as our database layer. All connections use TLS 1.3 encryption in transit. Data at rest is encrypted using AES-256 on Supabase's managed PostgreSQL infrastructure.

• TLS 1.3 for all client-server communication
• AES-256 encryption at rest for all database records
• Supabase Row Level Security (RLS) enforced on every table
• API keys and secrets stored in environment variables, never in code
• Database backups encrypted and retained for 30 days

Every user on haih — buyer and seller — goes through identity verification. This is the foundation of the lobby model: you know who's knocking because we've already checked.

For Sellers:

• Work email verification required (no personal email providers accepted)
• Company domain matching against known business registries
• Profile review before activation — name, title, company validated
• Verified seller badge displayed on all outbound lobby cards
• Reputation score visible to buyers before they accept a connection

For Buyers:

• Work email verification with three-layer validation (free provider block, generic prefix block, ambiguous prefix warning)
• Company association verified through email domain
• Lobby capacity limits prevent inbox flooding — max 10 sellers at a time
• Buyers control who enters; no seller can bypass the lobby gate

The lobby isn't just a product feature — it's a security architecture. Unlike open platforms where anyone can message anyone, haih enforces a permission layer between every interaction.

• Sellers cannot email, call, or message buyers directly without lobby approval
• Buyers set their own lobby capacity (5-20 max concurrent sellers)
• Auto-decline rules let buyers filter out unqualified sellers automatically
• Every lobby knock is logged with timestamp, identity, and source for audit
• Declined sellers cannot re-knock without buyer invitation

haih uses Supabase Row Level Security (RLS) to ensure users can only access their own data. This is enforced at the database level — not just the application level — meaning even if application code has a bug, the database won't return unauthorized data.

• Sellers see only their own contacts, conversations, and lobby cards
• Buyers see only their own lobby entries, needs, and messages
• Cross-user data access is impossible at the database layer
• Admin access requires service role keys stored in secure environment variables
• All API endpoints verify authentication before processing requests

Messages between buyers and sellers are protected at every step.

• All messages stored in encrypted database with RLS enforcement
• SMS communications sent through Plivo with carrier-verified numbers
• Email notifications sent through Resend with DKIM/SPF/DMARC authentication
• No message content is shared with third parties or used for advertising
• Conversation history is retained only as long as the connection is active

haih uses AI to power features like Ask Seth (live chat on seller cards), AI-drafted outreach, and the morning brief. Here's how we handle AI responsibly.

• AI models (Anthropic Claude) process data in-session only — no training on your content
• Knowledge base documents are scoped per-seller and never shared across accounts
• AI chat conversations are logged per-session with seller visibility only
• Buyer questions in Ask Seth are visible to the seller but not to other buyers
• AI-generated drafts are always reviewed by the seller before sending

haih actively prevents abuse of the communication channels.

• Bounced emails trigger automatic contact deletion — no retries to bad addresses
• Rate limiting on all API endpoints (connection requests, messages, lobby knocks)
• Idempotency checks prevent duplicate form submissions within 60 seconds
• Email validation blocks free providers, generic inboxes, and known spam addresses
• Sellers who violate acceptable use policies are suspended and their lobby cards deactivated

Your data belongs to you — not haih, and not your employer.

• Full data export available: profile, connections, lobby cards, messages, ratings (JSON + CSV)
• Engagement history downloadable as flat CSV for your own records
• Account deactivation is reversible — your profile disappears but data is preserved
• Account deletion is permanent after 30 days — all personal data destroyed
• Seller identity is portable: change companies and your reputation follows you

haih is working toward the following certifications and compliance standards.

• SOC 2 Type II — audit in progress (estimated completion Q3 2026)
• GDPR compliant — data processing addendum available for EU entities
• CCPA compliant — California consumer rights honored on request
• TCPA compliant — all SMS messages require prior express consent with logged opt-in
• CAN-SPAM compliant — all emails include unsubscribe and physical address

In the event of a security incident, haih follows a structured response protocol.

• Dedicated incident response team with on-call rotation
• Affected users notified within 72 hours of confirmed data breach
• Post-incident review published to affected parties with root cause and remediation
• All incidents logged and retained for compliance audit

For security questions, contact security@haih.ai.

For general support, contact support@haih.ai.