
Security at HDGELabs

Our customers are Indian SMBs handling their own customers' conversations and call recordings. Six guardrails govern how we hold that data.

Encryption in transit & at rest

All traffic is HTTPS/TLS 1.3. Databases (Neon for HDGEbot, Supabase for HDGEcalls) encrypt data at rest with AES-256. Call recordings in Supabase Storage are encrypted at rest and signed-URL gated.

Tenant isolation

The platform is multi-tenant. Every row is gated by a tenant_id (HDGEbot) or by a Supabase RLS policy keyed to the authenticated company_id (HDGEcalls). One tenant can never see another's data.

Authentication

HDGEbot: bcrypt-hashed passwords, Google OAuth, JWT sessions. HDGEcalls: Supabase Auth (email/password, magic link). Per-team API keys for B2B integrations with per-key revocation.

Production access

SSH access to the production droplet is restricted to a small number of key pairs held by named individuals. All deploys go through GitHub Actions with required reviews; no direct production edits.

Backups

HDGEbot uses Neon's point-in-time recovery (last 7 days). HDGEcalls uses Supabase's daily snapshots (last 7 days, longer on paid Supabase tiers).

Billing security

All payments are processed by Polar.sh. We never see card details. Webhooks are signed with HMAC and verified on receipt.
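As an added illustration (not HDGELabs' or Polar.sh's code), this is the shape of an HMAC webhook check on receipt: the header names, the timestamp-plus-body signing scheme, the skew window and the secret are assumptions chosen for the example, not Polar.sh's documented format.

```python
import hmac
import hashlib
import time
from typing import Optional

# Constructed example: header names, signing scheme and skew window are
# assumptions for illustration, not Polar.sh's documented format.
MAX_SKEW_SECONDS = 300


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    # Sign the timestamp together with the raw body so a captured signature
    # cannot be replayed later or attached to a different payload.
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now: Optional[int] = None) -> bool:
    """Return True only for a fresh delivery whose signature matches the raw body."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Webhook-Timestamp"])
    except (KeyError, ValueError):
        return False
    sig = headers.get("X-Webhook-Signature", "")
    # Reject stale or future-dated deliveries before doing any crypto.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, ts, body)
    # compare_digest does not short-circuit on the first differing byte,
    # so the comparison time does not leak how much of the MAC was correct.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Constructed sample delivery.
    secret = b"constructed-secret"
    body = b'{"type":"order.created","id":"ord_1"}'
    ts = 1_700_000_000
    headers = {"X-Webhook-Timestamp": str(ts),
               "X-Webhook-Signature": sign(secret, ts, body)}
    print(verify(secret, headers, body, now=ts + 10))        # True
    print(verify(secret, headers, body + b" ", now=ts + 10))  # False: body altered
```

Verify against the raw request bytes, not a re-serialised JSON object, since any whitespace or key-order change breaks the MAC.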

Reporting a vulnerability

Found something? Please email security@hdgelabs.com with reproduction steps. We acknowledge within 48 hours and patch critical issues within 7 days. We do not currently run a paid bounty programme, but we credit reporters in our changelog with consent.

Last reviewed: June 2026