Security & Compliance at Hven
B2B-only visitor identification, encrypted at rest and in transit, hosted exclusively in the EU and UK. Built to satisfy your security review on the first pass.
GDPR compliance
We process visitor identification data on the lawful basis of legitimate interest in B2B contact, in line with the GDPR's Recital 47.
- Lawful basis: legitimate interest for B2B contact data (Article 6(1)(f) GDPR).
- Data subject rights: access, rectification, erasure, portability, and objection — all responded to within 30 days.
- Data Processing Agreement (DPA): available on request from dpo@hven.io.
- Records of processing: we maintain a Record of Processing Activities (ROPA) per Article 30.
- DPO contact: dpo@hven.io for any data-protection enquiry.
- Supervisory authority: UK ICO (Information Commissioner's Office) is our lead authority for the UK.
Data protection
Defence in depth at every layer — transport, storage, and access.
All traffic between visitors, the dashboard, and our backend is forced over TLS 1.3. We disable TLS 1.0 and 1.1 entirely; HSTS is set to 1 year with preload.
All databases use AES-256 envelope encryption. Per-tenant data is logically isolated at the collection level so cross-tenant reads are impossible by design.
Backups are encrypted with separate keys and stored offsite in a different EU region. Daily backups are retained for 30 days; weekly backups for 1 year.
The database is reachable only via a private VPC, with no public internet access. All admin operations go through bastion hosts with auditable session recording.
Data location
All visitor and account data lives in the European Union and United Kingdom. We do not transfer customer data outside the EU/UK at any point in the pipeline.
- Primary region: AWS eu-west-1 (Dublin, Ireland)
- Backup region: AWS eu-west-2 (London, United Kingdom)
- CDN edge: Cloudflare with EU-only data localisation enabled
- No US transfers: the only outbound data flows are to GDPR-compliant sub-processors operating in EU/UK regions or under an adequacy decision.
Access controls
Who can do what, and how we prove it after the fact.
TOTP-based two-factor authentication is available on every account and required for owners on Growth+ plans.
Sessions are signed JSON Web Tokens with short lifespans and rotation on privilege change. Tokens are stored in browser localStorage and revocable from the dashboard.
Owner / Admin / Member roles with feature-level gating. Platform admin access is segregated from tenant accounts and requires a separate identity.
All sensitive actions — sign-ins, plan changes, data exports, integration token issuance — are written to an append-only audit log retained for 12 months.
Tracking ethics
We're a B2B visitor intelligence product. Our tracker is built so that, even if it ran on a consumer site, it wouldn't identify individual people.
- Business visitors only. We resolve IP addresses to corporate networks via Apollo; residential and mobile-carrier IPs are dropped at ingest.
- No personal device fingerprinting. No canvas, audio, or font fingerprints. No third-party cookies. The tracker uses a single first-party identifier scoped to your domain.
- No cross-site tracking. We never join visitor records across customer domains. Each tenant's data is its own walled garden.
- ePrivacy directive compliant. Because identification uses IP-to-company lookup rather than cookies, the tracker doesn't require the pre-consent cookie banner under ePrivacy / PECR.
- Honours Do Not Track. Visitors sending the `DNT: 1` header are silently dropped at ingest.
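The two ingest-time drops described in this list (Do Not Track, and non-business IPs), written out as an added example that is not Hven's tracker code. It assumes Node.js, and the CIDR table stands in for the IP-to-company lookup the page attributes to Apollo: every range, category and company name in it is constructed for the demo, and dropping IPs that resolve to nothing is an added assumption rather than something the page states.

```javascript
// Added example (not Hven's tracker code): the ingest gate for tracker hits.
// It honours DNT and keeps only hits whose source IP resolves to a corporate
// network. IP_TABLE is a constructed stand-in for the IP-to-company lookup.
const IP_TABLE = [
  // [CIDR, category, company] -- all values constructed for the demo
  ["203.0.113.0/24", "corporate", "Example Corp"],
  ["198.51.100.0/24", "residential", null],
  ["192.0.2.0/24", "mobile-carrier", null],
];

// Dotted-quad IPv4 to an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True when `ip` falls inside `cidr` (IPv4 only).
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(base);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Stand-in for the corporate-network lookup. Returns { category, company }.
function classifyIp(ip) {
  for (const [cidr, category, company] of IP_TABLE) {
    if (inCidr(ip, cidr)) return { category, company };
  }
  return { category: "unknown", company: null };
}

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return String(v).trim();
  }
  return undefined;
}

// Decide whether a hit { ip, headers } is kept. Returns { accept, reason, company }.
function ingestDecision(hit, lookup = classifyIp) {
  // 1. Honour Do Not Track: only the exact value "1" is an opt-out.
  if (getHeader(hit.headers, "DNT") === "1") {
    return { accept: false, reason: "dnt", company: null };
  }
  // 2. Business visitors only: residential, mobile-carrier and (assumed)
  //    unresolved IPs are dropped before anything is stored.
  const { category, company } = lookup(hit.ip);
  if (category !== "corporate") {
    return { accept: false, reason: `ip:${category}`, company: null };
  }
  return { accept: true, reason: null, company };
}
```

The DNT check runs before the IP lookup so an opted-out visitor's address is never sent to the resolver; a dropped hit returns a reason so the drop rate per category can be monitored without retaining the hit itself.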
Apollo data & outreach contacts
When you use the Hot Visitor Outreach feature, we look up decision-maker contact data via Apollo.io. Here's exactly what that means.
- Public B2B contact data only. Apollo's contact database is sourced from public business profiles — LinkedIn-style professional information, not personal data.
- Apollo is a GDPR-compliant data processor. They publish a DPA and operate under the GDPR's legitimate-interest basis for B2B sales prospecting.
- No personal email addresses. We surface work email addresses for contacts in their professional capacity. Personal-domain emails (gmail, hotmail) are filtered out at the API layer.
- Decision-makers only. Outreach only enriches contacts with Director-level or higher seniority titles, and only for the company that hit your site.
- Right to opt out. Contacts who email dpo@hven.io with a removal request are added to a global opt-out list within 24 hours.
Certifications & roadmap
What we have, and what we're working towards.
Current certification. Annual renewal. Verified by an NCSC-accredited assessor.
Audit in progress; expected completion Q3 2026. Continuous controls monitoring already in place via Drata.
Planned for 2026. ISMS scope already drafted to cover the production environment.
Compliant since launch. ICO-registered data controller. DPA available on request.
Vulnerability reporting
Found a security issue? Tell us privately so we can fix it.
- Email: security@hven.io
- PGP key: www.hven.io/.well-known/pgp-key.txt (fingerprint published; encrypted submissions welcomed)
- Response SLA: we acknowledge within 24 hours and provide a fix ETA within 5 business days for valid reports.
- Bug bounty: coming soon — sign up to be notified at security@hven.io.
- Safe harbour: good-faith research conducted under our disclosure policy will not result in legal action.
Sub-processors
The third-party services that help us deliver Hven, and what each one handles. Each operates under its own DPA and GDPR-compliant terms.
| Sub-processor | Role | Region |
|---|---|---|
| AWS | Hosting & infrastructure | eu-west-1, eu-west-2 |
| MongoDB Atlas | Primary database | EU (Ireland) |
| Cloudflare | CDN & WAF | EU edge |
| Resend | Transactional email delivery | EU |
| Anthropic | AI chat bot response generation | EU API endpoint |
| Apollo.io | B2B contact data enrichment | US (GDPR-compliant DPA) |
| Cloudinary | Logo & image storage | EU |
We notify customers at least 30 days in advance of any new sub-processor.