Security & compliance
How we protect your data, where it lives, and who we share it with. This page is kept up to date with every change to our infrastructure.
Security
- Encryption: AES-256 at rest (Supabase, storage) and TLS 1.3 in transit.
- Data isolation: Supabase Row Level Security (RLS) enabled on every sensitive table.
- International transfers: Standard Contractual Clauses (SCCs) EU → US signed with every sub-processor based outside the EU.
- Secrets & keys: stored via encrypted Vercel environment variables — never in plaintext in the database.
- HTTP headers: HSTS preload, strict CSP, X-Frame-Options DENY, Referrer-Policy strict-origin.
- Vulnerability reporting: see security.txt or email security@humain-01.com.
Compliance
HUMAIN is operated by Zedream Ltd (UK Company No. 15531321) and complies with the following frameworks:
United Kingdom
UK GDPR + Data Protection Act 2018
European Union
EU GDPR (Regulation 2016/679)
Quebec
Law 25 on the protection of personal information
Canada
PIPEDA (Personal Information Protection and Electronic Documents Act)
Sub-processors
Full list of third parties with access to your personal data as part of the service.
| Sub-processor | Purpose | Region | Transfer framework |
|---|---|---|---|
| OpenAI | LLM inference (GPT-4) | United States | SCCs EU → US |
| Anthropic | LLM inference (Claude) | United States | SCCs EU → US |
| Supabase | Postgres database + Auth + Realtime | European Union (eu-central-1) | — |
| Vercel | Next.js hosting and edge runtime | Global (CDN Edge) | SCCs EU → US |
| Stripe | Payment processing (upcoming) | Ireland / United States | SCCs EU → US |
| Resend | Transactional email | United States | SCCs EU → US |
Data Processing Agreement (DPA)
A Data Processing Agreement compliant with Article 28 of the GDPR is available for any business customer. Review our DPA template or request a signed copy by emailing privacy@humain-01.com.
Certifications
SOC 2 Type II
In progressAudit scheduled for Q4 2026.
ISO/IEC 27001
PlannedAudit scheduled for 2027.
Incident response
- Notification: any incident affecting personal data is reported to the impacted customers and the competent authority within 72 hours, in line with Article 33 GDPR.
- Status page: a public status page will be available at general availability.
- Incident contact: security@humain-01.com
Security or compliance question?
Our team responds to vendor risk assessments and provides supporting documentation on request.
privacy@humain-01.comLast updated: 23 May 2026 · Zedream Ltd, Company No. 15531321 (UK)