Security at HardenLabs
How we think about security as a company — not just in our products, but in everything we build and operate.
Security by design, not by afterthought
We are a security company, so we hold ourselves to a higher standard. Security isn't a feature we bolt on after the product works — it's a constraint we design around from the start.
Our guiding principle is privacy by design. We architect our systems so they can't access data they shouldn't have. Not through access policies that someone might misconfigure. Through architecture that makes it structurally impossible.
We collect as little data as possible, retain it for as short a time as practical, and give you control over what we have.
How we protect our systems
Encryption
All data is encrypted at rest and in transit. We use industry-standard encryption (TLS 1.2+ for transit, AES-256 or KMS-managed keys for storage) and rotate keys regularly.
Access Controls
We follow the principle of least privilege across our infrastructure. Access to production systems is tightly controlled, logged, and regularly reviewed. We use multi-factor authentication for all administrative access.
Infrastructure as Code
Our infrastructure is defined in code, version-controlled, and deployed through automated pipelines. This means every change is reviewed, auditable, and reproducible.
Isolated Environments
Development, staging, and production environments are fully isolated in separate accounts with independent credentials and access controls.
Found a vulnerability? Tell us.
If you've discovered a security vulnerability in any HardenLabs product or infrastructure, we want to hear about it. We take every report seriously and will work with you to understand and address the issue.
How to Report
Email your findings to security@hardenlabs.co. Please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any relevant URLs, screenshots, or proof-of-concept code
- Your contact information so we can follow up
We ask that you give us reasonable time to investigate and address the issue before making it public. We won't take legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices.
We don't currently run a formal bug bounty program, but we appreciate and acknowledge all valid reports.