Security at Halvert

Halvert is SOC 2 Type II certified. Customer data lives under a BAA-grade posture by default. This page covers the how.

Last updated March 2026

Posture

Halvert runs in a single-tenant SOC 2 Type II environment. All production services are deployed across three availability zones with automated failover. Human access to production is scoped, time-bound, and audited.

Data protection

Data is encrypted at rest with AES-256 and in transit with TLS 1.3. Tenant data is logically isolated in a single-tenant schema; no row ever crosses an organisation boundary without an explicit sharing grant recorded in the audit log.

Authentication

  • SAML 2.0 single sign-on on Pro and Enterprise.
  • SCIM 2.0 provisioning for Okta, Microsoft Entra, and JumpCloud.
  • TOTP and WebAuthn second factors supported for password accounts.
  • Session keys rotate every eight hours and on privilege escalation.

Audit log

Every approval, rule change, permission grant, and data export is captured in an append-only, cryptographically signed audit log. Exports are available in CSV or PDF at any time, on any plan.

Compliance

  • SOC 2 Type II (latest report dated March 2026).
  • GDPR compliant. Data Processing Addendum available on request.
  • HIPAA: Business Associate Agreement available for regulated industries.
  • ISO 27001 audit in progress; expected Q3.

Reporting a vulnerability

We run a private bug bounty. Please email security@yourdomain.tld with a reproducible report. We aim to acknowledge within one business day and triage within three.


Want the full trust report?

SOC 2 Type II report, pen-test summary, sub-processor list. Available under a standard mutual NDA.
