Where is hudall data hosted?

Supabase eu-west-2 (London region). Compute runs on Vercel lhr1 (London). Same continent as our UK customers; cross-Atlantic round-trips for AU and US visitors are reduced via Vercel's global edge cache.

Which compliance certifications do hudall's providers hold?

Vercel: SOC 2 Type II, ISO 27001. Supabase: SOC 2 Type II, HIPAA-ready. Stripe: PCI DSS Level 1, SOC 2 Type II. hudall as a company does not hold these certifications independently — we lean on our providers.

How is access controlled?

6-digit PIN per user, bcrypt hashed. Forced PIN change on first login. Lockout after 5 failed attempts. Per-IP rate limit on login. HQ admins have a secondary PIN.

Security — hudall

Security & data

Strong by default.

hudall handles agency performance data — people, branches, scores, fees. The list below is the engineering posture in production today. Not a roadmap, not aspirations — what every API call already enforces.

What’s in place · today

Tenant isolationEvery row tagged to one tenant. Application-level filtering on every query; Postgres row-level security policies enabled as a safety net.

PIN hashing6-digit PINs are bcrypt-hashed with a per-user salt. The original PIN is never stored or transmitted in clear.

Brute-force lockout5 failed attempts on an account → 15-minute lockout, persisted in the database (not just process memory).

Server-side authorisationEvery API route checks role + tenant scope before reading or writing. UI permissions mirror server checks — bypassing the UI doesn't bypass auth.

Foreign-key tenant validationWhen the client sends an ID (office, agent, metric), the server verifies it belongs to the caller's tenant before touching it. Stops cross-tenant IDOR.

httpOnly signed sessionsSession cookies are httpOnly, signed, SameSite-Lax, time-limited. Inaccessible to JavaScript, invalidated on logout.

Audit trail on admin actionsUser CRUD, message broadcasts, submission approvals, settings changes — actor, action, target, timestamp recorded for every one.

Secrets out of sourceAPI keys and database credentials live in Vercel environment variables, never in the repository or client bundle. Rotatable on demand.

Dependencies tracked + patchedGitHub-native dependency graph and security advisories. Critical CVEs triaged and shipped on release.

Tech stack built on global leaders.

Each one carries the certifications enterprise procurement teams ask for.

AWS

The data centre that physically holds your data — Amazon's London facility.

SOC 2 Type II
ISO 27001

Supabase

The database that stores your branches, people, and numbers.

SOC 2 Type II
HIPAA-ready

Vercel

Serves the hudall app to you and your team, fast, anywhere.

SOC 2 Type II
ISO 27001

GitHub

Records every change to the code, with full history and review.

SOC 2 Type II

Stripe

Handles your subscription billing. Card numbers never touch us.

PCI DSS L1
SOC 2 Type II

Resend

Sends transactional email — verification, password resets, weekly digest. No marketing email.

SOC 2 Type II
GDPR-compliant

Encryption at rest and in transit, by default. Backups in the same region as the live data.

All tenant data lives in AWS London (eu-west-2). UK GDPR and EU GDPR scope. Multi-region residency is on the enterprise roadmap — get in touch and we’ll align to your procurement timeline.

Strong by default.

Tech stack built on global leaders.

Frequently asked questions