The Handover

Trust & security.

Last updated · April 18, 2026

The Handover sits between your AI agents and the humans who approve what they do. That means we see action descriptions, approver emails, and your API keys. This page explains exactly how we handle each of those — the infrastructure, the storage, and what we won't do with them.

  • TLS everywhere. All API and dashboard traffic over HTTPS. No plaintext ingress.
  • API keys hashed. Stored as SHA-256 only. Raw keys shown once at creation and never again.
  • No training on your data. Your actions and approver responses are never used to train any model, ours or anyone else's.

Where your data lives

All customer data lives in a Postgres database managed by Supabase (AWS us-east-1), with encryption at rest and row-level security policies scoping every row to a single account. The API runs on Railway. Transactional email goes through Resend. Billing is handled by Polar. That's the entire footprint — we don't replicate your data to any other store, analytics warehouse, or third-party tool.

API keys and authentication

  • Hashed at rest. We SHA-256 every key before storage. If our database were exfiltrated, an attacker would not have working keys.
  • Shown once. The raw key is returned exactly once from POST /auth/api-keys. Lose it and you rotate — there is no retrieval.
  • Revocation is immediate. Deleting a key flips is_active=false; every subsequent request is rejected at the auth middleware before it hits any business logic.
  • Account-scoped approvers. You declare which email addresses are allowed to approve for each key. A POST /decisions with an unlisted approver returns 403 — your agent cannot email anyone not on your list.
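
The four properties above can be modelled in a few lines. This is an added illustration, not The Handover's code: the in-memory `KEYS` table, the function names, the `ho_` key prefix and the 401 status for a bad key are assumptions; only SHA-256 storage, `is_active` and the 403 for an unlisted approver come from this page.

```python
import hashlib
import secrets

# In-memory stand-in for the key table. Only is_active is named on the page;
# the other field names and the "ho_" key prefix are assumptions.
KEYS = {}  # sha256 hex digest -> {"is_active": bool, "approvers": set of emails}


def digest_of(raw_key):
    # Unsalted SHA-256 is adequate here only because the key is 256 bits of
    # CSPRNG output; it would not be adequate for human-chosen passwords.
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def create_api_key(approvers):
    """Store only the digest; the raw key is returned once and never kept."""
    raw_key = "ho_" + secrets.token_urlsafe(32)
    KEYS[digest_of(raw_key)] = {
        "is_active": True,
        "approvers": {a.strip().lower() for a in approvers},
    }
    return raw_key


def revoke(raw_key):
    """Soft-delete: flip is_active so the next request fails authentication."""
    row = KEYS.get(digest_of(raw_key))
    if row is None:
        return False
    row["is_active"] = False
    return True


def authenticate(raw_key):
    """Auth middleware step: hash the presented key and look the digest up."""
    row = KEYS.get(digest_of(raw_key))
    return row if row and row["is_active"] else None


def post_decision(raw_key, approver, action):
    """Return (status, detail). 401 for a bad key is assumed; 403 is from the page."""
    row = authenticate(raw_key)
    if row is None:
        return 401, "invalid or revoked key"
    if approver.strip().lower() not in row["approvers"]:
        return 403, "approver not on this key's allowlist"
    return 201, f"decision created: {action}"
```
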

What we store, what we don't

  • Decision content. Action descriptions, context, approver email, response notes, attachments you upload. Kept for the duration of your account, subject to tier retention.
  • Audit logs. Creation, email sent, opened, resolved, expired — with timestamps. Free tier exports cover the last 7 days; paid tiers export the full history.
  • Webhook payloads. If you configure a callback URL, we sign each delivery with HMAC-SHA256 using your key's webhook secret so your server can verify it came from us.
  • What we don't store. Your agent's prompts, model outputs, or anything you didn't explicitly pass into create(). If you don't send it, we don't have it.
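
On the receiving side, the webhook signature described above is checked by recomputing the HMAC over the raw request body and comparing in constant time. This is an added example, not The Handover's code: the hex encoding of the signature, the payload field names and the secret value are assumptions, and the sample body is constructed.

```python
import hashlib
import hmac
import json


class InvalidSignature(Exception):
    """Raised when a delivery fails verification and must be discarded."""


def sign(secret, raw_body):
    # Sender side of the scheme: HMAC-SHA256 over the exact bytes on the wire.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_and_parse(secret, raw_body, signature_hex):
    """Verify first, parse second. Returns the payload dict or raises."""
    try:
        received = bytes.fromhex((signature_hex or "").strip())
    except ValueError:
        raise InvalidSignature("signature is not valid hex")
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # compare_digest avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, received):
        raise InvalidSignature("signature mismatch")
    # Only now is the body trusted enough to hand to the JSON parser.
    return json.loads(raw_body)


# Constructed sample delivery (secret and field names are hypothetical).
SECRET = b"whsec_constructed_example"
BODY = b'{"decision_id":"dec_123","status":"approved"}'
GOOD_SIG = sign(SECRET, BODY)


def reserialized_signature():
    # Common receiver bug: signing the re-encoded JSON instead of the raw bytes.
    # json.dumps inserts spaces, so the MAC no longer matches the sender's.
    return sign(SECRET, json.dumps(json.loads(BODY)).encode("utf-8"))


def is_accepted(raw_body, signature_hex):
    try:
        verify_and_parse(SECRET, raw_body, signature_hex)
        return True
    except InvalidSignature:
        return False
```
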

Sub-processors

These are the third parties that process your data to make the service work:

| Provider | Purpose | Data | Region |
|---|---|---|---|
| Supabase | Database & auth | Account, decisions, keys (hashed), audit log | AWS us-east-1 |
| Railway | API hosting | Request processing (stateless) | US |
| Resend | Transactional email | Approver email, action, context | US / EU |
| Polar | Billing | Email, subscription metadata | US |
| Slack / Cloudflare | Optional Slack delivery, CDN for assets | Only if you install Slack | Global |

Retention & deletion

  • Decisions and audit logs stay for the lifetime of your account. Free-tier exports are capped at 7 days; paid tiers export everything.
  • Resolved decision tokens expire immediately; expired decisions can no longer be resolved via email links.
  • Closing your account deletes your keys, approvers, decisions, and audit rows within 30 days. Email us at support@thehandover.xyz for an immediate purge.

Access controls

Production database access is restricted to the founding team and required only for incident response. All access goes through Supabase's audit-logged console — we do not log into the database from local machines. The dashboard enforces the same row-level security as the API, so even our own support tooling can't read your decisions without going through the regular auth path.

Compliance

We are an early-stage company and are honest about this: we do not currently hold SOC 2, ISO 27001, or HIPAA attestations. If your compliance program requires them, the honest answer is "not yet." We support GDPR data-subject rights (access, correction, deletion) today via support@thehandover.xyz. SOC 2 Type I is on the roadmap once we cross the usage threshold that makes it worth the audit cost; we'll update this page the day we start.

Reporting a security issue

If you believe you've found a vulnerability, please email security@thehandover.xyz with steps to reproduce. We'll acknowledge within two business days. Please don't test against other customers' data or run load that degrades service — we'll work with you in good faith if you do the same.

Incident response

If an incident affects your data, we will notify affected customers within 72 hours by email, publish a post-mortem summarising root cause and remediation, and rotate any credentials that may have been exposed.

Questions

Procurement, security review, or anything else — email support@thehandover.xyz and we'll respond personally.

© 2026 The Handover. All rights reserved. Made in the EU