Security & Privacy

Data Ownership & Control

Your data is your own. HeHo only stores authentication data and chatbot configuration in our Supabase instance. Your business data, database connections, and chatbot memories are stored exclusively in your own Supabase project under your complete control.

  • Business data never leaves your Supabase database
  • You maintain full ownership and control of all data
  • HeHo acts as an orchestration layer, not a data repository
  • Data isolation enforced through Row Level Security (RLS)

Encryption & Data Protection

All sensitive data is encrypted both in transit and at rest using industry-standard encryption protocols.

  • All data encrypted in transit using HTTPS/TLS 1.3
  • API keys encrypted at rest using AES-256 encryption
  • Encryption keys managed securely and rotated regularly
  • No plaintext storage of sensitive credentials

API Key Security

Your OpenRouter, Supabase, and HeHo API keys are encrypted and never exposed to the frontend or client-side code.

  • Keys encrypted with AES-256 before storage
  • Only used server-side for API requests
  • Automatically rotated on demand from settings
  • Never logged, exposed in error messages, or shared with third parties
  • Access logs maintained for audit purposes

Authentication & Access Control

Accounts are protected by Supabase Auth, following industry-standard security practices.

  • Email verification required for signup
  • Passwords hashed with bcrypt (12 rounds)
  • JWT tokens with 7-day expiration
  • CSRF protection on all state-changing requests
  • Session management with automatic timeout
  • Support for secure password reset flows

Database Permissions & Autonomous Operations

You maintain complete control over what your AI agents can access and modify in your database.

  • Read-only access (configurable per chatbot)
  • Write/insert permissions (configurable per chatbot)
  • Edit/update permissions (configurable per chatbot)
  • Delete operations (disabled by default for safety)
  • Table-level access control
  • Audit logs for all autonomous operations
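The permission model above (per-chatbot read, insert and update toggles, table-level scoping, delete off unless explicitly enabled, and an audit record for every autonomous operation) can be expressed as a small default-deny policy object that is consulted before any operation runs. The code below is an added illustration, not HeHo's implementation; the names ChatbotPolicy, PermissionGate and the operation strings are assumptions chosen for the example.

```python
"""Default-deny, per-chatbot database permissions with an audit trail.

Added example (not HeHo's code). Models the page's permission toggles as a
per-table allow-list, with DELETE requiring an explicit opt-in on top of being
listed, and every decision appended to an audit log.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

READ, INSERT, UPDATE, DELETE = "read", "insert", "update", "delete"
ALL_OPS = {READ, INSERT, UPDATE, DELETE}


@dataclass
class ChatbotPolicy:
    """Permissions for one chatbot: table name -> set of allowed operations."""
    chatbot_id: str
    tables: dict = field(default_factory=dict)
    allow_delete: bool = False          # disabled by default, as the page states

    @classmethod
    def read_only(cls, chatbot_id, tables):
        """Convenience constructor for the read-only mode."""
        return cls(chatbot_id, {t: {READ} for t in tables})

    def grant(self, table, *ops):
        """Add operations for a table; unknown operation names are rejected."""
        unknown = set(ops) - ALL_OPS
        if unknown:
            raise ValueError(f"unknown operation(s): {sorted(unknown)}")
        self.tables.setdefault(table, set()).update(ops)
        return self

    def allows(self, table, op):
        # Table-level control: a table not in the policy is denied for every op.
        if op not in self.tables.get(table, set()):
            return False
        # Delete additionally needs the explicit opt-in flag.
        return op != DELETE or self.allow_delete


@dataclass
class AuditEntry:
    at: str
    chatbot_id: str
    table: str
    op: str
    allowed: bool
    detail: str = ""


class PermissionGate:
    """Checks each autonomous operation against the policy and records it."""

    def __init__(self, policy):
        self.policy = policy
        self.audit = []                  # one AuditEntry per decision, allowed or not

    def check(self, table, op, detail=""):
        allowed = self.policy.allows(table, op)
        self.audit.append(AuditEntry(
            at=datetime.now(timezone.utc).isoformat(),
            chatbot_id=self.policy.chatbot_id,
            table=table, op=op, allowed=allowed, detail=detail))
        return allowed

    def run(self, table, op, action, detail=""):
        """Execute action() only if the policy permits it; otherwise raise."""
        if not self.check(table, op, detail):
            raise PermissionError(f"{self.policy.chatbot_id}: {op} on {table} denied")
        return action()


if __name__ == "__main__":
    # Constructed sample: a support bot that may read two tables and update orders.
    policy = ChatbotPolicy.read_only("support-bot", ["orders", "products"])
    policy.grant("orders", UPDATE)
    gate = PermissionGate(policy)
    print(gate.check("orders", READ))        # True
    print(gate.check("orders", DELETE))      # False: delete is off by default
    print(gate.check("customers", READ))     # False: table not in the policy
    for entry in gate.audit:
        print(entry)
```

Because the audit list is written on denials as well as on allowed operations, reviewing it regularly (as the Best Practices section recommends) shows which requests an agent attempted, not only which ones succeeded.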

Third-Party Integrations

HeHo integrates with trusted third-party services. Data sharing is minimal and necessary for core functionality.

  • OpenRouter receives only prompts and necessary context for AI processing
  • Supabase stores your database and authentication data
  • No data is shared with other third parties
  • All third-party integrations comply with GDPR and data protection laws

Compliance & Standards

HeHo follows industry standards and regulations for data protection and privacy.

  • GDPR compliant data processing and user rights
  • User data deletion on account removal
  • No automated decision-making or profiling
  • Regular security audits and penetration testing
  • Compliance with SOC 2 principles
  • Regular security updates and patches

REST API Security

HeHo's REST API includes security measures to protect programmatic access to your systems.

  • Bearer token authentication required for all requests
  • Rate limiting to prevent abuse
  • Request validation and sanitization
  • API key rotation support
  • Audit logging for all API requests
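The two server-side checks named in this section and in Authentication & Access Control (bearer token verification for every request, with JWTs that expire after 7 days, and per-caller rate limiting) are shown together below. This is an added example, not HeHo's or Supabase's code: it uses HMAC-SHA256 (HS256) signing and a fixed-window counter as stand-ins, since the page does not state which algorithm or limiter is used; the secret, the subject names and the function names are assumptions.

```python
"""Bearer-token verification with 7-day expiry, plus per-subject rate limiting.

Added example (not HeHo's code). Uses only the standard library: HS256 JWTs
signed with a server-side secret, a constant-time signature compare, an
expiry check, and a fixed-window rate limiter keyed by the token subject.
"""
import base64
import hashlib
import hmac
import json
import time

SEVEN_DAYS = 7 * 24 * 3600          # the page's stated token lifetime


class TokenError(Exception):
    """Raised for any token that must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, subject: str, now=None, ttl=SEVEN_DAYS) -> str:
    """Create an HS256 JWT for `subject` that expires `ttl` seconds from `now`."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(secret: bytes, token: str, now=None) -> dict:
    """Return the payload of a valid, unexpired HS256 token; raise TokenError otherwise."""
    now = int(time.time()) if now is None else int(now)
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: never trust the header to choose it ("none", RS256, ...).
        if header.get("alg") != "HS256":
            raise TokenError("unexpected alg")
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        # Check the signature before parsing the payload, in constant time.
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise TokenError("bad signature")
        payload = json.loads(_b64url_decode(p))
    except ValueError as exc:            # bad base64 or JSON, wrong segment count
        raise TokenError("malformed token") from exc
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise TokenError("expired")
    return payload


class RateLimiter:
    """Fixed-window counter: at most `limit` requests per `window` seconds per subject."""

    def __init__(self, limit: int, window: int):
        self.limit, self.window = limit, window
        self._counts = {}                # (subject, window index) -> request count

    def allow(self, subject: str, now=None) -> bool:
        now = time.time() if now is None else now
        key = (subject, int(now // self.window))
        self._counts[key] = self._counts.get(key, 0) + 1
        return self._counts[key] <= self.limit


def authenticate_request(secret: bytes, headers: dict, limiter: RateLimiter, now=None):
    """Gate one API request: returns (200, payload), (401, reason) or (429, reason)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, "missing bearer token"
    try:
        payload = verify_token(secret, token, now)
    except TokenError as exc:
        return 401, str(exc)             # reason stays generic; the token is not echoed
    if not limiter.allow(payload["sub"], now):
        return 429, "rate limit exceeded"
    return 200, payload


if __name__ == "__main__":
    secret = b"example-server-secret"    # constructed; a real secret comes from the environment
    issued_at = 1_700_000_000
    tok = mint_token(secret, "user-1", now=issued_at)
    limiter = RateLimiter(limit=2, window=60)
    print(authenticate_request(secret, {"Authorization": f"Bearer {tok}"}, limiter, now=issued_at))
    print(authenticate_request(secret, {"Authorization": f"Bearer {tok}"}, limiter, now=issued_at + SEVEN_DAYS))
```

Rejecting any header whose `alg` is not the one the server expects, and comparing signatures before decoding the payload, keeps the verification independent of attacker-controlled fields; the limiter is keyed by the verified subject so it cannot be evaded by presenting a different, unverifiable token.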

Best Practices for Users

To maintain security, we recommend following these best practices:

  • Never share your API keys in public repositories or client-side code
  • Rotate your API keys regularly
  • Use strong, unique passwords for your HeHo account
  • Enable two-factor authentication on your Supabase account
  • Review and audit autonomous operations regularly
  • Maintain backups of critical data
  • Use environment variables to store sensitive credentials
  • Monitor your Supabase audit logs for suspicious activity

Report Security Issues

Found a security vulnerability? Please email security@heho.dev instead of opening a public issue. We take security seriously and will investigate all reports promptly. Please include details about the vulnerability and steps to reproduce it.