SECURITY & TRUST

How Honne handles your data, plainly stated.

The questions a careful buyer asks before signing — and honest answers, updated as things ship.

TL;DR

Your data is encrypted at rest and in transit, stored in Supabase US-East, and never trains anyone's models. SOC 2 Type I is in progress; Type II follows. We'll sign a DPA. We're a small team — direct email goes straight to the person who can fix the thing.

Compliance status

  • SOC 2 Type I · In progress · Audit in progress with Drata. Report expected Q2 2026.
  • SOC 2 Type II · Planned · Begins after Type I. Expected Q4 2026 after the 6-month observation window.
  • GDPR posture · Ready · DPA available on request. EU Standard Contractual Clauses supported for cross-border transfer.
  • HIPAA · Not supported · Don't run research involving PHI on Honne.

Data handling

Where it lives

All data is stored in Supabase (PostgreSQL) hosted on AWS US-East-1. Session recordings — screen and audio, when a study enables them — are stored in Supabase Storage in the same region. EU regional hosting for Team plans is on the roadmap, ETA Q4 2026.

Encryption

At rest: AES-256 via Supabase's managed Postgres. In transit: TLS 1.3 for everything, including participant sessions. No exceptions, no plain HTTP fallbacks.

Access

Row-level security enforces per-workspace data isolation. Engineers on the Honne team do not routinely query customer data. When debugging a specific ticket requires it, the access is logged and time-bound.
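As an added example (not Honne's own schema or code), this is the shape a per-workspace isolation policy takes in Postgres on Supabase; the table and column names are assumed, `auth.uid()` is Supabase's accessor for the JWT subject:

```sql
-- Added example, not Honne's schema: per-workspace isolation with Postgres
-- row-level security on a Supabase-hosted database. Tables are assumed;
-- auth.uid() is Supabase's accessor for the JWT subject (auth.users.id).
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  primary key (workspace_id, user_id)
);

create table studies (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  title        text not null
);

-- Policies are ignored until RLS is enabled; FORCE applies them to the
-- table owner as well. Note: Supabase's service_role key bypasses RLS,
-- so it must never reach the browser or a participant-facing client.
alter table studies enable row level security;
alter table studies force row level security;
alter table workspace_members enable row level security;

-- Membership check. SECURITY DEFINER lets it read workspace_members even
-- though that table has RLS on with no policy of its own; the pinned
-- search_path stops another schema from shadowing the lookup.
create or replace function is_workspace_member(ws uuid)
returns boolean language sql stable security definer
set search_path = public as $$
  select exists (
    select 1 from workspace_members
    where workspace_id = ws and user_id = auth.uid()
  );
$$;

-- Reads return only rows in the caller's workspaces.
create policy studies_select on studies for select
  using (is_workspace_member(workspace_id));

-- Writes cannot place a row into a workspace the caller is not in.
create policy studies_insert on studies for insert
  with check (is_workspace_member(workspace_id));

create policy studies_update on studies for update
  using (is_workspace_member(workspace_id))
  with check (is_workspace_member(workspace_id));

-- Verification from a session carrying user A's JWT: a query aimed at a
-- workspace A does not belong to yields zero rows, not an error.
-- select count(*) from studies where workspace_id = '<other-workspace>';
```

The useful check is the negative one: run the final query as a member of one workspace against another workspace's id and confirm it returns nothing, since a missing ENABLE or a client holding the service_role key would silently return every row.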

Retention

Study data lives as long as your workspace lives. When you delete a study, it's soft-deleted for 30 days (recoverable), then purged. Full account deletion removes data within 7 days. Server logs are retained for 30 days for debugging and abuse detection.

AI provider & training

The AI moderator runs through LiteLLM as a router, currently calling xAI (Grok) for moderation and verification. Only the current session's conversation is sent to the model — no cross-session context, no participant PII outside the session itself. Our upstream provider terms prohibit training on API inputs; we do not opt in to any data-sharing programs.

If you need zero-LLM for a compliance-sensitive study, turn the AI moderator off per section. The static-survey fallback ships the same research questions without any AI involvement.

Subprocessors

The third-party services that process any customer data on our behalf:

  • Supabase · Database, authentication, storage · US-East-1
  • AWS · Underlying infrastructure (via Supabase)
  • Resend · Transactional email · US
  • LiteLLM · LLM routing layer · self-hosted, EU
  • xAI · AI moderator model · US (no training on API data)
  • Stripe · Payment processing (when billing is live) · global

We give you 30 days' notice before adding or swapping subprocessors that process customer data.

Engineering security practices

  • MFA on every internal account. No shared credentials. Hardware keys for production access.
  • Secrets in Railway / 1Password. No secrets in git history, enforced via pre-commit hooks.
  • Dependency scanning. Dependabot on main branch; critical CVEs patched within 48 hours.
  • Code review on every PR. No direct pushes to main.
  • Backups daily. Supabase point-in-time recovery on Pro tier, tested quarterly.

If something goes wrong

Security issues get the same team, same inbox, same day: [email protected]. We aim to acknowledge within 4 business hours and provide an initial assessment within 24 hours.

If a confirmed incident affects customer data, we notify affected customers directly — not after a week, not buried in a blog post.

Business continuity

We're a small, bootstrapped team. That's a real risk factor for a buyer — startup mortality in the research-tool category is non-trivial. Two things that reduce your exposure:

  • Export your data anytime. CSV, JSON, or direct copy of session recordings. Your data is yours — the button is always live.
  • Contractual data-escrow clause on request. If Honne were acquired or wound down, we commit in writing to a 90-day data-export window for every paying customer.

Want a DPA or custom security review?

Email [email protected] with your security questionnaire or specific concerns. We respond to every security-related inquiry within a business day — no gatekeeping.