Security. Data. Transparency.
How we handle your information, protect your data, and work with third parties. No fine print—just the facts.
Security
- Transport: All traffic is served over HTTPS (TLS).
- Authentication: Sign-in uses magic links (no passwords stored). Links are single-use and time-limited. We use Rails’ secure token generation.
- Access control: Report and vault access is tied to secret URLs and (when signed in) to your account. We do not expose other users’ data.
- Rate limiting: We use Rack::Attack to limit abuse (e.g., magic-link and lookup requests).
Data handling
We store only what’s needed to provide the Service: account (email), reports (address, jurisdiction, checklist state), and uploaded documents. Report content is generated from our jurisdiction and ordinance data. We do not sell your data. Data is stored in our production environment with access restricted to authorized personnel.
Subprocessors
We use the following subprocessors to operate the Service. Each is chosen for security and reliability.
| Provider | Purpose | Location |
|---|---|---|
| Stripe | Payments (checkout, subscriptions) | USA |
| Resend | Transactional email (report link, magic link, alerts) | USA |
| Google (Maps / Geocoding) | Address autocomplete and geocoding | Global |
| PostHog | Product analytics | USA |
| Sponge | Payments from AI agents | Global |
Compliance and availability
We design the Service with privacy and security in mind. We do not currently maintain formal certifications (e.g., SOC 2); we are happy to answer specific questions. For availability, we use standard hosting and monitoring; see our status or contact us for SLA inquiries.
Contact
For security issues, privacy requests, or trust and compliance questions, contact us at contact@gethostshield.com. We will respond to legitimate requests in a timely manner.