Data Handling Policy
Last updated: March 2026
This page describes exactly what data HAIEC Inc. (“HAIEC”) collects, processes, stores, and deletes across every product surface. It is written for security reviewers, enterprise procurement, and compliance officers.
Governing principle: data minimisation
HAIEC is designed to collect only what is needed to produce a finding, score, or evidence record — and no more. Source code is processed in-memory and discarded. User data from your end-users is never collected. Analysis results (findings, hashes, metadata) are what we store.
1. What We Collect — By Product Surface
Static Analysis Scanner (AI security scan)
Collected & stored
- Repository URL and branch name
- Scan ID, status, timestamps
- Finding records: file path, line range, rule ID, severity, description
- Risk score and finding counts
- Scan profile selected
Never collected or stored
- Source code content (any file)
- Git history or commit content
- Secrets or credentials found
- File contents beyond the finding snippet
How it works: Your repository is cloned into an ephemeral Modal container, analysed in-memory, and the container is discarded. Only the structured finding output is returned and written to the database. The container never persists your code.
GitHub App Integration
Collected & stored
- Repository name and owner
- Branch protection rule status (enabled / disabled)
- Presence of configuration files (CODEOWNERS, etc.)
- Webhook delivery IDs and event types
Never collected or stored
- File contents from any repository
- Commit messages or diff content
- GitHub user credentials or tokens (beyond installation token, scoped and short-lived)
Runtime Attack Testing
Collected & stored
- Test ID, target endpoint URL, categories, mode
- Attack payloads sent (from our pre-defined library)
- Pass / fail outcome per attack
- Finding: attack type, severity, response snippet indicating vulnerability
- Overall security score
Never collected or stored
- Full response bodies from your AI endpoint
- Your end-users' data or conversation history
- Authentication credentials used to access your endpoint
Domain authorisation required: You must verify ownership of the domain before a runtime test can be run. This is enforced at the API layer.
Compliance Wizards & Assessments
Collected & stored
- Your answers to wizard questions (stored per assessment, per account)
- Generated evidence records with content hashes and collection timestamps
- Assessment score, maturity level, identified gaps
- Compliance reports (PDF metadata; the generated PDF is stored temporarily for download)
NYC Local Law 144 Bias Audit Module
This module is the only surface in HAIEC that comes close to processing personal data. We handle it with additional controls:
- Candidate identifiers are hashed using SHA-256 before any storage. Raw PII is not retained.
- Bias outcome results (pass/fail per demographic category) are stored per engagement.
- Audit reports include aggregate statistics only — not individual candidate outcomes.
Account & Platform Data
- Name, email address, and OAuth provider identifier
- Organisation name and subscription tier
- API key records (the key hash, not the plaintext key after issuance)
- Usage events for billing and rate limiting
2. Retention Periods
| Data type | Default retention | Deletion mechanism |
|---|---|---|
| Source code (scan) | Never stored | N/A — discarded in-memory |
| Scan findings | Until account closed or you delete the scan | Dashboard delete / account closure |
| Assessment responses | Until you delete the assessment | Dashboard delete |
| Evidence records | Until account closed | Account closure request |
| Generated PDFs | 30 days after generation | Automatic purge |
| Account data | 30 days after closure request | Support request |
| Audit logs | 7 years | Not user-deletable (compliance requirement) |
| NYC LL144 hashed identifiers | 90 days after engagement close (configurable) | Engagement deletion or support request |
3. Encryption
In transit
- TLS 1.2+ enforced on all connections
- HTTPS-only; HTTP requests redirected
- HSTS header applied
At rest
- AES-256 via Neon (PostgreSQL)
- SHA-256 content hashing for evidence integrity
- SHA-256 hashing of candidate identifiers before storage
4. Third-Party Data Sharing
We share data with the following categories of third parties only:
- Infrastructure providers (Vercel, Neon, Modal, Upstash) — to host and process the platform. See Subprocessor List.
- Payment processor (Stripe) — billing data only. We do not see or store card details.
- Email provider (Resend) — your email address, for transactional emails you trigger (receipts, scan notifications).
- Error monitoring (Sentry) — anonymised error traces. No finding content or PII in error payloads by design.
We do not sell data. We do not share data with advertisers. We do not use your data to train machine learning models.
5. Your Rights & Deletion
You can exercise the following at any time:
- Delete individual scans or assessments — via the dashboard.
- Export your data — contact privacy@haiec.com.
- Delete your account and all associated data — contact privacy@haiec.com. Processed within 30 days. Audit logs retained per legal requirement.
- GDPR / CCPA requests — see Data Deletion Rights.
Related documents
Questions? privacy@haiec.com