
Trust & security

Security at Harmny

Performance and career data is among the most sensitive information an organization holds. This page explains exactly what we do to protect it — no marketing language, no unchecked certifications.

If you're evaluating Harmny for your organization and need additional documentation or have specific security questions, email us at [email protected].

HTTPS everywhere: Cloudflare TLS

GDPR aligned: Data subject rights

RBAC: 5 scoped roles

Audit log: Every action recorded

Transport security

All traffic to harmny.ai is served over HTTPS via Cloudflare. TLS 1.2 and 1.3 are supported; older protocols are rejected at the edge. HTTP requests are automatically redirected to HTTPS — there are no unencrypted fallbacks.

Cloudflare also provides DDoS protection and acts as an additional layer between the public internet and our infrastructure.

Authentication

Passwords are hashed with bcrypt (cost factor 12) before storage — we never store plaintext credentials. Harmny supports email/password login and Google OAuth.

Sessions use a two-token approach: a short-lived access token (15 minutes, stored in memory only) and a long-lived refresh token (30 days, stored in an httpOnly, Secure, SameSite cookie). This means access tokens are never written to persistent browser storage, and refresh tokens cannot be read by JavaScript, including script injected through an XSS attack.

Authentication endpoints are rate-limited per IP: sign-in and sign-up are capped at 20 requests per 15 minutes; password reset requests are capped at 5 per hour. All API routes share a global limit of 300 requests per minute.

Access controls & multi-tenancy

Harmny uses role-based access control (RBAC) with five scoped roles: Admin, HR, Manager, Ops, and Employee. Every API endpoint enforces the minimum required role — there are no routes that rely on client-side permission checks alone.

All data is strictly isolated by organization at the application layer. Every database query filters by organizationId — it is structurally impossible for one tenant's data to appear in another tenant's queries.

Managers can only access data for their direct reports. Employees can only view their own records. Cross-employee data access is verified server-side on every request through a shared authorization utility.
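
One way to structure the shared authorization utility and organization-scoped lookup described above, as an added example that is not Harmny's code. The data layout, the function names, and the assumption that Admin and HR can view every record in their own organization while Ops can view none are hypothetical.

```javascript
// Constructed sample data; every name here is hypothetical.
const employees = [
  { id: "e1", organizationId: "orgA", managerId: "m1" },
  { id: "e2", organizationId: "orgA", managerId: "m2" },
  { id: "m1", organizationId: "orgA", managerId: null },
  // Another tenant's row that happens to reference the same manager id.
  { id: "e9", organizationId: "orgB", managerId: "m1" },
];

// Assumption: Admin and HR are organization-wide. The page only states
// the Manager and Employee rules.
const ORG_WIDE_ROLES = new Set(["Admin", "HR"]);

// Tenant-scoped lookup: organizationId is a mandatory part of the key,
// so an id from another tenant resolves to "not found".
function findEmployee(organizationId, employeeId) {
  const row = employees.find(
    (e) => e.organizationId === organizationId && e.id === employeeId
  );
  return row ?? null;
}

// Shared check called by every handler that returns employee data.
// `session` is built from the verified token, never from request input.
function canViewEmployee(session, targetId) {
  const target = findEmployee(session.organizationId, targetId);
  if (!target) return { allowed: false, reason: "not_found" };
  if (session.userId === target.id) return { allowed: true, reason: "self" };
  if (ORG_WIDE_ROLES.has(session.role)) {
    return { allowed: true, reason: "org_wide_role" };
  }
  if (session.role === "Manager" && target.managerId === session.userId) {
    return { allowed: true, reason: "direct_report" };
  }
  return { allowed: false, reason: "forbidden" };
}
```

Returning "not_found" rather than "forbidden" for another tenant's id keeps the response from confirming that the record exists.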

Audit log

Harmny maintains a tamper-evident audit log of all significant actions within your organization: rating changes, cycle status transitions, goal updates, role changes, and more. Each entry records the actor, timestamp, entity affected, and a diff of what changed.

Audit logs are scoped per organization and are not accessible to other tenants. Admins can access the audit trail from the admin panel. This log is available on all plans.
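
The page does not say how tamper evidence is achieved. The added example below (not Harmny's code) shows one common construction, a per-organization SHA-256 hash chain over the entry fields named above. All function names and sample values are constructed.

```javascript
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64); // prevHash of the first entry in a chain

// Key-sorted serialization so the hash does not depend on property order.
function canonical(v) {
  if (Array.isArray(v)) return "[" + v.map(canonical).join(",") + "]";
  if (v && typeof v === "object")
    return "{" + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(v[k])).join(",") + "}";
  return JSON.stringify(v);
}

function entryHash(prevHash, body) {
  return createHash("sha256").update(prevHash + "\n" + canonical(body)).digest("hex");
}

// Append one entry to an organization's chain; each hash covers the previous one.
function appendEntry(log, { organizationId, actor, timestamp, entity, diff }) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const body = { organizationId, actor, timestamp, entity, diff };
  const entry = { ...body, prevHash, hash: entryHash(prevHash, body) };
  log.push(entry);
  return entry;
}

// Index of the first entry that fails verification, or -1 if the chain is intact.
function verifyChain(log, organizationId) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const { prevHash, hash, ...body } = log[i];
    const ok = body.organizationId === organizationId &&
      prevHash === prev && hash === entryHash(prev, body);
    if (!ok) return i;
    prev = hash;
  }
  return -1;
}

// Constructed sample entries (not real data).
function sampleLog() {
  const log = [];
  appendEntry(log, { organizationId: "orgA", actor: "u-hr-1", timestamp: "2024-01-10T09:00:00Z",
    entity: "cycle:2024-H1", diff: { status: ["draft", "active"] } });
  appendEntry(log, { organizationId: "orgA", actor: "u-mgr-7", timestamp: "2024-01-11T14:30:00Z",
    entity: "rating:e1", diff: { rating: [3, 4] } });
  appendEntry(log, { organizationId: "orgA", actor: "u-admin-1", timestamp: "2024-01-12T08:15:00Z",
    entity: "user:e2", diff: { role: ["Employee", "Manager"] } });
  return log;
}
```

A chain like this detects edits, reordering, and deletions inside the log. Detecting removal of the newest entries or a full rewrite additionally requires storing the latest hash somewhere the log's writer cannot change.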

Infrastructure

Harmny runs on dedicated infrastructure behind nginx and Cloudflare. Services are containerized and isolated from each other via private internal networking — the database, file storage, and application server are not directly reachable from the public internet.

File uploads (avatars, documents) are stored in S3-compatible object storage, isolated from the application server. Access to stored files is controlled via the application — there are no publicly guessable file URLs.

HTTP security headers (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security) are applied on all responses via Helmet.js.
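
An evaluator can check the header list above and the refresh-cookie attributes from the Authentication section against a captured response. The added example below (not Harmny's code) does that over constructed headers; the cookie name refresh_token and all sample values are assumptions.

```javascript
// Headers the page says are applied on all responses.
const REQUIRED_HEADERS = [
  "content-security-policy",
  "x-frame-options",
  "x-content-type-options",
  "strict-transport-security",
];

// Split one Set-Cookie line into its name and lower-cased attributes.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Returns a list of findings; an empty list means every check passed.
function auditResponse(headers, cookieName) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  const findings = [];
  for (const name of REQUIRED_HEADERS) {
    if (!h[name]) findings.push(`missing header: ${name}`);
  }
  const cookie = [].concat(h["set-cookie"] ?? [])
    .map(parseSetCookie)
    .find((c) => c.name === cookieName);
  if (!cookie) return findings.concat(`cookie not set: ${cookieName}`);
  for (const flag of ["httponly", "secure", "samesite"]) {
    if (!cookie.attrs[flag]) findings.push(`cookie ${cookieName} lacks ${flag}`);
  }
  return findings;
}

// Constructed sample response (not captured from harmny.ai).
const sampleHeaders = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Content-Security-Policy": "default-src 'self'",
  "X-Frame-Options": "SAMEORIGIN",
  "X-Content-Type-Options": "nosniff",
  "Set-Cookie": ["refresh_token=abc; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=2592000"],
};
```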

Data practices

Your data is yours. We do not sell, rent, or share customer data with third parties for marketing purposes — ever. Data is used solely to operate and improve the Harmny platform.

On account cancellation, we provide a full data export on request and permanently delete all customer data within 30 days. We do not retain data for analysis or model training after deletion.

GDPR & CCPA

Harmny is designed to support GDPR and CCPA compliance for your organization. We support data subject rights requests — including access, correction, portability, and deletion — through the application and our support team.

For organizations operating in the European Union, we act as a Data Processor under GDPR Article 28 and can provide a standard Data Processing Agreement (DPA) for paid customers. Contact us at [email protected] to request one.

In the event of a security incident affecting customer data, we will notify affected organizations within 72 hours of becoming aware, in alignment with GDPR Article 33.

Vulnerability disclosure

We operate a responsible disclosure program. If you discover a security vulnerability in Harmny, please report it to [email protected]. We will acknowledge your report within 24 hours and aim to resolve confirmed vulnerabilities within 30 days.

Please do not publicly disclose vulnerabilities before we've had a chance to address them. We appreciate researchers who help us keep Harmny secure.

Security questions?

Need a completed security questionnaire, additional documentation, or want to discuss specific requirements for your organization? Our team will respond within one business day.
