Security at Harmny
Harmny is SOC 2 Type II certified, GDPR compliant, and CCPA compliant. All data is encrypted in transit (TLS 1.3) and at rest (AES-256), hosted on AWS infrastructure with US and EU data residency options.
Performance and career data is among the most sensitive information an organization holds. We engineer security into every layer of the platform — not as an afterthought, but as a foundational requirement.
SOC 2 Type II: Certified
GDPR: Compliant
ISO 27001: Aligned
CCPA: Ready
Encryption
All data transmitted between your browser and Harmny servers is encrypted with TLS 1.3. We enforce HTTPS everywhere — there are no unencrypted fallbacks.
Data at rest is encrypted using AES-256. Database backups, file attachments, and all stored credentials are encrypted before they touch a disk. Encryption keys are managed via a dedicated key management service and rotated on a regular schedule.
Infrastructure & hosting
Harmny runs on AWS infrastructure hosted in the United States (us-east-1) and European Union (eu-west-1). Customers on our Enterprise plan can request data residency in their preferred region.
We operate across multiple availability zones with automatic failover. Our target uptime SLA for Business and Enterprise customers is 99.9%. Scheduled maintenance windows are communicated at least 72 hours in advance via our status page.
Network access is strictly controlled via VPC isolation, security groups, and Web Application Firewall rules. Production systems are not accessible from the public internet except through defined API and web endpoints.
Access controls
Harmny uses role-based access control (RBAC) to ensure employees only see data they are authorized to view. Roles include Admin, HR, Manager, Ops, and Employee, each with carefully scoped permissions.
All Harmny employees follow a least-privilege access model. Engineers do not have standing access to production data. Access to customer data requires a written approval process and leaves an immutable audit trail.
SSO integration via SAML 2.0 and OIDC is available on Business and Enterprise plans. Enforce multi-factor authentication (MFA) for your entire organization from the admin panel.
Data practices
Your data is yours. We do not sell, rent, or share customer data with third parties for marketing purposes — ever. Data is used solely to operate and improve the Harmny platform.
Backups are taken every 6 hours and retained for 30 days. Point-in-time recovery is available for database data on Business and Enterprise plans. On account cancellation, we provide a full data export and delete all customer data within 30 days.
GDPR compliance
For organizations operating in the European Union, Harmny acts as a Data Processor under GDPR Article 28. We offer a standard Data Processing Agreement (DPA) for all paid customers. EU data is stored exclusively in our eu-west-1 region.
We support data subject rights requests — including access, portability, correction, and deletion — through both the application UI and our support team. Our sub-processor list is publicly available and kept up to date.
Vulnerability disclosure & incident response
We operate a responsible disclosure program. If you discover a security vulnerability in Harmny, please report it to [email protected]. We will acknowledge your report within 24 hours and aim to resolve confirmed vulnerabilities within 30 days.
In the event of a security incident affecting customer data, we will notify affected organizations within 72 hours of becoming aware of the breach, in compliance with GDPR Article 33 requirements.
Questions about security?
Our security team can provide additional documentation, penetration test reports, or a completed security questionnaire for enterprise procurement.