H2R Gear

Security and Compliance

All the need-to-know info.

By Here to Record • January 30, 2025

This document outlines our commitment to safeguarding the security and privacy of the data you entrust to us. Here, you will find detailed information about how we host and manage our services, our compliance with international security standards, our data protection practices, and the measures we take to ensure the integrity and availability of our systems.

Hosting

Our application components are hosted through the following service:

  • Firebase: Manages user authentication and backend functionalities and hosts static assets and client-side code.

Third-party services

The following third-party services are integrated into our product:

  • Typesense: This is used to store partial gear item data so that it can be searchable.
  • Algolia: This is used to store partial gear item data so that it can be searchable.
  • Paddle: This is used for payment processing.

Authentication

Users can access our Services using either Email/Password authentication or Google OAuth 2.0. Currently, we do not support Two-Factor Authentication.

Session Management

Session tokens are renewed automatically unless the user explicitly revokes them. We enforce an account lockout policy after repeated invalid password attempts to enhance security.

Compliance Certifications

Our servers and infrastructure providers are compliant with major security standards:

  • Firebase: ISO 27001, SOC 1, SOC 2, and SOC 3 compliant. More info
  • Google Cloud Platform: ISO 27001, SOC 1, SOC 2, and SOC 3 compliant. More info

Data Storage

Data related to users, teams and plans is stored in Firebase Firestore in multiple United States regions (Iowa, Oklahoma, South Carolina), with backups retained for 7 days. Images (gear item uploads) are stored in a Google Cloud Platform storage bucket under a “US” location policy.

Security Practices

  • Data Deletion: Upon deletion, data and user accounts are purged from our systems within 30 days. All backups are also erased within 30 days.

Backup and Recovery

Our data recovery strategy includes:

  • Weekly Snapshots: Taken every Sunday with a retention period of 14 days.

System Integrity and Redundancy

  • Testing: We perform automated tests prior to any system update to ensure the integrity of critical functions.

Security Measures

  • Data Encryption: All data in transit is encrypted using SSL. However, data stored on our systems is not encrypted at rest but is safeguarded through strong authentication and security protocols.
  • Third-Party Access: Access to live user data is strictly limited to authorized staff. Confidentiality agreements are in place with contractors and business associates, and where feasible, they work on test or anonymized data to prevent unauthorized access to sensitive information.

For more details on which third-party services we use that may receive personal information, please refer to our Privacy Policy.
