Security & Trust

Last updated: 20.08.2025

Overview

userhive.ai is operated by amara care GmbH, Trautenwolfstraße 5, 80802 München, Germany. We design for GDPR compliance and enterprise security from day one.

Hosting & Data Location

  • Runtime & hosting: Railway (EU/EEA regions)

  • Automation workflows: n8n (self-hosted on Railway, EU/EEA)

  • Database & authentication: Neon (Postgres, EU/EEA regions)

  • Analytics: PostHog (EU/EEA where possible, SCCs if outside)

  • CRM / outreach: Apollo (SCCs if outside EU/EEA)

  • Support: email only

We avoid data transfers outside the EEA where possible; if unavoidable, we use EU Standard Contractual Clauses (SCCs).

Data Protection

  • Encryption in transit: TLS 1.2+ for all traffic

  • Encryption at rest: provider-managed encryption (Railway + Neon)

  • Secrets management: stored securely, never committed to code

  • Data minimization: only collect what's needed; project data auto-deleted after account closure (within 12 months)

Access Controls

  • RBAC: role-based access, least-privilege by default

  • Admin access: restricted to authorized personnel; SSO/2FA required

  • Auditability: provider logs + internal admin action logging

Backups & Resilience

  • Database backups: daily backups with point-in-time recovery (Neon)

  • Retention: rolling backup retention per provider defaults

  • Business continuity: cloud-native redundancy; recovery tested periodically

Secure Development

  • Change management: reviewed pull requests, staged rollouts

  • Dependencies: regular updates, vulnerability scanning

  • Third-party risk: sub-processors bound by DPA and SCCs where required

Incident Response

  • Intake: report issues to security@userhive.ai

  • Process: triage → containment → remediation → post-mortem; notify customers and authorities where required

Privacy

Uptime & Status

  • Target: high availability of the platform

  • Planned: public status page on the roadmap; maintenance windows communicated

Compliance Roadmap

  • Near-term: hardening, security reviews, status page

  • Mid-term: external penetration test; SOC 2 readiness (selected controls)

  • Documentation: DPA available on request