Security
How Harmonia protects your data, isolates tenants, and handles security operations.
Last updated: June 27, 2026
Security is foundational to Harmonia, not a feature bolted on later. This page summarizes how Atlas Minds Co. protects the data you trust to the Harmonia CRM platform. For how we handle personal data, see the Privacy Policy; for contractual processing terms, see the Data Processing Addendum.
Infrastructure
Harmonia runs on managed, industry-standard cloud infrastructure:
- Application hosting on Vercel, with automated builds and TLS by default.
- Database, authentication, and storage on Supabase (managed PostgreSQL), hosted in the United States.
We rely on the physical, network, and host security controls of these providers, each of which maintains its own compliance program (for example, SOC 2).
Tenant isolation
Harmonia is multi-tenant by design. Every record carries an organization identifier, and access is enforced at the database layer with PostgreSQL row-level security (RLS) policies keyed on that identifier, not only in application code. Because PostgreSQL evaluates those policies on every query made under a role subject to RLS, a request scoped to one organization cannot return another organization's rows, even if the application code that built the query has a bug. This database-enforced boundary is the core of how we keep one customer's data invisible to every other customer.
Encryption
- In transit: all traffic is served over HTTPS/TLS.
- At rest: stored data is encrypted by our infrastructure providers.
- Sensitive credentials: integration secrets (such as API keys and OAuth tokens for connected services) are encrypted with authenticated encryption (AES-256-GCM) before they are stored, using a master key held outside the database.
Authentication and access control
- Authentication is handled by Supabase Auth, with support for email/password and Google sign-in, plus multi-factor authentication.
- Access inside an organization is governed by roles, following the principle of least privilege. Platform-level administration is separated from tenant-level administration.
- Internal access to production systems by Atlas Minds personnel is limited to what is needed to operate and support the Service.
Application security
- Input validation at system boundaries using schema validation (Zod) before data is processed.
- CSRF protection on state-changing operations, and signature verification (HMAC-SHA256) of inbound webhooks from connected services before an event is processed.
- Rate limiting on authentication and public API endpoints.
- Audit logging of sensitive operations so administrators can review who did what and when.
- Output safety: user-supplied HTML is sanitized before rendering to prevent cross-site scripting.
Sub-processors
We use a vetted set of sub-processors to deliver the Service (hosting, database, payments, messaging, email, AI, and transcription). The current list and what each one processes is maintained in the Privacy Policy.
Data retention and backups
Customer Data is retained for the life of your account and is available for export while your subscription is active. After an account is closed, data is available for export for a limited period (typically 30 days) and then deleted in the ordinary course, subject to legal retention requirements and routine, time-limited backups. Backups are encrypted and access-controlled.
Availability and continuity
The Service is built on infrastructure with redundancy and automated recovery. We monitor application health and errors and respond to incidents that affect availability.
Reporting a vulnerability
If you believe you have found a security vulnerability, please report it responsibly to support@atlasmindsco.com with enough detail to reproduce the issue. Please do not publicly disclose a vulnerability until we have had a reasonable opportunity to investigate and remediate. We do not pursue legal action against good-faith researchers who follow responsible disclosure and avoid privacy violations, data destruction, and service disruption.
Incident response
If we become aware of a security incident affecting your data, we will investigate, take steps to contain and remediate it, and notify affected customers consistent with our obligations under the Data Processing Addendum and applicable law.
Your responsibilities
Security is shared. You are responsible for keeping your credentials safe, enabling multi-factor authentication, managing your users and their roles, granting integration access only to services you trust, and ensuring the data you load and the messages you send comply with applicable law.
Contact
Security questions or reports: support@atlasmindsco.com.
Atlas Minds Co., builder of Harmonia CRM.