Harbinge.rs builds field intelligence products that reduce operational friction.

[email protected]

Security & Trust

Last updated: July 6, 2026

Forager is built for regulated environments. Security is not a feature we added — it is the architecture. This page summarizes how we protect customer data, what our compliance posture is today, and how to request the detailed documentation your security review needs.

Architecture: Designed to Stay Off Your Network

  • No integration with your enterprise network required. The Forager mobile app runs on Android devices over their own connectivity; Raven beacons broadcast cryptographically signed (HMAC-SHA256) telemetry to gateways that use a dedicated cellular uplink. Nothing we ship joins your Wi-Fi, touches your VLANs, or needs firewall exceptions.
  • Asset data, not patient data. Forager tracks equipment — asset identities, locations, and presence-confirmation history. The platform is not designed to receive or store PHI or patient records.
  • Multi-tenant isolation enforced in the database. Every customer-data table carries row-level security scoped to your organization, enforced by PostgreSQL itself — not by application code. Cross-tenant access is structurally impossible through any application path.

Data Protection

  • Encryption in transit: TLS on every endpoint — mobile app, dashboard, APIs, and webhooks.
  • Encryption at rest: customer data is encrypted at rest by our cloud provider; integration secrets (such as webhook signing keys) are additionally encrypted in a dedicated database vault and are never exposed to browser clients or logs.
  • Photo evidence: attestation photos are stored in private buckets, accessible only through short-lived signed URLs scoped to your organization.
  • Backups: automated daily provider backups plus independent, encrypted, offsite backups under our direct control — verified restores, not assumed ones.

Access Control & Accountability

  • Role-based access: three-tier roles (admin / lead / tech) enforced at the database layer, with site-level scoping for team leads.
  • Multi-factor authentication is mandatory for all administrator accounts — enforced server-side on every request, not just at login.
  • Audit logging: every administrative action is written to an append-only audit log recording who, what, when, origin IP, and outcome — including denied attempts. Audit records cannot be edited or deleted through any application path.
  • Immutable attestation history: presence-confirmation records are insert-only. Corrections create new records; history is never rewritten.

Availability

  • Live status: status.harbinge.rs — public uptime monitoring of production services, with incident history and RSS subscription.
  • Documented disaster recovery with defined recovery priorities and tested restore procedures.
  • Graceful degradation: the core platform runs entirely on major cloud providers; auxiliary processing services can fail without affecting asset tracking, attestation, or dashboard access.

Compliance Posture

SOC 2 Type 2In preparation — control environment implemented and documented; observation period not yet started. Control documentation available to prospective customers under NDA.
HIPAAHIPAA-ready architecture. Forager is designed to operate without PHI; organizations with HIPAA obligations should review Forager's data handling with their compliance teams. BAA available on request.
GDPRData Processing Agreement with Standard Contractual Clauses available for enterprise customers. See our Privacy Policy.
PoliciesMaintained and versioned: incident response, change management, credential rotation, data retention, audit logging, vendor risk. Available under NDA.

Subprocessors

We keep our vendor list short on purpose. Customer data is processed by:

Provider Role Location
Supabase (on AWS)Database, authentication, file storageUnited States (us-west-1)
VercelWeb dashboard hostingUnited States
CloudflareDNS, CDN, DDoS protectionGlobal edge
BackblazeEncrypted offsite backupsUnited States (US West)

Each subprocessor maintains its own independent security attestations (SOC 2 / ISO 27001). Enterprise customers are notified of subprocessor changes per the DPA.

Reporting a Vulnerability

If you believe you have found a security issue in any Harbinge.rs product or service, please email [email protected] with the details. We commit to acknowledging reports within 2 business days. Please do not test against production systems containing customer data without prior written authorization.

Requesting Security Documentation

Prospective customers can request our security questionnaire responses, control documentation, DPA, or BAA by contacting [email protected] or through the contact form. Most requests are fulfilled under a mutual NDA within a few business days.