Security & Trust

Built on trust, secured by design

Security and privacy are not afterthoughts at HeartMetrics. They are foundational to every decision we make.

Security practices

Encryption

All data is encrypted at rest with AES-256 and in transit with TLS 1.3. Connections between our application servers and our databases also run over encrypted channels.

Least Privilege Access

Internal access follows the principle of least privilege: team members can access only what their role requires.

Infrastructure Security

Hosted on SOC 2 compliant infrastructure with automated security monitoring, intrusion detection, and regular vulnerability scanning.

Access Control

Role-based access control (RBAC) ensures managers see only their own teams' data. Organization admins manage roles and permissions centrally.

Audit Logging

All access to employee data is logged. Organization admins can review audit trails showing who accessed what and when.
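The access-control and audit-logging behaviour described above can be illustrated with a small scoped-access check. The following is an added example written for this page, not HeartMetrics code; the roles, data model and log format are hypothetical. It shows the two properties a practitioner would want to verify: a manager can only read employees on their own teams (with default deny for any other role), and every attempt, including a denied one, produces an audit entry recording who, what and when.

```python
"""Team-scoped RBAC check with an audit trail (illustrative, not product code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class User:
    user_id: str
    role: str                  # hypothetical roles: "org_admin" or "manager"
    team_ids: FrozenSet[str]   # teams a manager is scoped to; empty for admins


@dataclass(frozen=True)
class Employee:
    employee_id: str
    team_id: str
    task_metadata: Dict[str, str]   # task status / blockers only, no message content


class AccessDenied(PermissionError):
    pass


@dataclass
class AuditLog:
    entries: List[dict] = field(default_factory=list)

    def record(self, actor: User, employee_id: str, action: str, allowed: bool) -> None:
        # Denied attempts are logged too; a trail that only shows successes
        # hides exactly the probing an admin would want to review.
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "actor": actor.user_id,
            "employee": employee_id,
            "action": action,
            "allowed": allowed,
        })


def can_view(actor: User, employee: Employee) -> bool:
    """Admins see everything; managers see only their own teams; anyone else is denied."""
    if actor.role == "org_admin":
        return True
    if actor.role == "manager":
        return employee.team_id in actor.team_ids
    return False   # default deny for unknown or unprivileged roles


def view_employee(actor: User, employee: Employee, audit: AuditLog) -> Dict[str, str]:
    """Return an employee's task metadata, logging the access whether or not it is allowed."""
    allowed = can_view(actor, employee)
    audit.record(actor, employee.employee_id, "view", allowed)
    if not allowed:
        raise AccessDenied(f"{actor.user_id} may not view {employee.employee_id}")
    return dict(employee.task_metadata)


def list_visible(actor: User, directory: List[Employee], audit: AuditLog) -> List[str]:
    """Filter a directory down to the employees the actor may see, logging each one returned."""
    visible = [e for e in directory if can_view(actor, e)]
    for e in visible:
        audit.record(actor, e.employee_id, "list", True)
    return [e.employee_id for e in visible]


# Constructed sample data for the example.
DIRECTORY = [
    Employee("e1", "team-a", {"open_tasks": "3", "blocked": "1"}),
    Employee("e2", "team-a", {"open_tasks": "5", "blocked": "0"}),
    Employee("e3", "team-b", {"open_tasks": "2", "blocked": "2"}),
]
MANAGER_A = User("alice", "manager", frozenset({"team-a"}))
ORG_ADMIN = User("root", "org_admin", frozenset())
CONTRACTOR = User("eve", "contractor", frozenset({"team-a"}))  # role with no view rights


if __name__ == "__main__":
    log = AuditLog()
    print("manager sees:", list_visible(MANAGER_A, DIRECTORY, log))
    print("admin sees:  ", list_visible(ORG_ADMIN, DIRECTORY, log))
    try:
        view_employee(MANAGER_A, DIRECTORY[2], log)
    except AccessDenied as err:
        print("denied:", err)
    print("audit entries:", len(log.entries), "last:", log.entries[-1])
```

The scope check lives in one function (`can_view`) that both the single-record read and the list path call, so the two code paths cannot drift apart; the audit call happens before the allow/deny decision is acted on, so a denied read still leaves a trace.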

Incident Response

We maintain an incident response plan with clear escalation procedures, and we will notify affected users within 72 hours of confirming a breach.

Data boundaries

Clear, transparent boundaries on what HeartMetrics accesses.

What we access

Task metadata (status, assignees, blockers)
Meeting duration and frequency
Public recognition events
Project assignment data

What we never access

Private messages or chat content
Email body text
File contents or documents
Keystroke or mouse tracking
Screen recordings or webcam
Browsing history
Personal social media

Data deletion

You can request full data deletion at any time through your account Settings or by emailing privacy@heartmetrics.io. All data is permanently removed within 30 days of your request.