Security

Built honestly. Stored safely.

We take operational and data security seriously because our customers' books depend on it.

Encryption

Sensitive employee fields (NI number, bank details) are encrypted at rest using AES-256-GCM with a tenant-derived key. All traffic is over HTTPS in production. Session cookies are HMAC-signed, HTTP-only, and SameSite-Lax with the secure flag enabled.
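The field-level scheme above, as an added Go example that is not Hublitics' own code: a per-tenant AES-256 key is derived from a service master key (the single HMAC-SHA256 step is an assumption, the page names no KDF), and each value is sealed with AES-GCM under additional authenticated data that binds it to its tenant and column, so a ciphertext copied between tenants or columns fails to decrypt. The label string, the `nonce || ciphertext || tag` storage layout and the column names are also assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"io"
)

// tenantAEAD builds AES-256-GCM under a per-tenant key derived from the service
// master key with one HMAC-SHA256 step (an assumed KDF; the page names none).
func tenantAEAD(master []byte, tenantID string) (cipher.AEAD, error) {
	kdf := hmac.New(sha256.New, master)
	kdf.Write([]byte("field-encryption/" + tenantID)) // assumed label, per tenant
	block, err := aes.NewCipher(kdf.Sum(nil)) // 32-byte output, so AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to its tenant and column, so a value moved to another
// tenant's row or another column fails authentication on decrypt.
func aad(tenantID, field string) []byte { return []byte(tenantID + "|" + field) }

// encryptField returns nonce || ciphertext || tag, the layout stored in the column.
func encryptField(master []byte, tenantID, field string, plaintext []byte) ([]byte, error) {
	gcm, err := tenantAEAD(master, tenantID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per value
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad(tenantID, field)), nil
}

// decryptField reverses encryptField; a truncated record is rejected before slicing.
func decryptField(master []byte, tenantID, field string, stored []byte) ([]byte, error) {
	gcm, err := tenantAEAD(master, tenantID)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(stored) >= n {
		return gcm.Open(nil, stored[:n], stored[n:], aad(tenantID, field))
	}
	return nil, io.ErrUnexpectedEOF // stored value shorter than a nonce
}
```

In production the master key would live in a KMS or HSM and the derivation would be HKDF; the HMAC step here stands in for that.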

Authentication

Passwordless. Sign-in is via Google OAuth — Google verifies the user and we receive only the verified email and display name. No passwords are ever stored. Workspaces are invitation-only: only email addresses your platform admin has provisioned ahead of time can sign in. SAML SSO is on the roadmap for the Business tier.

Multi-tenancy

Every business-data table is keyed on tenant_id and every server-side query is scoped to the signed-in user's tenant. The schema is designed to migrate cleanly to row-level security on Postgres.

Auditability

Every create, update, delete, and status change writes a row to an immutable audit log, viewable by owners and admins. Logs include the actor, timestamp, and a JSON diff.

Data residency & backups

Production data is hosted in the UK / EU. We take encrypted, point-in-time backups daily, retained for 30 days. You can export your tenant data as CSV at any time.

Responsible disclosure

Found something? Email hublitics@outlook.com. We acknowledge within one working day and aim for a fix or mitigation within 30 days, depending on severity.

Hublitics — operations software for UK SMBs