Security & Trust

At Hasfy, security is not an option: it is built into the product architecture from the ground up. This page describes the technical and organisational measures we apply to protect your data and your clients' data.

1. Data ownership

The data you host on Hasfy belongs entirely to you. Hasfy acts as a data processor under the GDPR: we process your data solely according to your instructions and never exploit it for our own purposes. We never access your data without your explicit consent. The only exception concerns support requests that you initiate yourself: in that case, access is limited to the strict minimum, logged in our audit trails, and revoked as soon as the request is resolved. You retain at all times the right to request a full export of your data or its permanent deletion. Such requests are handled within 30 days.

2. Per-tenant data isolation

Hasfy's multi-tenant architecture is designed to guarantee strict isolation between customer accounts. Your data is never mixed with another customer's data, including at the database level.

2.1 Separate PostgreSQL schemas

Each tenant has its own PostgreSQL schema. This logical separation ensures that a poorly formed query or an application bug cannot, by design, reach another customer's data. Cross-schema access is prohibited at the database permission level.

2.2 Row-Level Security (RLS)

In addition to schema-level isolation, PostgreSQL's Row-Level Security feature is enabled on all sensitive tables. Every query is automatically filtered to return only the rows belonging to the authenticated tenant, even in the event of an error in the application layer. This double layer of protection — schema separation and RLS — constitutes our defence-in-depth against any cross-tenant data leakage risk.
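The two layers described in 2.1 and 2.2 can be sketched in PostgreSQL as follows. This is an added example, not Hasfy's actual schema or configuration: the roles `tenant_a_app` and `tenant_b_app`, the schemas `tenant_a` and `tenant_b`, the `invoices` table, and the `app.tenant_id` setting are all hypothetical.

```sql
-- Added example; every role, schema, table and setting name is hypothetical.
-- Layer 1 (section 2.1): one schema per tenant, usable only by that tenant's role.
CREATE ROLE tenant_a_app NOLOGIN;
CREATE ROLE tenant_b_app NOLOGIN;
CREATE SCHEMA tenant_a;
CREATE SCHEMA tenant_b;
REVOKE ALL ON SCHEMA tenant_a, tenant_b FROM PUBLIC;
GRANT USAGE ON SCHEMA tenant_a TO tenant_a_app;
GRANT USAGE ON SCHEMA tenant_b TO tenant_b_app;

CREATE TABLE tenant_a.invoices (
    id         bigint PRIMARY KEY,
    tenant_id  text NOT NULL,
    amount_eur numeric(12,2) NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON tenant_a.invoices TO tenant_a_app;

-- Layer 2 (section 2.2): RLS. FORCE applies the policy to the table owner too,
-- so only superusers and BYPASSRLS roles are exempt.
ALTER TABLE tenant_a.invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE tenant_a.invoices FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) yields NULL when the setting is absent, the
-- comparison is then NULL, and the policy fails closed.
CREATE POLICY tenant_isolation ON tenant_a.invoices
    USING      (tenant_id = current_setting('app.tenant_id', true))
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true));

-- Per request, the application binds role and tenant for one transaction only.
BEGIN;
SET LOCAL ROLE tenant_a_app;
SET LOCAL app.tenant_id = 'tenant_a';
INSERT INTO tenant_a.invoices VALUES (1, 'tenant_a', 120.00);  -- constructed row
SELECT id, amount_eur FROM tenant_a.invoices;
COMMIT;

-- Check a reviewer can run: tenant B's role has no USAGE on schema tenant_a,
-- so the statement is rejected by the permission check before RLS is consulted.
BEGIN;
SET LOCAL ROLE tenant_b_app;
SELECT count(*) FROM tenant_a.invoices;
ROLLBACK;
```

Because any role can set a custom setting such as `app.tenant_id`, the policy guards against application mistakes, while the schema grants remain the boundary the application role cannot change.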

3. Internal production access

Access to the production environment is strictly limited to a small number of Hasfy team members. No access is granted without documented justification, and every connection is recorded with the identity of the person, the timestamp, and the reason for the action. Access is granted on a least-privilege basis: each team member holds only the permissions strictly necessary for their task. Temporary access is automatically revoked at the end of the intervention. Your data is never accessed for commercial, analytical, or development purposes. Development and testing environments use synthetic data exclusively.

4. Subprocessors

Hasfy relies on a limited number of subprocessors for hosting and service delivery. Each is selected for its security and GDPR compliance guarantees, and bound by a data processing agreement.

OVH — Infrastructure, Website & Application

Hasfy's entire infrastructure — marketing website, application and database — is hosted at OVH SAS, on servers located in France. OVH holds ISO 27001 and HDS (Health Data Hosting) certifications, and publishes detailed GDPR compliance documentation at the following address: https://www.ovhcloud.com/en/personal-data-protection/

The choice of OVH guarantees data sovereignty: your data never leaves French territory and is not subject to extraterritorial legislation such as the US Cloud Act.

5. Data encryption

Data is protected by encryption both during network exchanges and when stored on the infrastructure.

5.1 Data in transit

All communications between your browser or application client and our servers are encrypted using the TLS protocol. We enforce a minimum of TLS 1.2 and default to TLS 1.3. Unencrypted connections (HTTP) are automatically redirected to HTTPS. TLS certificates are issued and renewed automatically.

5.2 Data at rest

Data stored on OVH volumes benefits from disk encryption at the infrastructure level. Database backups are also encrypted before storage.

6. GDPR compliance

Hasfy is committed to complying with the General Data Protection Regulation (GDPR — EU Regulation 2016/679). As a data processor, we implement appropriate technical and organisational measures to ensure the security of the personal data you entrust to us.

6.1 Data Processing Agreement (DPA)

A Data Processing Agreement (DPA) compliant with the requirements of Article 28 of the GDPR is available to all customers on request at contact@hasfy.fr. This document formalises the respective obligations of Hasfy as data processor and the customer as data controller.

6.2 Breach notification

In the event of a data breach likely to result in a risk to the rights and freedoms of the individuals concerned, Hasfy undertakes to notify the customer, as data controller, within a maximum of 72 hours of becoming aware of it, in accordance with Article 33 of the GDPR. The notification will include the nature of the breach, the categories of data affected, the approximate number of individuals concerned, and the measures taken or planned.

6.3 Right to erasure

You may at any time request the complete deletion of your account and all associated data by sending a request to contact@hasfy.fr. Deletion is effective within 30 days. Deleted data is not retained in backups beyond an additional period of 30 days.

7. Vulnerability disclosure

If you have identified a security vulnerability, abnormal behaviour, or any other issue that could compromise the security of the platform or its data, we invite you to report it responsibly to contact@hasfy.fr. We commit to acknowledging your report within 48 hours and to treating any serious finding as a priority. We ask that you do not publicly disclose the vulnerability before it has been fixed and we have confirmed the resolution to you.

This security page was last updated on 19/03/2025.
