Security

Last updated: 2026-06-16

Our Approach

SDX Studio takes the security of HeedLab and your data seriously. We build on hardened infrastructure, follow industry best practices, and continuously review our code and systems. This page describes the measures in place today and is kept current as our practices evolve.

Data Residency

We use reputable cloud infrastructure and apply appropriate safeguards (such as Standard Contractual Clauses) for any transfers outside the EEA. Optional AI features may involve processing by a third-party LLM provider; these features can be disabled and have non-AI fallbacks.

Encryption in Transit

All traffic between your browser and HeedLab is encrypted using TLS 1.2 or higher. We enforce HTTPS across every endpoint and redirect plain HTTP requests. Custom domains are provisioned with automatically renewed TLS certificates.

Encryption at Rest

Data stored in our managed database and object storage is encrypted at rest. Passwords are never stored in plaintext; they are hashed using a modern adaptive (deliberately slow, work-factor-tunable) password-hashing algorithm, so a leaked database does not yield usable credentials.

Authentication and Access

  • Session tokens are cryptographically signed and expire after a configurable period.
  • Email/password login is supported alongside Google and GitHub social login, with server-side rate limiting on authentication endpoints.
  • Two-factor authentication and SAML/OIDC single sign-on are available for workspaces that require them.
  • Invitation links are single-use tokens with short expiry windows.
  • Role-based access control (owner, admin, viewer) governs what each member can see and do.
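Two of the controls above, cryptographically signed session tokens with an expiry and single-use invitation links with a short expiry window, are shown below in one added example written for this page. It is not HeedLab's code and makes no claim about HeedLab's token format. It assumes an HMAC-SHA256 signature over a base64url JSON payload, an absolute expiry claim, a random per-token id (`jti`) so an invitation can be marked as consumed, and an in-memory set standing in for the database table of consumed invitations. The signing key is generated at import time for the illustration; a real service would load it from its secret store.

```python
"""Signed, expiring session tokens and single-use invitations (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed server-side signing key (stand-in for a value from the secret store).
SIGNING_KEY = secrets.token_bytes(32)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, ttl_seconds: int, key: bytes = SIGNING_KEY,
                now: Optional[float] = None) -> str:
    """Return '<payload>.<signature>'. The payload carries an absolute expiry
    (exp) and a random token id (jti) so individual tokens can be consumed."""
    now = time.time() if now is None else now
    body = dict(claims, exp=int(now) + ttl_seconds, jti=secrets.token_hex(16))
    payload = _b64e(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64e(sig)}"


def verify_token(token: str, key: bytes = SIGNING_KEY,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired,
    else None. The signature is checked before the payload is parsed."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        claims = json.loads(_b64d(payload))
    except (ValueError, UnicodeError):
        # Missing separator, bad base64, or malformed JSON: reject.
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


# Stand-in for a persistent table of consumed invitation ids (assumption).
_used_invitations = set()


def redeem_invitation(token: str, key: bytes = SIGNING_KEY,
                      now: Optional[float] = None) -> Optional[dict]:
    """Single-use: a valid, unexpired invitation token can be redeemed once.
    Session tokens are rejected here even though they carry a valid signature,
    because the 'kind' claim is checked, not just the signature."""
    claims = verify_token(token, key, now)
    if claims is None or claims.get("kind") != "invite":
        return None
    if claims["jti"] in _used_invitations:
        return None
    _used_invitations.add(claims["jti"])
    return claims


if __name__ == "__main__":
    session = issue_token({"sub": "user-1"}, ttl_seconds=3600)
    print(verify_token(session) is not None)                    # True
    invite = issue_token({"kind": "invite", "ws": "acme"}, ttl_seconds=600)
    print(redeem_invitation(invite) is not None)                 # True: first use
    print(redeem_invitation(invite))                             # None: already used
```

The `now` parameter exists so expiry can be tested deterministically; the order of checks in `verify_token` (signature first, then parse, then expiry) is deliberate, since nothing in an unauthenticated payload should influence control flow before the MAC has been verified.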

Infrastructure

  • Application servers run on managed cloud infrastructure with private networking between services.
  • Database access is restricted to application servers; no public database endpoints are exposed.
  • Secrets and credentials are managed as encrypted environment variables and are never committed to source control.
  • Error monitoring via Sentry is configured to scrub sensitive fields before transmission.
  • Bot and abuse protection is enforced at authentication and ingestion endpoints.

Operational Controls

Internal access to production systems follows the principle of least privilege and requires multi-factor authentication. Security-relevant actions are logged, and Business workspaces have access to an audit log of administrative activity.

Compliance

HeedLab supports GDPR data-subject rights today, with self-service data export and account deletion built in. We do not currently hold formal third-party certifications (such as SOC 2 or ISO 27001) and make no claim to them; if that changes, we will publish the details here.

Responsible Disclosure

If you discover a security vulnerability in HeedLab, please report it to sdx-support@protonmail.com. We ask that you give us reasonable time to investigate and remediate before any public disclosure and that you avoid accessing or modifying other users' data. We do not currently operate a paid bug-bounty programme, but we genuinely appreciate responsible researchers.

Contact

Security concerns and disclosures: sdx-support@protonmail.com.