Security and Data Protection
Effective Date: 11 February 2026 · Document Ref: HHQ-POL-SEC-001
ABN 34 689 167 477 · ACN 689 167 477
Security and
Data Protection
How we protect your data and maintain platform integrity
Effective Date: 11 February 2026
Document Reference: HHQ-POL-SEC-001
Classification: PUBLIC
Review Cycle: Annual (or upon material change)
1. Our Commitment
At Handover HQ Pty Ltd, the security and protection of your data is fundamental to everything we build. As an AI-powered platform that processes sensitive employee knowledge and organisational data, we recognise the critical importance of maintaining the highest standards of data security.
This document provides an overview of our security practices, infrastructure, and the measures we take to protect your information. These protections apply equally to all users, whether on the three (3) month Free Trial or a paid subscription plan.
2. Infrastructure Security
2.1 Cloud Hosting
Handover HQ’s platform is hosted on managed cloud infrastructure, with customer data held in Australia. Our primary database and authentication layer (Supabase) run on AWS ap-southeast-2 (Sydney), and our application API (Fly.io) runs in the Sydney region. Frontend delivery uses Vercel’s global edge network with a Sydney point of presence. A full list of infrastructure providers is maintained in our Sub-processor Register at handoverhq.com/legal/sub-processors (or handoverhq.ai/legal/sub-processors).
Our infrastructure is designed with the following principles:
2.2 Network Security
3. Data Encryption
3.1 In Transit
All data transmitted between your browser or application and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and employ HSTS (HTTP Strict Transport Security) headers to prevent protocol downgrade attacks.
3.2 At Rest
All data stored on our servers is encrypted at rest using AES-256 encryption. This includes account data, Handover Content (questionnaire responses, documents, voice recordings, transcriptions), and all backup data.
3.3 Key Management
Encryption keys are managed through industry-standard key management services with regular key rotation. Access to encryption keys is strictly limited to authorised personnel and systems.
4. Access Controls
4.1 Authentication
4.2 Authorisation
4.3 Internal Access
Access to customer data by Handover HQ employees is strictly controlled:
5. AI Model Security
Given the central role of AI in our platform, we apply specific security measures to our AI processing pipeline:
6. Data Processing and Storage
6.1 Data Residency
Customer data is stored at rest in Australia (AWS ap-southeast-2, Sydney). Certain sub-processors that support the Service — for example AI processing and email delivery — operate in the United States; where data is transferred internationally, we apply the safeguards described in our Privacy Policy and Data Processing Agreement. Enterprise customers with specific data residency requirements should contact security@handoverhq.com / security@handoverhq.ai.
6.2 Data Backup and Recovery
6.3 Data Deletion
When you delete data or close your account, we follow a defined data deletion process:
6.4 Free Trial Data Handling
Data collected and processed during the three (3) month Free Trial receives the same level of security protection as data under paid subscriptions. Upon trial expiry without conversion to a paid plan, your data is retained for thirty (30) days to allow conversion, after which the standard data deletion process applies.
7. Incident Response
Handover HQ maintains a documented incident response plan that includes:
8. Compliance
Handover HQ is committed to meeting the compliance requirements expected by our customers:
[Note: As Handover HQ scales, we intend to pursue SOC 2 Type II certification and ISO 27001 certification. Timelines for these certifications will be communicated to customers as they are confirmed.]
9. Sub-Processors
We engage certain third-party sub-processors to assist in providing the Service. Each sub-processor is bound by data processing agreements that require them to protect your data to standards equivalent to those described in this document.
A full, current sub-processor list is published in our Sub-processor Register at handoverhq.com/legal/sub-processors (or handoverhq.ai/legal/sub-processors) and in our Trust Centre at handoverhq.com/trust (or handoverhq.ai/trust). We provide at least 30 days’ advance notice of any new sub-processor; email security@handoverhq.com / security@handoverhq.ai to subscribe to change notifications.
10. Responsible Disclosure
We welcome responsible disclosure of security vulnerabilities. If you discover a vulnerability in our Service, please report it to security@handoverhq.com / security@handoverhq.ai. We ask that you:
We commit to acknowledging your report within 48 hours and working with you to understand and resolve the issue promptly.
11. Contact Us
For security-related enquiries or to request further detail about our security practices, please contact us at:
Security Team: security@handoverhq.com / security@handoverhq.ai
General Enquiries: enquiries@handoverhq.com / enquiries@handoverhq.ai
Handover HQ Pty Ltd (ABN 34 689 167 477 · ACN 689 167 477)
Websites: handoverhq.com and handoverhq.ai