Handover HQHandover HQ

Security and Data Protection

Effective Date: 11 February 2026 · Document Ref: HHQ-POL-SEC-001

ABN 34 689 167 477 · ACN 689 167 477

Security and

Data Protection

How we protect your data and maintain platform integrity

Effective Date: 11 February 2026

Document Reference: HHQ-POL-SEC-001

Classification: PUBLIC

Review Cycle: Annual (or upon material change)

1. Our Commitment

At Handover HQ Pty Ltd, the security and protection of your data is fundamental to everything we build. As an AI-powered platform that processes sensitive employee knowledge and organisational data, we recognise the critical importance of maintaining the highest standards of data security.

This document provides an overview of our security practices, infrastructure, and the measures we take to protect your information. These protections apply equally to all users, whether on the three (3) month Free Trial or a paid subscription plan.

2. Infrastructure Security

2.1 Cloud Hosting

Handover HQ’s platform is hosted on managed cloud infrastructure, with customer data held in Australia. Our primary database and authentication layer (Supabase) run on AWS ap-southeast-2 (Sydney), and our application API (Fly.io) runs in the Sydney region. Frontend delivery uses Vercel’s global edge network with a Sydney point of presence. A full list of infrastructure providers is maintained in our Sub-processor Register at handoverhq.com/legal/sub-processors (or handoverhq.ai/legal/sub-processors).

Our infrastructure is designed with the following principles:

  • Geographically distributed for resilience and low-latency access across our operating regions (Australia/NZ, UK, US).
  • Automatic scaling to handle varying workloads without service degradation.
  • Redundant systems with failover capabilities to ensure high availability.
  • 2.2 Network Security

  • All external traffic is routed through firewalls and web application firewalls (WAFs).
  • DDoS protection is implemented at the network edge.
  • Internal network segmentation isolates critical systems and limits lateral movement.
  • Regular vulnerability scanning and penetration testing is conducted.
  • 3. Data Encryption

    3.1 In Transit

    All data transmitted between your browser or application and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and employ HSTS (HTTP Strict Transport Security) headers to prevent protocol downgrade attacks.

    3.2 At Rest

    All data stored on our servers is encrypted at rest using AES-256 encryption. This includes account data, Handover Content (questionnaire responses, documents, voice recordings, transcriptions), and all backup data.

    3.3 Key Management

    Encryption keys are managed through industry-standard key management services with regular key rotation. Access to encryption keys is strictly limited to authorised personnel and systems.

    4. Access Controls

    4.1 Authentication

  • Multi-factor authentication (MFA) is available for all user accounts and is strongly recommended.
  • SSO/SAML integration is available on Business and Enterprise plans for centralised identity management.
  • Password policies enforce minimum complexity requirements.
  • Session management includes automatic timeout after periods of inactivity.
  • 4.2 Authorisation

  • Role-based access control (RBAC) ensures users only access data and features appropriate to their role.
  • Principle of least privilege is applied to all system access.
  • Administrative access requires separate authentication and is subject to audit logging.
  • 4.3 Internal Access

    Access to customer data by Handover HQ employees is strictly controlled:

  • Access is granted on a need-to-know basis and requires management approval.
  • All access to production systems is logged and auditable.
  • Employees undergo security awareness training upon onboarding and annually thereafter.
  • Background checks are conducted for all employees with access to customer data.
  • 5. AI Model Security

    Given the central role of AI in our platform, we apply specific security measures to our AI processing pipeline:

  • Data Isolation: Customer data processed by AI models is isolated per organisation. One customer's data is never used to train models for or generate outputs for another customer. This applies to Free Trial and paid accounts equally.
  • Model Input Sanitisation: All inputs to AI models are sanitised to prevent prompt injection and other AI-specific attack vectors.
  • Output Review: AI-generated outputs are subject to automated quality and safety checks before being presented to users.
  • Third-Party AI Providers: Where we use third-party AI model providers, we ensure contractual obligations require them to process data securely, not retain customer data beyond the processing period, and not use customer data to train their models. [Specific AI providers will be disclosed once confirmed.]
  • 6. Data Processing and Storage

    6.1 Data Residency

    Customer data is stored at rest in Australia (AWS ap-southeast-2, Sydney). Certain sub-processors that support the Service — for example AI processing and email delivery — operate in the United States; where data is transferred internationally, we apply the safeguards described in our Privacy Policy and Data Processing Agreement. Enterprise customers with specific data residency requirements should contact security@handoverhq.com / security@handoverhq.ai.

    6.2 Data Backup and Recovery

  • Automated backups are performed daily with point-in-time recovery capability.
  • Backups are encrypted and stored in geographically separate locations from primary data.
  • Recovery procedures are tested regularly to ensure our stated Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) are met.
  • 6.3 Data Deletion

    When you delete data or close your account, we follow a defined data deletion process:

  • Handover Content is made available for export for 30 days following account closure or Free Trial expiry.
  • After the export period, data is permanently deleted from primary storage within 30 days.
  • Backup copies are purged in accordance with our backup retention schedule (typically within 90 days).
  • Deletion certificates can be provided upon request for Enterprise customers.
  • 6.4 Free Trial Data Handling

    Data collected and processed during the three (3) month Free Trial receives the same level of security protection as data under paid subscriptions. Upon trial expiry without conversion to a paid plan, your data is retained for thirty (30) days to allow conversion, after which the standard data deletion process applies.

    7. Incident Response

    Handover HQ maintains a documented incident response plan that includes:

  • Detection: Automated monitoring and alerting systems to detect potential security incidents in real time.
  • Assessment: Rapid triage and assessment of incident severity and scope by our security team.
  • Containment: Immediate steps to contain the incident and prevent further impact.
  • Notification: In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law, including the Australian Notifiable Data Breaches (NDB) scheme, GDPR, and other applicable breach notification requirements. This obligation extends to data held during Free Trial periods.
  • Remediation: Root cause analysis and implementation of measures to prevent recurrence.
  • Post-Incident Review: Documentation and lessons-learned process to continuously improve our security posture.
  • 8. Compliance

    Handover HQ is committed to meeting the compliance requirements expected by our customers:

  • Privacy Act 1988 (Cth): Compliance with Australian Privacy Principles (APPs) and the Notifiable Data Breaches scheme.
  • GDPR: Compliance with the EU General Data Protection Regulation for our European customers.
  • UK Data Protection Act 2018: Compliance with UK data protection requirements.
  • CCPA: Compliance with the California Consumer Privacy Act.
  • [Note: As Handover HQ scales, we intend to pursue SOC 2 Type II certification and ISO 27001 certification. Timelines for these certifications will be communicated to customers as they are confirmed.]

    9. Sub-Processors

    We engage certain third-party sub-processors to assist in providing the Service. Each sub-processor is bound by data processing agreements that require them to protect your data to standards equivalent to those described in this document.

    A full, current sub-processor list is published in our Sub-processor Register at handoverhq.com/legal/sub-processors (or handoverhq.ai/legal/sub-processors) and in our Trust Centre at handoverhq.com/trust (or handoverhq.ai/trust). We provide at least 30 days’ advance notice of any new sub-processor; email security@handoverhq.com / security@handoverhq.ai to subscribe to change notifications.

    10. Responsible Disclosure

    We welcome responsible disclosure of security vulnerabilities. If you discover a vulnerability in our Service, please report it to security@handoverhq.com / security@handoverhq.ai. We ask that you:

  • Allow us reasonable time to investigate and address the vulnerability before any public disclosure.
  • Do not access or modify data belonging to other users.
  • Act in good faith to avoid disruption to the Service.
  • We commit to acknowledging your report within 48 hours and working with you to understand and resolve the issue promptly.

    11. Contact Us

    For security-related enquiries or to request further detail about our security practices, please contact us at:

    Security Team: security@handoverhq.com / security@handoverhq.ai

    General Enquiries: enquiries@handoverhq.com / enquiries@handoverhq.ai

    Handover HQ Pty Ltd (ABN 34 689 167 477 · ACN 689 167 477)

    Websites: handoverhq.com and handoverhq.ai