Get a demo
Security Overview

Security Overview

The controls behind Heyou's product — tenant isolation, EU data residency, encryption, AI-call PII minimization, SSO/MFA, third-party penetration testing, and our incident-response posture.

Effective: 2026-05-10Last updated: 2026-05-10Version: 1.0
In this document

1. Certifications and Frameworks

  • ISO/IEC 27001:2022 — Certified. SII Certificate No. 1127825 (ANAB-accredited), IQNET registration IL-1127825, valid 23 Apr 2026 → 23 Apr 2029. Download SII certificate · Download IQNET attestation.
  • SOC 2 Type II — Audit engagement signed; observation period in flight. Download letter of intent. The final SOC 2 Type II report will be available under MNDA on completion.
  • ISO/IEC 42001:2023 — Under internal evaluation.
  • ISO/IEC 27018:2019 — Under internal evaluation.

2. Architecture

Heyou runs on Google Cloud Platform using a managed-services architecture. Customer Data is logically isolated at the application, database, and object-storage layer at the tenant organization level. User Data connected from personal resources is further isolated at the User level within a tenant, scoped by user ID such that Customer admins and other Authorized Users cannot retrieve it unless the connecting User has affirmatively shared specific data with the organization.

User Data is protected by the same encryption, tenant-scoping, and access controls described in this Security Overview. The architectural distinction is scope of access — User-only versus tenant-wide — not a separate security stack.

Data Residency

Customers can be configured for region-aligned deployment. For EU tenants, Customer Data is stored in Google Cloud’s europe-north1 region in Finland unless otherwise agreed. US regional deployment may be available where applicable. AI processing through Vertex AI / Gemini is configured to align with the customer’s tenant region where supported by the provider, model, and endpoint configuration.

Browser Extension Posture

The Heyou Browser Extension is the surface most CISOs scrutinize first. The platform is engineered so Heyou's backend has no token, no credential, and no privileged path to act against any user's third-party accounts — and so customer administrators retain full enterprise control over what gets installed and how.

In short: Heyou never receives, stores, or replays a token capable of reading, posting, or taking action on a user's behalf. All read operations occur inside the user's authenticated browser session via the extension. The extension is Manifest V3, distributed exclusively through the Chrome Web Store under a stable extension ID, and deployable via standard Chrome enterprise policies (ExtensionInstallForcelist, ExtensionSettings for version pinning, ExtensionInstallBlocklist) through Microsoft Intune, Jamf, Google Workspace, JumpCloud, or any MDM that pushes Chrome policy.

The full posture — per-permission table with justifications, egress allowlist, publisher-account controls, ownership-transfer commitments, and revocation flow — is documented in the Public Trust Overview, §14 Browser Extension Security Posture.

3. Encryption and PII Protection

  • At rest: customer data stores and backups are encrypted using Google-managed encryption or equivalent managed cloud encryption.
  • In transit: TLS is used on network paths.
  • Secrets: managed through Google Secret Manager; secrets are not stored in source code or build logs.
  • PII minimization: where direct identifiers are not required for third-party generative AI processing, identifiers such as names, email addresses, and phone numbers may be masked with placeholders before model calls, then re-associated inside Heyou.

4. Access Control

  • SSO support via standard enterprise identity protocols.
  • MFA enforced for internal administrators.
  • Role-based access controls in-product.
  • Audit logs available for relevant administrative and security events.
  • Production access is limited to approved operational needs and governed by least-privilege principles.
  • Access reviews and prompt revocation processes are maintained.

5. Software Development Lifecycle

  • Code review required for production changes.
  • Branch protection for production branches.
  • Static analysis, dependency scanning, and secrets scanning in CI.
  • Vulnerability scanning of applications and infrastructure.
  • Dependency patching based on severity.
  • Change management with rollback procedures.

6. Vulnerability Management

  • Continuous scanning of infrastructure and applications.
  • Coordinated vulnerability disclosure via dpo@heyou.io.
  • Good-faith vulnerability reports are welcomed and handled under Heyou’s coordinated disclosure process.
  • Third-party penetration testing and remediation tracking are performed as part of the security program.

7. Monitoring and Incident Response

  • 24/7 on-call coverage.
  • Documented incident-response runbooks.
  • Centralized security and audit logs.
  • Post-incident review process.
  • Customer notification for confirmed material security incidents involving Customer Data in accordance with the DPA.

8. Business Continuity and Disaster Recovery

  • Encrypted backups.
  • Recovery processes aligned with service availability objectives.
  • Disaster-recovery and crisis-response procedures.
  • Testing and tabletop exercises as appropriate to the maturity of the program.

9. People

  • Confidentiality agreements for personnel.
  • Security and privacy training.
  • Role-based training for functions with elevated access.
  • Secure device-management practices, including disk encryption and patching.

10. Vendor Management

  • Risk-tiered vendor assessment before onboarding.
  • Contractual controls including DPA, security addendum where applicable, and confidentiality commitments.
  • Re-review for critical vendors.
  • Subprocessor change notification in accordance with the DPA.
Architecture

Where your data sits, and what touches it.

Two diagrams: the app-side data flow (sources → ingestion → classification → relationship intelligence → human review → outputs), and the underlying GCP infrastructure (Cloud Run + Cloud SQL Postgres + Vertex AI in europe-north1). Tenant isolation at every layer.

Privacy, AI governance, and the human-in-the-loop execution boundary.
Security and managed-service boundaries in europe-north1.

Click either diagram to inspect at full size. PDF versions available on request for trust-review packs — email dpo@heyou.io.