Get a demoRequest access
Security Overview

Security Overview

The controls behind Heyou's product — tenant isolation, EU data residency, encryption, AI-call PII minimization, SSO/MFA, third-party penetration testing, and our incident-response posture.

Effective: 2026-05-10Last updated: 2026-05-10Version: 1.0
In this document

1. Certifications and Frameworks

  • ISO/IEC 27001:2022 — Certified. SII Certificate No. 1127825 (ANAB-accredited), IQNET registration IL-1127825, valid 23 Apr 2026 → 23 Apr 2029. Download SII certificate · Download IQNET attestation.
  • SOC 2 Type II — Audit engagement signed; observation period in flight. Download letter of intent. The final SOC 2 Type II report will be available under MNDA on completion.
  • ISO/IEC 42001:2023 — Under internal evaluation.
  • ISO/IEC 27018:2019 — Under internal evaluation.

2. Architecture

Heyou runs on Google Cloud Platform using a managed-services architecture. Customer Data is logically isolated at the application, database, and object-storage layer at the tenant organization level. User Data connected from personal resources is further isolated at the User level within a tenant, scoped by user ID such that Customer admins and other Authorized Users cannot retrieve it unless the connecting User has affirmatively shared specific data with the organization.

User Data is protected by the same encryption, tenant-scoping, and access controls described in this Security Overview. The architectural distinction is scope of access — User-only versus tenant-wide — not a separate security stack.

Data Residency

Customers can be configured for region-aligned deployment. For EU tenants, Customer Data is stored in Google Cloud’s europe-north1 region in Finland unless otherwise agreed. US regional deployment may be available where applicable. AI processing through Vertex AI / Gemini is configured to align with the customer’s tenant region where supported by the provider, model, and endpoint configuration.

3. Encryption and PII Protection

  • At rest: customer data stores and backups are encrypted using Google-managed encryption or equivalent managed cloud encryption.
  • In transit: TLS is used on network paths.
  • Secrets: managed through Google Secret Manager; secrets are not stored in source code or build logs.
  • PII minimization: where direct identifiers are not required for third-party generative AI processing, identifiers such as names, email addresses, and phone numbers may be masked with placeholders before model calls, then re-associated inside Heyou.

4. Access Control

  • SSO support via standard enterprise identity protocols.
  • MFA enforced for internal administrators.
  • Role-based access controls in-product.
  • Audit logs available for relevant administrative and security events.
  • Production access is limited to approved operational needs and governed by least-privilege principles.
  • Access reviews and prompt revocation processes are maintained.

5. Software Development Lifecycle

  • Code review required for production changes.
  • Branch protection for production branches.
  • Static analysis, dependency scanning, and secrets scanning in CI.
  • Vulnerability scanning of applications and infrastructure.
  • Dependency patching based on severity.
  • Change management with rollback procedures.

6. Vulnerability Management

  • Continuous scanning of infrastructure and applications.
  • Coordinated vulnerability disclosure via security@heyou.com.
  • Good-faith vulnerability reports are welcomed and handled under Heyou’s coordinated disclosure process.
  • Third-party penetration testing and remediation tracking are performed as part of the security program.

7. Monitoring and Incident Response

  • 24/7 on-call coverage.
  • Documented incident-response runbooks.
  • Centralized security and audit logs.
  • Post-incident review process.
  • Customer notification for confirmed material security incidents involving Customer Data in accordance with the DPA.

8. Business Continuity and Disaster Recovery

  • Encrypted backups.
  • Recovery processes aligned with service availability objectives.
  • Disaster-recovery and crisis-response procedures.
  • Testing and tabletop exercises as appropriate to the maturity of the program.

9. People

  • Confidentiality agreements for personnel.
  • Security and privacy training.
  • Role-based training for functions with elevated access.
  • Secure device-management practices, including disk encryption and patching.

10. Vendor Management

  • Risk-tiered vendor assessment before onboarding.
  • Contractual controls including DPA, security addendum where applicable, and confidentiality commitments.
  • Re-review for critical vendors.
  • Subprocessor change notification in accordance with the DPA.
Architecture

Where your data sits, and what touches it.

Two panels: the app-side data flow (sources → ingestion → classification → relationship intelligence → LLM orchestration with human review), and the underlying GCP infrastructure (Cloud Run + Cloud SQL Postgres + Vertex AI in europe-north1). Tenant isolation at every layer.

Heyou architecture diagram, two panels: app and data flow with privacy and AI governance controls, and GCP cloud infrastructure with Cloud Run, Cloud SQL Postgres, Vertex AI, Cloud Storage, Secret Manager, Cloud NAT, and EU data residency in europe-north1.
Click the diagram for the full-size image. PDF version available on request for trust-review packs.