H3 MarkH3ight

Security & Trust

Last Updated: April 5, 2026

At H3ight, security is foundational to everything we build. Our platform manages safety-critical data for rope access companies—equipment inspections, compliance records, workforce certifications, and financial information. We take the responsibility of protecting this data seriously.

This page outlines the security practices, architecture, and policies that protect your data on the H3ight Platform.

1. Data Encryption

1.1 Encryption in Transit

All data transmitted between your browser or device and our servers is encrypted using TLS (Transport Layer Security). This ensures that your data cannot be intercepted or read by unauthorized parties during transmission.

  • All API endpoints enforce HTTPS
  • TLS 1.2+ is required for all connections
  • HTTP Strict Transport Security (HSTS) headers are enforced

1.2 Encryption at Rest

All data stored in our databases and file storage systems is encrypted at rest using industry-standard encryption algorithms. This includes:

  • PostgreSQL database encryption provided by our hosting infrastructure
  • File storage encryption in Cloudflare R2 (S3-compatible object storage)
  • Automated encrypted backups with point-in-time recovery capabilities

2. Authentication & Session Security

2.1 Password Security

User passwords are never stored in plain text. We use PBKDF2 with SHA256 hashing, an industry-standard key derivation function that makes brute-force attacks computationally infeasible. Each password is salted with a unique, randomly generated value.

2.2 Session Management

Authentication tokens are managed using httpOnly cookie-based JWTs (JSON Web Tokens). This approach provides several security advantages:

  • httpOnly cookies prevent client-side JavaScript from accessing tokens, mitigating XSS attacks
  • Secure flag ensures cookies are only transmitted over HTTPS
  • SameSite attributes protect against cross-site request forgery (CSRF)
  • Tokens have limited lifetimes with automatic refresh mechanisms

3. Multi-Tenant Data Isolation

The H3ight Platform is a multi-tenant system where each organization's data is strictly isolated. We enforce data isolation at the database level using Row-Level Security (RLS) in PostgreSQL.

  • Every database query is automatically scoped to the authenticated user's organization
  • RLS policies are enforced at the PostgreSQL level, meaning data isolation cannot be bypassed by application-level bugs
  • Users can only access data belonging to their own organization
  • Cross-tenant data access is architecturally impossible under normal operation

4. Role-Based Access Control (RBAC)

Access within each organization is controlled through a role-based permission system with four tiers:

  • Admin — Full access to all organizational settings, user management, and data. Can invite/remove users and manage billing.
  • Manager — Can create, edit, and delete operational records (assets, inspections, projects). Can manage day-to-day operations.
  • Inspector — Can conduct inspections, record findings, and view assigned assets. Limited write access focused on inspection workflows.
  • Viewer — Read-only access to organizational data. Ideal for clients or stakeholders who need visibility without edit permissions.

Permission checks are enforced at the API level on every request, ensuring that users can only perform actions appropriate to their role.

5. Audit Logging

All API operations on the H3ight Platform are logged through our audit logging system. Every request records:

  • The authenticated user and their organization
  • The HTTP method and endpoint accessed
  • Timestamp of the request
  • Response status code
  • Request duration

Audit logs provide a complete trail of all actions taken within your organization, supporting compliance requirements and enabling investigation of any suspicious activity. Logs are retained in accordance with our data retention policies.

6. Infrastructure

The H3ight Platform is hosted on trusted, enterprise-grade infrastructure providers:

  • Render — Application hosting and managed PostgreSQL database. Render provides automatic scaling, zero-downtime deploys, and built-in DDoS protection.
  • Cloudflare R2 — S3-compatible object storage for file uploads (equipment photos, documents). Data is encrypted at rest and served over encrypted connections.
  • PostgreSQL — Our primary database, providing ACID compliance, row-level security, and robust data integrity guarantees.

All infrastructure is hosted in the United States. Regular automated backups ensure data recovery capabilities in the event of hardware failure or other incidents.

7. Compliance-Ready Architecture

The H3ight Platform is built with compliance in mind from the ground up:

  • Soft delete — Records are never permanently deleted immediately. Instead, they are marked as deleted and retained for audit purposes, ensuring a complete historical trail.
  • Full audit trail — Every change to every record is logged, providing a verifiable history of all data modifications.
  • Data export — Organizations can export their data at any time in standard formats (CSV, JSON, PDF) for external audits or regulatory requirements.
  • Inspection scheduling — Configurable inspection intervals with automatic due-date tracking help organizations maintain compliance with IRATA/SPRAT and other industry standards.
  • Digital signatures — Safety documents (JSAs, Safe Work Plans) support digital signatures for accountability.

8. Application Security Practices

  • Input validation — All user inputs are validated and sanitized on both the client and server side to prevent injection attacks.
  • CORS policies — Cross-Origin Resource Sharing is configured to only allow requests from authorized domains.
  • Rate limiting — API endpoints are rate-limited to prevent abuse and brute-force attacks.
  • Dependency management — We regularly update dependencies and monitor for known vulnerabilities.
  • Secure defaults — The platform is configured with security-first defaults, including strict content security policies and secure cookie settings.

9. Incident Response

In the event of a security incident, H3ight follows a structured response process:

  1. Detection and containment — Identify and contain the incident to prevent further impact.
  2. Assessment — Determine the scope, severity, and affected data.
  3. Notification — Affected users and organizations are notified within 72 hours, as required by applicable data protection laws.
  4. Remediation — Implement fixes and preventive measures to address the root cause.
  5. Post-incident review — Document lessons learned and update security practices accordingly.

10. Reporting Security Issues

If you discover a security vulnerability or have concerns about the security of the H3ight Platform, please contact us immediately:

Email: security@h3ight.com

We take all security reports seriously and will respond promptly. We ask that you:

  • Provide sufficient detail to reproduce the issue
  • Allow reasonable time for us to address the vulnerability before public disclosure
  • Do not access or modify other users' data during your research

11. Contact Us

For questions about our security practices or to request additional information, contact us:

Security: security@h3ight.com
General: hello@h3ight.com
Mail:
H3ight LLC
PO Box 370922
Las Vegas, NV 89137

This Security & Trust page was last updated on the date shown above. We continuously improve our security practices and will update this page as our security posture evolves.