Security

How we keep your data safe

Last updated: April 30, 2026

The information you put into HomeBase is sensitive. It tells someone when you are not home, who has been inside your house, what you spent, and the systems your home runs on. We treat that responsibility seriously. This page describes the controls we have in place today and the practices we follow as we build. If you are a security researcher, jump to Vulnerability Disclosure.

The short version

  • All data is encrypted in transit and at rest. Backups are encrypted too.
  • Authorization is enforced at the database, not just in our app code. Even a buggy query cannot return another user's data.
  • Our infrastructure runs on SOC 2 Type II audited providers in the United States.
  • We do not store payment cards, government IDs, or anything we do not need.
  • Forwarded receipt content is sent to our AI vendor only for the extraction itself, is not used to train any model, and is held briefly for abuse prevention only.
  • We have a documented vulnerability disclosure policy with safe harbor for good-faith researchers.

Encryption

All traffic to and from HomeBase is encrypted in transit using modern TLS (1.2 or higher) with HSTS. The Postgres database that stores your account, services, providers, history, profile, and inbound receipts is encrypted at rest with AES-256. Files you upload (photos, PDFs, raw email, attachments) are stored in object storage that is also encrypted at rest, and are served via short-lived signed URLs scoped to your account. Database backups are encrypted, and credentials and API keys are stored in our hosting platform's encrypted secrets store.

Authentication

Authentication is handled by Supabase Auth. Passwords are hashed with bcrypt before they reach our database; we never see your plaintext password and we cannot recover it for you. If you forget it, you can reset it via the email on your account using a single-use, time-limited link. Sessions are issued as JSON Web Tokens with short access-token lifetimes and a separate refresh token rotation. You can sign out of all devices from your account settings. We will introduce optional multi-factor authentication and OAuth sign-in (Apple, Google) before general availability.

Authorization (row-level security)

HomeBase uses Postgres row-level security (RLS) at the database layer. Every per-user table (home_profiles, services, providers, service_events, removed_services, inbound_receipts, and others) has policies that allow access only to rows whose user_id matches the requesting user's auth.uid(). That means even if a query inside our application code went wrong, the database itself would refuse to return another user's rows. RLS policies are version-controlled in our migrations, reviewed on every change, and tested. Our public provider directory is read-only to users and is the only table that crosses user boundaries by design.

Inbound email security

You can forward invoices and quotes to a private address in the in.homebaseapp.io domain. We process inbound mail through Postmark with the following controls:

  • Webhook authentication. Postmark posts to our ingestion endpoint with a shared-secret token; requests without the correct token are rejected with HTTP 401.
  • SPF and DKIM verification. Inbound messages that fail both SPF and DKIM are dropped before any processing, which closes the obvious “From: victim@gmail.com” spoofing path.
  • Size and attachment caps. We enforce a 10 MB payload cap and a maximum of ten attachments per message; over either limit, the message is dropped without persistence.
  • HEIC normalization. Apple HEIC images are converted to JPEG inside our Vercel function before any AI processing, so we do not pass arbitrary container formats to downstream services.
  • Account scoping. The recipient address embeds a per-account token; messages addressed to an unknown account are dropped.
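As an added example (not HomeBase's own code), the five controls above expressed as a single ingestion decision in TypeScript, the language the page says the codebase uses. The message shape, the lower-cased header map and the `accounts` lookup are assumptions, and the SPF/DKIM results are read from a standard Authentication-Results header rather than from Postmark's actual webhook payload.

```typescript
// Added example, not HomeBase's code: the ingestion checks from the list above, run over a
// simplified message shape. Field names here are assumptions, not Postmark's real payload.
import { timingSafeEqual } from "node:crypto";
const MAX_PAYLOAD_BYTES = 10 * 1024 * 1024; // 10 MB cap from the policy
const MAX_ATTACHMENTS = 10;

export interface InboundMessage {
  recipient: string; // e.g. "<account-token>@in.homebaseapp.io"
  headers: Record<string, string>; // header names lower-cased by the caller (assumed)
  attachments: { name: string; bytes: number }[];
  rawBytes: number; // size of the whole webhook payload
}

export type Decision =
  | { status: 401; reason: "bad-token" }
  | { status: 200; action: "drop"; reason: string }
  | { status: 200; action: "process"; accountId: string };

// Constant-time comparison so the shared secret cannot be recovered byte by byte.
function tokenMatches(presented: string | undefined, expected: string): boolean {
  const enc = new TextEncoder();
  const a = enc.encode(presented ?? ""), b = enc.encode(expected);
  return a.byteLength === b.byteLength && timingSafeEqual(a, b);
}

// Read "spf=pass" / "dkim=fail" out of an RFC 8601 Authentication-Results header.
export function authResult(header: string | undefined, method: "spf" | "dkim"): string {
  const m = header?.match(new RegExp(`(?:^|;)\\s*${method}=(\\w+)`, "i"));
  return m ? m[1].toLowerCase() : "none";
}

export function decide(
  presentedToken: string | undefined,
  msg: InboundMessage,
  webhookSecret: string,
  accounts: Map<string, string>, // recipient token -> account id (assumed lookup)
): Decision {
  if (!tokenMatches(presentedToken, webhookSecret)) return { status: 401, reason: "bad-token" };
  // Dropped messages are acknowledged with 200 so the mail provider does not keep retrying them.
  if (msg.rawBytes > MAX_PAYLOAD_BYTES) return { status: 200, action: "drop", reason: "payload-too-large" };
  if (msg.attachments.length > MAX_ATTACHMENTS) return { status: 200, action: "drop", reason: "too-many-attachments" };
  // Anything other than an explicit pass counts as a failure here (a stricter reading than "fail both").
  const ar = msg.headers["authentication-results"];
  if (authResult(ar, "spf") !== "pass" && authResult(ar, "dkim") !== "pass")
    return { status: 200, action: "drop", reason: "spf-and-dkim-failed" };
  const accountId = accounts.get(msg.recipient.split("@")[0].toLowerCase());
  if (!accountId) return { status: 200, action: "drop", reason: "unknown-account" };
  return { status: 200, action: "process", accountId };
}
```

The checks are ordered cheapest first, so an oversized or over-attached payload is rejected before the body or headers are inspected at all.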

AI processing

When you forward an invoice or receipt, HomeBase calls the Anthropic Claude API to extract structured fields (service name, category, provider, cost, date, notes). We send only the email body and the necessary attachments for that single extraction. We do not send your home profile, your service history, or any other account data. By contract:

  • Anthropic does not use API content to train its models.
  • Anthropic retains API logs for a short period (currently up to seven days) for abuse prevention and not for training.
  • We surface the AI's output to you for review before anything is committed to your service history; you can edit or dismiss the proposal.
  • We do not use any AI to make decisions about you that produce legal or similarly significant effects.

Infrastructure

HomeBase runs on:

  • Vercel for hosting, edge runtime, and analytics.
  • Supabase for Postgres, authentication, file storage, and serverless functions.
  • Postmark (ActiveCampaign) for outbound and inbound email.
  • PostHog for product analytics.
  • Anthropic for the receipt extraction API described above.

Vercel and Supabase operate from SOC 2 Type II audited US data centers. We do not run our own physical servers. Production deployments go through code review, automated linting and type checks, and deploy to Vercel previews for QA before promotion to production. Secrets are stored in Vercel's and Supabase's encrypted environment configuration, never in source.

Access controls inside HomeBase

Access to production systems is limited to the engineers who need it. We use single sign-on, hardware security keys for administrative access, and the principle of least privilege. We log administrative actions. We do not look at customer data except where necessary to support a request you have made or to investigate a security incident.

Logging and monitoring

We log application errors, request metadata, and authentication events for security and debugging. Logs are retained for up to ninety days. We do not log secrets, plaintext passwords, or full request bodies for sensitive endpoints. We monitor uptime, latency, and error rates and are paged on production incidents.

Backups and disaster recovery

The HomeBase database is backed up automatically by Supabase multiple times per day, with point-in-time recovery within the recent retention window. Backups are encrypted. We periodically test our ability to restore. Our recovery objective is to bring the Service back online within hours of a major outage and to lose no more than the last few minutes of writes; we do not commit to a contractual SLA during the public beta.

Data minimization

We collect only what we need to run the Service. We do not request or store payment card numbers, Social Security numbers, government IDs, or other sensitive personal information. The home profile fields are optional beyond the address, and you control how much you fill in. You can delete individual records or your entire account at any time; full retention details are in our Privacy Policy.

Vendor and sub-processor security

Before we onboard a sub-processor we review its security posture (independent audits where available, encryption practices, access controls, breach history) and execute a written data processing agreement. We re-review sub-processors at least annually. The current list of sub-processors and the data each one handles is published in our Privacy Policy.

Secure development

Our codebase uses TypeScript end-to-end, dependency scanning on every push, and code review for changes that touch authentication, authorization, or the database. We test row-level security policies as part of our migration workflow so that a regression cannot ship silently. We rotate credentials when team members change and after any suspected exposure.

Privacy by design

Every feature we build is reviewed against three questions: what new data does this collect, who needs to read it, and how does it eventually get deleted. Data we collect is associated with your account and protected by RLS by default; opting a feature out of RLS is the rare exception, not the rule.

Incident response and breach notification

If we discover a security incident affecting your data we will investigate, contain, and remediate the issue, and we will notify you without undue delay where required by law and in any event within seventy-two hours of confirming a personal data breach under GDPR. Notifications include a description of the incident, the categories of data involved, the likely consequences, and the steps we are taking. We will also notify regulators as required.

Vulnerability disclosure

If you believe you have found a security vulnerability in HomeBase, please tell us. Email security@homebaseapp.io with the subject line beginning “Security:” and include enough information to reproduce the issue. We commit to acknowledging your report within two business days, providing an initial assessment within seven days, and keeping you updated on our progress.

Safe harbor. We consider security research conducted in good faith and consistent with this policy to be authorized. We will not pursue civil action or refer your report to law enforcement when you act in good faith. To stay within safe harbor, please:

  • Test only against accounts you own. Do not access or modify any other user's data.
  • Stop testing and report immediately if you encounter another user's data, and do not retain it.
  • Do not perform attacks that degrade the Service for others (denial of service, social engineering of HomeBase staff or other users, physical attacks).
  • Give us a reasonable opportunity to fix the issue before disclosing it publicly. We aim for a ninety-day default disclosure window and will work with you on extensions when warranted.
  • Comply with applicable law, including the US Computer Fraud and Abuse Act and equivalent laws elsewhere.

We do not currently offer monetary bug bounties; we will publicly credit researchers who follow this policy and ask to be named. If a third party brings a legal action against you for activity that complied with this policy, we will make our authorization clear.

What you can do

The most common cause of account compromise is a weak or reused password. Use a password manager and a unique strong password for HomeBase. If you ever suspect your account has been compromised, sign out of all devices from your account settings, reset your password, and email security@homebaseapp.io so we can help.

Contact

For security issues, email security@homebaseapp.io. For general questions, email hello@homebaseapp.io.