Data Storage Policy
Last updated: January 2026
This policy describes how Hilma (operated by Mindtrack AB) stores and protects Customer Data.
1. Data Storage Infrastructure
Hilma stores Customer Data using the following infrastructure:
| Component | Provider | Location |
|---|---|---|
| Primary Database | Supabase (PostgreSQL) | AWS eu-central-2 (Zurich) |
| Application Hosting | Vercel | Global Edge Network, Functions: Stockholm (arn1), Frankfurt (fra1), Washington D.C. (iad1) |
| Static Assets | Vercel CDN | Global Edge Network |
| Database Backups | Supabase | Same region as primary database |
2. Encryption
2.1 Data at Rest
- Database: All data stored in Supabase is encrypted at rest using AES-256.
- OAuth tokens: Slack and Teams authentication tokens are encrypted using AES-256-GCM before storage.
- Integration tokens: Third-party integration tokens (ClickUp, Linear, etc.) are encrypted using AES-256-GCM.
- Backups: Database backups are encrypted using AES-256.
2.2 Data in Transit
- All connections use TLS 1.3 encryption.
- HSTS (HTTP Strict Transport Security) is enforced.
- API communications with third parties (Slack, Teams, OpenAI) use TLS.
3. Access Controls
- Application-level authorization: All database queries are scoped to the authenticated user's workspace.
- Role-based access: Users can only access data they are authorized to view based on their role (employee, team lead, manager).
- Admin access: Administrative access is limited to authorized Mindtrack AB personnel.
- Audit logging: Database access is logged for security monitoring.
4. Data Segregation
Customer data is logically segregated:
- Each workspace (Slack team or Teams organization) has a unique identifier.
- All queries are scoped to the workspace level.
- Cross-workspace data access is prevented at the application level.
- Individual user data within a workspace is protected based on role permissions.
5. No Local Storage
Hilma does not store Customer Data on local servers or employee devices. All data processing occurs in our cloud infrastructure. No customer data is stored persistently outside of our designated cloud providers.
6. Third-Party Data Processing
Some Customer Data is processed by third-party services:
| Service | Purpose | Data Retention |
|---|---|---|
| OpenAI | AI summaries, coaching, analysis | Zero retention (API usage only, not used for training) |
| Anthropic | AI summaries, coaching, analysis | Zero retention (API usage only, not used for training) |
| Resend | Transactional emails | 30 days |
| Paddle | Payment processing | As required by law |
For a complete list of sub-processors, see our Sub-processors page.
7. Security Measures
- Rate limiting: API endpoints are rate-limited to prevent abuse.
- Webhook verification: All incoming webhooks from Slack and Teams are cryptographically verified.
- CSRF protection: Cross-site request forgery protection on all form submissions.
- Security headers: Strict Transport Security, X-Content-Type-Options, X-Frame-Options, and other security headers are enforced.
- Input validation: All user inputs are validated and sanitized.
8. Incident Response
In the event of a data breach or security incident, Hilma will:
- Investigate and contain the incident within 24 hours
- Notify affected customers within 72 hours as required by GDPR
- Report to relevant supervisory authorities as required
- Provide detailed incident reports upon request
9. Contact
For questions about this policy or our data storage practices, contact us at [email protected].
Mindtrack AB
Organization number: 559383-2859
Sweden