Security as a first-class concern.
Premium interior projects involve seven-figure budgets, vendor contracts, design IP, and family financial decisions. HSIOS™ is engineered with the same security posture you'd expect from a private banking application — because the data deserves it.
How your project is protected.
Six engineering primitives that work together to keep your data isolated, your decisions auditable, and your AI assistance privacy-respecting.
Per-Tenant Isolation
Every query, every event, every Socket.io broadcast is scoped to your tenant. Cross-tenant access returns 404 (never leaks existence). Verified at middleware, service, and socket layers — three independent checks, not one.
Refresh-Token Rotation
Each refresh issues a fresh token and burns the previous one. Reuse of an already-rotated token revokes the entire token family — a strong signal that a session was stolen. Reused tokens trigger an immediate logout and security notification.
Role-Based AI Sanitisation
AI Co-Pilot context is filtered by your role before any prompt reaches a model. Homeowner prompts cannot surface vendor markups. Vendor prompts cannot extract internal financials. The model only sees what your role is permitted to see.
Encrypted Daily Backups
Custom-format pg_dump runs daily with structural verification. Archived to a separate region, retention-pruned automatically, and validated for restorability — backups that are not restorable are not backups.
Documented Audit Trail
Every state change is captured in an immutable event log — approvals, change orders, vendor swaps, snags, sign-offs. 180-day retention by default, exportable on demand. Auditors get a structured paper trail, not a chat history.
Per-Request CSP Nonce
Every page response is served with a unique per-request Content Security Policy nonce. Inline scripts that did not originate from HSIOS™ cannot execute. Mitigates an entire class of script-injection attacks at the browser level.
Hardening, all the way down the stack.
Six concrete controls applied at the transport, application, and storage layers.
HTTPS-only with HSTS preload
Strict Transport Security with 2-year max-age, includeSubDomains, and preload. HTTP traffic is rejected before the application ever sees the request.
Rate limiting per identity
500 requests per 15 minutes globally, 30 AI requests per 10 minutes per user. Protects platform availability without throttling legitimate work.
Email + OTP verification
Verification tokens are single-use, time-bound, and rate-limited. Forgot-password and resend-verification flows never confirm whether an email exists — no enumeration leak.
Mass-assignment guard
Patch endpoints use explicit field allowlists. A request body cannot promote a user, change a project's tenant, or overwrite an audit field — even if the field is present in the JSON.
Field-level immutability
Document file URLs and version numbers are write-once after creation. To version a document, you create a new record — you do not overwrite the original. The audit trail is preserved by design.
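The allowlist and write-once checks from the two items above, as an added example that is not HSIOS™ code; the document field names, the allowlist contents and the 409 response are assumptions for illustration:

```javascript
// Added example, not HSIOS code: a PATCH guard combining an explicit field
// allowlist (mass-assignment guard) with write-once fields (field-level
// immutability). Field names and status codes are assumptions for illustration.

const DOCUMENT_PATCH_ALLOWLIST = new Set(['title', 'notes', 'tags']);
const DOCUMENT_WRITE_ONCE = new Set(['fileUrl', 'version']);

// Returns { ok: true, updated, dropped } or { ok: false, status, error }.
// Fields outside the allowlist (tenantId, role, createdBy, ...) are dropped
// even when present in the body. A write-once field with a changed value
// rejects the whole request, so the caller learns the rule instead of
// silently losing the edit; an unchanged echo of it is just dropped.
function applyDocumentPatch(existing, body) {
  const updated = { ...existing };
  const dropped = [];
  for (const [field, value] of Object.entries(body)) {
    if (DOCUMENT_WRITE_ONCE.has(field) && value !== existing[field]) {
      return { ok: false, status: 409, error: `${field} is write-once; create a new version instead` };
    }
    if (!DOCUMENT_PATCH_ALLOWLIST.has(field)) { dropped.push(field); continue; }
    updated[field] = value;
  }
  return { ok: true, updated, dropped };
}

// Versioning creates a new record rather than overwriting the original, so
// the earlier file URL and version number survive for the audit trail.
function createDocumentVersion(previous, fileUrl) {
  return {
    ...previous,
    id: `${previous.id}-v${previous.version + 1}`,
    fileUrl,
    version: previous.version + 1,
  };
}
```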
OTP fail-closed in production
Vendor and Client portals refuse to accept any developer-mode OTP in production environments unless an explicit override env var is set. Dev convenience never leaks into prod.
Common Security Questions
Where is my project data stored?
On a Linux VPS in a region of your choosing. The database runs locally on the host with SSL-required connections. Backups are encrypted before leaving the host. Object storage (uploads) is on the same infrastructure — no third-party cloud handles your photos or documents.
Who can see my financials?
Only roles that are explicitly authorised: Founder, Admin, Project Manager, and Finance Manager see raw cost data. Client and Vendor roles see aggregated bands (e.g. "1–2 Cr range", "70–80% spent") — never raw vendor invoices, markups, or internal notes. The AI Co-Pilot enforces the same boundary.
What happens if my login is compromised?
Refresh tokens are family-tracked. If a stolen token is replayed, the entire family is revoked instantly and the legitimate user is logged out with a "Session reuse detected" message. You then re-authenticate fresh, which invalidates the stolen credentials.
Is the AI Co-Pilot a privacy risk?
No. Project context is sanitised by role before any prompt reaches the AI provider. A Client-role prompt cannot extract financials the Client was never shown. A Vendor-role prompt cannot reach another vendor's data. The sanitisation runs server-side; there is no client-side path to bypass it.
Do you retain my project data forever?
Event logs are pruned after 180 days by default — retention is tunable per tenant. Refresh tokens are pruned 14 days after expiry. Project records use a soft-delete archive flag so historical data is recoverable; nothing is hard-deleted without explicit action.
Can I export my data?
Yes. Project records, BOQ items, execution logs, audit trail, and uploaded documents are all exportable on demand. The platform stores your data in your project — not against your project. Portability is a first-class concern, not an afterthought.
Talk to our team about enterprise terms.
For NRI engagements, multi-stakeholder developments, and projects with specific data-residency or audit-cycle requirements, we can share a more detailed security brief on request.