Security
How we protect your data and ensure security
Effective from June 02, 2025
At Happ Labs, security is a foundational principle — not an afterthought. We are committed to protecting the confidentiality, integrity, and availability of all data entrusted to Us, whether it belongs to visitors of Our Website, Our clients, or the end users of the products We help build.
This Security Information page describes the organizational, technical, and procedural measures We implement to safeguard data across Our corporate Website and Our engineering services. It supplements Our Privacy Notice and Terms & Conditions.
"Company" — refers collectively to: (a) Individual Entrepreneur Viacheslav Saloid (ФОП Салоїд В’ячеслав Олександрович), registered under the laws of Ukraine, tax identification number 3628308118, registration record №544422567292 dated 12.01.2022; and (b) HAPP LLC (ТОВ "ХАПП"), registered under the laws of Ukraine, EDRPOU code 46116673 (hereinafter — "Company", "Happ Labs", "We", "Us", "Our").
"Website" — the corporate website available at https://labs.happ.tools.
Table of Contents
- Introduction
- Organizational Security Measures
- Technical Security Measures
- Infrastructure Security
- Application Security
- Data Protection
- Incident Response
- Third-Party Security
- Client Project Security
- Responsible Disclosure
- Contact Information
1. Introduction
Happ Labs is a software engineering company that provides custom software development, consulting, and engineering services to clients worldwide. Security is integral to everything We do — from how We operate Our own Website to how We design, build, and deliver software for Our clients.
We recognize that trust is earned through consistent, transparent, and proactive security practices. This document outlines the measures We take to protect data, systems, and intellectual property — both Our own and that of Our clients.
Our security practices are guided by internationally recognized standards and frameworks, including the General Data Protection Regulation (GDPR), industry best practices for secure software development, and the principle of defense in depth.
2. Organizational Security Measures
We maintain a comprehensive set of organizational controls to ensure that security is embedded in Our culture, processes, and daily operations.
2.1. Internal Policies and Procedures
We have established and maintain internal security policies that govern data handling, access management, incident response, and acceptable use of company systems. These policies are reviewed and updated regularly to reflect changes in the threat landscape and regulatory requirements.
2.2. Staff Training and Awareness
All team members receive security awareness training as part of their onboarding process and on an ongoing basis. Training covers topics such as phishing prevention, secure coding practices, data handling procedures, password hygiene, and incident reporting protocols.
2.3. Non-Disclosure Agreements (NDAs)
All employees, contractors, and third-party collaborators are required to sign Non-Disclosure Agreements (NDAs) before gaining access to any confidential information, client data, or proprietary systems. These agreements establish clear legal obligations regarding the protection and non-disclosure of sensitive information.
2.4. Access Control and Role-Based Permissions
We enforce the principle of least privilege across all systems and services. Access to data, code repositories, infrastructure, and internal tools is granted on a need-to-know basis and is tied to each team member's role and responsibilities. Access rights are reviewed periodically and revoked promptly upon role change or departure.
2.5. Action Logging and Audit Trails
We maintain audit logs for critical systems, including access to production environments, code repositories, and administrative panels. These logs are monitored to detect unauthorized access, anomalous behavior, and policy violations. Log retention periods are aligned with Our data retention policies and regulatory requirements.
3. Technical Security Measures
We implement a layered set of technical controls to protect data and systems against unauthorized access, loss, and compromise.
4. Infrastructure Security
Our infrastructure is designed with security as a primary consideration, from the choice of hosting providers to the configuration of individual services.
4.1. Server Location and Compliance
Our servers are located in Germany, within the European Economic Area (EEA). This ensures that all data storage and processing complies with the strict privacy and security standards of the European Union, including the GDPR. Our hosting providers maintain industry-standard certifications and undergo regular independent security audits.
4.2. GDPR-Compliant Hosting
We select hosting and cloud service providers that demonstrate compliance with GDPR and other applicable data protection regulations. Our providers implement physical security controls (such as biometric access, 24/7 surveillance, and environmental protections) as well as logical security controls (such as network isolation, intrusion detection, and DDoS mitigation).
4.3. Regular Security Audits
We conduct regular security assessments of Our infrastructure, including vulnerability scanning, configuration reviews, and penetration testing. Findings are prioritized, remediated promptly, and tracked to completion. We also monitor publicly disclosed vulnerabilities and apply security patches in a timely manner.
5. Application Security
As a software engineering company, We hold Ourselves to the highest standards of secure software development — both for Our own systems and for the products We build for Our clients.
5.1. Secure Software Development Lifecycle (SDLC)
Security is integrated into every phase of Our software development lifecycle. From requirements gathering and architecture design through implementation, testing, and deployment, security considerations are addressed at each stage rather than being treated as a post-development activity.
5.2. Code Review
All code changes undergo mandatory peer review before being merged into production branches. Code reviews include evaluation of security implications, input validation, authentication and authorization logic, error handling, and adherence to secure coding standards.
5.3. Vulnerability Scanning
We employ automated vulnerability scanning tools as part of Our continuous integration and deployment pipelines. These tools identify known vulnerabilities in Our code and its dependencies, enabling Us to detect and address security issues before they reach production environments.
5.4. Dependency Management
We actively monitor and manage third-party dependencies used in Our projects. Dependencies are regularly audited for known vulnerabilities, kept up to date, and replaced when necessary. We use automated tools to track security advisories and apply patches promptly.
6. Data Protection
We take a comprehensive approach to data protection, implementing controls that safeguard data throughout its lifecycle — from collection through processing, storage, and eventual deletion.
6.1. Encryption at Rest and in Transit
All personal data and sensitive information is encrypted at rest using AES-256 or equivalent encryption standards. Data in transit is protected using TLS 1.2 or higher. Encryption keys are managed securely and rotated in accordance with industry best practices.
6.2. Principle of Least Privilege
Access to personal data is restricted to authorized personnel who require it to perform their specific job functions. We enforce role-based access controls across all systems and regularly review access permissions to ensure they remain appropriate. Administrative access to production systems is limited to a minimal number of senior team members.
6.3. Data Minimization
We collect and process only the minimum amount of personal data necessary to fulfill the specific purpose for which it was collected. We do not retain data longer than required by Our retention policies or applicable law. When data is no longer needed, it is securely deleted or anonymized so that it can no longer be associated with an identifiable individual.
7. Incident Response
Despite Our best efforts, no security system is impenetrable. We maintain a documented incident response plan to ensure that any security incidents are handled swiftly, transparently, and in accordance with applicable laws.
7.1. Data Breach Notification (72-Hour GDPR Requirement)
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, We are committed to notifying the relevant supervisory authority within 72 (seventy-two) hours of becoming aware of the breach, as required by Article 33 of the GDPR. The notification will include all necessary details about the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
7.2. Supervisory Authority Notification
Where a breach is not notified within 72 hours, the notification will be accompanied by reasons for the delay. We maintain records of all personal data breaches, including the facts, effects, and remedial actions taken, to enable the supervisory authority to verify compliance.
7.3. User Notification Procedures
When a personal data breach is likely to result in a high risk to the rights and freedoms of affected individuals, We will communicate the breach to the affected data subjects without undue delay, as required by Article 34 of the GDPR. The notification will describe, in clear and plain language, the nature of the breach, provide contact details of Our data protection point of contact, describe the likely consequences, and outline the measures taken to address the breach and mitigate its effects.
7.4. Incident Response Process
Our incident response process includes the following stages:
- Detection and Identification — monitoring systems and team members report potential security incidents through established channels;
- Containment — immediate actions are taken to limit the scope and impact of the incident;
- Investigation — a thorough analysis is conducted to determine the root cause, scope, and affected data;
- Remediation — vulnerabilities are addressed, and measures are implemented to prevent recurrence;
- Notification — affected parties, supervisory authorities, and clients are notified as required by law and contractual obligations;
- Post-Incident Review — lessons learned are documented, and policies and procedures are updated accordingly.
8. Third-Party Security
We carefully evaluate and monitor all third-party services and vendors that have access to data or are integrated into Our systems and workflows.
8.1. Vendor Assessment
Before engaging any third-party vendor or service provider, We conduct a security assessment to evaluate their data protection practices, security controls, compliance posture, and track record. Only vendors that meet Our security requirements are approved for use. Vendor assessments are reviewed periodically to ensure continued compliance.
8.2. Standard Contractual Clauses (SCCs)
Where third-party services involve the processing or transfer of personal data outside the European Economic Area (EEA), We ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms under the GDPR.
8.3. Limited Data Sharing Under NDAs
Data sharing with third parties is limited to the minimum necessary for the specific purpose of the engagement. All third parties with access to confidential or personal data are required to sign Non-Disclosure Agreements (NDAs) and data processing agreements that establish clear obligations regarding data protection, security, and confidentiality.
9. Client Project Security
As a software engineering company, We understand that Our clients entrust Us with their most sensitive assets — including proprietary code, business logic, user data, and intellectual property. We take this responsibility seriously and implement dedicated security measures for every client engagement.
9.1. Non-Disclosure Agreements
Every client engagement begins with the execution of a Non-Disclosure Agreement (NDA) that legally binds all parties to maintain the confidentiality of project-related information. NDAs cover source code, technical documentation, business requirements, user data, and any other proprietary information shared during the engagement.
9.2. Isolated Development Environments
Client projects are developed in isolated environments that are logically separated from other projects and from Our internal systems. Access to each project environment is restricted to the specific team members assigned to that engagement. This isolation prevents cross-contamination of data and code between projects and minimizes the blast radius of any potential security incident.
9.3. Secure Communication Channels
All project-related communication is conducted through secure, encrypted channels. Sensitive information such as credentials, API keys, and access tokens is shared exclusively through secure secret management tools — never through email, chat messages, or other unencrypted channels. We use industry-standard tools for project management, code collaboration, and communication, all of which support encryption and access controls.
9.4. Code and Data Handling
Client source code is stored in private repositories with strict access controls and audit logging. Upon project completion or termination, all client data, code, and related materials are either transferred to the client or securely deleted from Our systems, in accordance with the terms of the service agreement. We do not retain, reuse, or repurpose client code or data for any purpose beyond the scope of the engagement.
9.5. Secrets Management
We use dedicated secrets management solutions to handle sensitive configuration data such as database credentials, API keys, encryption keys, and service tokens. Secrets are never hardcoded in source code, stored in version control, or transmitted in plain text. Access to secrets is restricted based on role and environment, and all access is logged for audit purposes.
10. Responsible Disclosure
We value the work of security researchers and the broader security community in helping Us maintain the security of Our systems and protect Our users. If You discover a security vulnerability in Our Website or any of Our systems, We encourage You to report it to Us responsibly.
10.1. How to Report a Vulnerability
Please report any security vulnerabilities by contacting Us at admin@happ.tools. When submitting a report, please include:
- a detailed description of the vulnerability and its potential impact;
- step-by-step instructions to reproduce the issue;
- any supporting evidence, such as screenshots, logs, or proof-of-concept code;
- Your contact information so We can follow up with You.
10.2. Our Commitment
When You report a vulnerability in good faith, We commit to:
- acknowledging receipt of Your report within 3 (three) business days;
- investigating the reported issue promptly and diligently;
- keeping You informed of Our progress in addressing the vulnerability;
- not taking legal action against researchers who report vulnerabilities responsibly and in good faith;
- crediting You (if You wish) once the vulnerability has been resolved.
10.3. Responsible Disclosure Guidelines
We ask that security researchers:
- do not publicly disclose the vulnerability before We have had a reasonable opportunity to address it;
- do not access, modify, or delete data belonging to other users;
- do not perform actions that could degrade the availability or performance of Our systems;
- comply with all applicable laws and regulations during their research.
11. Contact Information
If You have any questions, concerns, or reports related to security, please contact Us using any of the following methods:
- by email: admin@happ.tools,
- by phone: +38 (099) 482 9573,
- by Telegram: @slavasaloid,
- or by using the contact form available on the Website.
For security-related matters, We will make every effort to respond as soon as possible. For vulnerability reports, We aim to acknowledge receipt within 3 (three) business days.
This Security Information page may be updated from time to time to reflect changes in Our security practices, infrastructure, or applicable regulations. We encourage You to review this page periodically.