Security at Harbour

🔒 Harbour utilizes enterprise-grade best practices to protect our customers’ data, and works with independent experts to verify its security, privacy, and compliance controls, and has achieved SOC 2 Type II report against stringent standards. Through an integration with Drata, we continually monitor hundreds of controls to maintain our security and GDPR compliance.

SOC 2 Report

We work with an independent auditor to maintain a SOC 2 report, which objectively certifies our controls to ensure the continuous security of our customers' data.

Developed by the Assurance Services Executive Committee (ASEC) of the AICPA, the Trust Services Criteria is the set of control criteria to be used when evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed by the systems at an entity, a division, or an operating unit of an entity.

Continuous Control Monitoring

Harbour uses Drata’s automation platform to continuously monitor 100+ security and privacy controls across the organization including GDPR compliance. Automated alerts and evidence collection allows Harbour to confidently prove its security and compliance posture any day of the year, while fostering a security-first mindset and culture of compliance across the organization.

Employee Access & Trainings

Security is a company-wide endeavor. All employees are required to use 2-factor authentication for data access, are restricted to only appropriate access levels, and have signed a Non-Disclosure and Confidentiality Agreement when joining the company. In addition, Harbour employees complete an annual security training program and employ best practices when handling customer data.

Penetration Tests

Harbour works with industry leading security firms to perform annual network and application layer penetration tests.

Secure Software Development

Harbour utilizes a variety of manual and automatic data security and vulnerability checks throughout the software development lifecycle.

Data Encryption

Data is encrypted both in-transit using Transport Layer Security (TLS details) and at rest with AES256 (details).


All of our infrastructure and services run in the cloud. We do not run any routers, load balancers, DNS servers, or physical servers. We extensively use the Google Cloud Platform (GCP) and have no physical infrastructure. Our production data storage systems are Google Spanner and Google Cloud Storage (modelled on Gmail tech stack). GCP provides strong security measures, compliance, and auditing across these systems.

Multi-region data storage and automated backups

All of our cloud data is multi-region (within the United States) to avoid any impact from power outages or natural disasters. All our data is also automatically and regularly backed up and replicated across multiple US data center locations.

Harbour Tech Stack

We heavily utilize Google App Engine Standard (Python 3) with Google Spanner and Google Cloud Storage

Click here for the full details.

Identity and Authentication

We leverage enterprise Single Sign-on (SSO) for fully-secured user authentication and identity management (via Google Cloud Identity/oauth2). We do not store user passwords and all organizations and user records are always verified against their pre-existing Google or Microsoft corporate account credentials. With an organization's corporate account settings, we can support 2-factor authentication for recommended, added security as well. Additionally, role-based access controls (RBAC) is available for enterprise accounts.

Compliance, Audit Logs, and Monitoring

We directly monitor and use third-party monitoring software for detecting potential attacks or anomalous network behavior. Every user action in the system is logged and fully auditable (details). Our GCP systems are also regularly audited for ongoing security and compliance (e.g., SOC 2). View the full details and reports here.

Data Retention and Removal

Customers may request to have their data deleted at any time by filling out a support ticket. Please allow two business weeks to process your request.

Terms of Service and Privacy Policy

Check out our dedicated Terms of Service and Privacy Policy pages.

Vulnerability Disclosure Program

If you believe you’ve discovered a bug in Harbour’s security, please let us know by filling out this report and getting in touch at Our security team promptly investigates all reported issues.