Security & Trust

How HUT handles trust, account protection, and launch operations

HUT is built for real estate operators who need to trust the data surface, billing flow, and account controls before they put real work through the product. This page summarizes the security and operational posture that is already visible in the product today.

Account protection

  • Sign-in and signup flows are protected with CSRF controls, Turnstile CAPTCHA, and rate limiting.
  • Two-factor authentication and active-session review are exposed from account settings for supported accounts.
  • Session cookies are signed and HttpOnly, and deployments can use server-side session storage when Redis is configured.
  • Password reset and email verification are first-class flows, not manual support workarounds.

Billing and payments

  • Customer card handling is delegated to hosted billing providers rather than stored directly by HUT.
  • The billing portal surfaces plan changes, payment-method updates, invoices, and cancellation at period end.
  • Pricing, plan differences, trial timing, and cancellation behavior are explained on the public pricing page.
  • Privacy and terms pages are published and linked from all public conversion surfaces.

Monitoring and recovery

  • Error tracking and health endpoints are part of the application stack before launch, not after.
  • Backup, restore, rollback, and incident-response procedures are documented in the launch operations runbook.
  • Launch readiness is treated as an operational discipline with a critical-path test pass, owner assignments, and rollback rules.
  • Vulnerability disclosures can be sent through the contact path published in security.txt.

Data and privacy

  • HUT aggregates public-record and licensed data sources, and the product warns users to independently verify critical legal or financial decisions.
  • Privacy disclosures explain what account, billing, and security metadata is collected and why.
  • Public trust cues include privacy, terms, help center access, security.txt, and a documented support path.
  • Feature and plan claims are aligned to the live product surfaces rather than placeholder marketing copy.

Compliance posture & certifications

HUT is a young product, and we are honest about where we are. The list below is the live status of each certification or audit: no theater, no aspirational badges.

SOC 2 Type 1: In progress

Auditor engagement targeted for 2026. Controls (access review, change management, vendor risk, incident response) are documented and exercised today; formal attestation pending audit.

SOC 2 Type 2: Roadmap

Type 2 follows the Type 1 attestation by the standard 6–12 month observation window. Target attestation: Q4 2026. Brokerage customers can request a current security questionnaire response in the meantime at security@huthut.app.

Stripe-hosted payments (PCI scope): Live

All card data is handled by Stripe Checkout / Billing. HUT never stores PANs, CVCs, or full card numbers. PCI scope is delegated to Stripe.

TLS 1.2+ everywhere: Live

All HUT traffic (web and API) requires TLS 1.2 or higher. HSTS is enabled; legacy cipher suites are disabled at the edge.

GDPR / CCPA disclosures: Live

The privacy policy describes the data we collect, why we collect it, and how to request export or deletion. Send requests to privacy@huthut.app.

Compliance audit log (Broker): Live

The Broker Enterprise tier captures team activity (sign-in, document access, approval decisions) in a tamper-evident audit log that is exportable on request.

Need our current security questionnaire (CAIQ-Lite, vendor security review)? Email security@huthut.app with your firm’s template.

Reference links
