Trust & Safety
Security at Harbor
Client records are among the most sensitive data that exists. Here is how we protect them.
Last updated: July 1, 2026
Compliance
HIPAA-compliant infrastructure
Designed to meet HIPAA Security Rule requirements. BAAs available to all subscribers.
Location
US data centers only
All data is stored and processed in the United States on Google Cloud Platform.
Encryption
Encrypted at rest and in transit
TLS 1.2 or higher for all connections. AES-256 encryption for data at rest.
AI isolation
Client data never enters AI systems
AI features are opt-in and architecturally separated from clinical records.
Infrastructure and hosting
Harbor runs on Google Cloud Platform (GCP), one of the most widely used enterprise cloud environments. GCP maintains its own comprehensive set of security certifications, including SOC 2 Type II, ISO 27001, and FedRAMP authorization.
All Harbor data is stored in US-based GCP data centers. We do not replicate data outside the United States. Our environment is logically isolated from other GCP tenants.
Encryption
All data transmitted between your browser (or app) and Harbor servers is encrypted using TLS 1.2 or higher. We do not support older, weaker protocol versions.
All data stored in our databases is encrypted at rest using AES-256. Backups are encrypted using the same standard. Encryption keys are managed by Google Cloud's Key Management Service and are not accessible to Harbor application code.
Access controls
Access to Harbor systems follows the principle of least privilege. Employees are granted access only to the systems and data required for their role, and that access is reviewed regularly.
Production database access requires multi-factor authentication and is restricted to a small number of senior engineers. All access is logged. We do not have standing access to client records; accessing a specific record for support or debugging purposes requires an explicit authorization step and leaves an audit trail.
- Multi-factor authentication required for all production system access.
- Role-based access controls limit what each team member can view or modify.
- All administrative actions are logged with timestamp, user, and action detail.
- Access is reviewed quarterly and revoked immediately on offboarding.
Audit logs
Harbor maintains audit logs of all significant actions within the platform, including logins, record creation and modification, exports, and configuration changes. Logs are immutable and retained for a minimum of 12 months.
Within your Harbor account, you can view a log of recent activity on your practice. If you need a full audit log for compliance purposes, contact contact@mainchar.ai.
AI data isolation
Harbor offers optional AI features such as session note drafting assistance. These features are off by default for every account.
When you opt into an AI feature, the content you submit for that specific interaction is processed by our AI pipeline. Client records are not bulk-ingested into any AI system. Records you have not explicitly submitted to an AI feature remain entirely outside the AI pipeline.
We do not use client data to train AI models, and we do not allow our AI infrastructure providers to use client data for model training. This is a firm constraint, not a default setting.
Vulnerability management
We conduct regular security reviews of our codebase and infrastructure. Dependencies are monitored for known vulnerabilities using automated tooling, and critical patches are applied promptly.
We perform periodic penetration testing by qualified third parties. Findings are triaged and remediated based on severity.
If you discover a security vulnerability in Harbor, we ask that you report it to us responsibly before disclosing it publicly. Contact us at contact@mainchar.ai with details. We will acknowledge your report within two business days and keep you informed as we investigate and resolve the issue.
Incident response
In the event of a confirmed security incident affecting your data, we will notify affected subscribers promptly and no later than the timeframe required by applicable law and our Business Associate Agreements.
Our incident response process includes:
- Immediate containment to stop further unauthorized access.
- Forensic investigation to determine scope, cause, and affected data.
- Notification to affected subscribers with details of what was accessed and recommended actions.
- Regulatory notification as required under HIPAA's Breach Notification Rule.
- A post-incident review to identify and correct the root cause.
Backups and availability
Client records are backed up automatically on a daily basis. Backups are stored in a separate GCP region within the US, encrypted, and retained for 90 days. We test backup restoration periodically to confirm recoverability.
Harbor is designed for high availability. We target 99.9% monthly uptime. Planned maintenance windows are communicated in advance. In the event of an unplanned outage, we post status updates at the Harbor status page and notify subscribers by email for outages exceeding 30 minutes.
Questions and reports
For security questions, vulnerability disclosures, or to request a copy of our Business Associate Agreement, contact:
MainCharacter, Inc.
contact@mainchar.ai
We aim to respond to all security-related inquiries within two business days.