
Security Policy


Last updated March 2026

This Security Policy describes how Henric Sweden AB ("Henric," "we," or "us") protects your data when you use our platform at app.henricai.com, our website at henricai.com, and any related services (together, the "Services").

This Security Policy is part of your Agreement with Henric. Any capitalized terms used but not defined here have the meaning set forth in the applicable Subscriber Agreement. The computing services used to deliver the Henric Platform are cloud-based and hosted within the EU/EEA ("Cloud Environment").

1 Security overview

Henric is a Swedish company operating within the EU. We are committed to maintaining a high level of security for all data processed through our Services. As a company handling property management data, we understand the sensitivity of the information entrusted to us.

Current security measures

  • Currently in the ISO/IEC 27001:2022 certification audit for our Information Security Management System (ISMS).
  • Full compliance with the General Data Protection Regulation (GDPR) and Swedish data protection law (Dataskyddslagen).
  • All data hosted within the EU/EEA.
  • Encryption of all data in transit and at rest.
  • Secure authentication for all users.
  • Zero-training-data agreement with our AI provider (Anthropic).
  • Data Processing Agreements (DPAs) with all sub-processors.

Certifications

Henric is currently in the ISO/IEC 27001:2022 certification audit for its Information Security Management System. Our cloud infrastructure providers maintain ISO 27001 certifications.

2 Data hosting and residency

2.1 Location

All Customer Data is hosted within the European Union. Our primary infrastructure is hosted in the EU/EEA region (Frankfurt, Germany). Customer Data never leaves the EU/EEA unless explicitly required and agreed upon with appropriate safeguards in place.

2.2 Sub-processors

Any Customer Data processed by Henric's sub-processors is restricted to the EU/EEA or is subject to appropriate GDPR transfer mechanisms, including Standard Contractual Clauses (SCCs) where required.

2.3 AI processing

Content processed through our AI features is sent to Anthropic's API. Anthropic processes this data within the EU/EEA under our Data Processing Agreement. Content is processed in real-time and is not retained by Anthropic beyond the immediate API request.

3 Encryption

3.1 Data at rest

All Customer Data stored by Henric is encrypted at rest using AES-256 encryption or equivalent.

3.2 Data in transit

All data transmitted between your device and our Services is encrypted using TLS 1.2 or higher. All connections to the Henric platform require HTTPS. We do not support unencrypted HTTP access.

3.3 API communications

All communications between Henric and our AI provider (Anthropic) are encrypted using TLS 1.2 or higher. API keys and credentials are stored securely and never exposed in client-side code.

4 Access controls

4.1 Internal access

Access to our Cloud Environment by Henric personnel requires a unique user ID, multi-factor authentication (MFA), and strong passwords meeting minimum length and complexity requirements. Access is granted on a least-privilege basis — personnel only have access to the systems and data necessary for their role.

4.2 Customer Data access

Henric personnel will not access Customer Data except: (i) as necessary to provide or support the Services, (ii) to investigate and resolve technical issues reported by you, or (iii) as required by law or a binding order of a governmental body. All access to Customer Data is logged.

4.3 Confidentiality

All Henric personnel are required to sign confidentiality agreements and acknowledge their responsibility for reporting security incidents involving Customer Data.

4.4 User authentication

Users access the Henric platform through secure authentication. Passwords are stored using industry-standard hashing algorithms and are never stored in plaintext. We support and encourage the use of strong, unique passwords.

5 AI processing security

5.1 AI provider

Henric uses Anthropic (Claude) as our AI provider. We maintain a Data Processing Agreement with Anthropic that ensures all processing is GDPR-compliant and occurs within the EU/EEA.

5.2 Zero training guarantee

Your data is never used to train AI models. Customer Data processed through our AI features is not used by Henric or Anthropic to train, fine-tune, or improve any AI model. This is contractually guaranteed in our agreement with Anthropic.

5.3 Data retention by AI provider

Anthropic operates with a zero-retention policy for API requests. Prompts and outputs are not stored by Anthropic beyond the immediate processing session. Content is processed in real-time and discarded after the response is delivered.

5.4 Content flow

When you use Henric's AI features, the following occurs:

  • You upload a document or submit a query in Henric.
  • Henric transmits the relevant Content to Anthropic's API over an encrypted connection.
  • Anthropic processes the request and returns a response.
  • Anthropic discards the Content — no data is retained.
  • Henric stores your Content on EU-hosted servers as part of your workspace, subject to the applicable Subscriber Agreement.

6 Connected services security

Henric integrates with third-party services to provide document access. We apply the following security principles to all integrations:

6.1 Google Drive

When you connect your Google Drive, Henric uses OAuth 2.0 for authentication and only accesses files you explicitly select. We do not access, scan, or index your entire Drive. Access tokens are stored securely and can be revoked at any time.

6.2 Microsoft SharePoint

When you connect your SharePoint environment, Henric uses Microsoft's OAuth 2.0 authentication and only accesses files you explicitly select. We do not access your entire SharePoint environment. Access tokens are stored securely and can be revoked at any time.

6.3 Document uploads

Documents uploaded directly to Henric are transmitted over encrypted connections (TLS 1.2+) and stored encrypted at rest (AES-256) on EU-hosted servers. Uploaded documents are only accessible to authorized users within your organization's workspace.

7 Infrastructure security

7.1 Cloud providers

Our Cloud Environment is maintained by established cloud service providers who maintain ISO 27001 certifications. We verify our providers' certifications on an ongoing basis.

7.2 Network security

We implement network-level security controls including firewalls, intrusion detection, and monitoring of our Cloud Environment. We conduct regular vulnerability assessments.

7.3 Physical security

Henric does not store or process Customer Data at any physical office location. All Customer Data is stored and processed exclusively in our Cloud Environment.

8 Data isolation and multi-tenancy

Henric operates a multi-tenant platform where each Subscriber's data is logically isolated from other Subscribers' data. This means:

  • Each organization's workspace is isolated — users in one organization cannot access data from another organization.
  • AI queries are processed in isolation — one organization's Content is never included in another organization's AI prompts.
  • Administrative access is scoped per organization.

9 Incident detection and response

9.1 Notification

If Henric becomes aware of a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a "Security Incident"), Henric will notify you without undue delay and in no case later than 36 hours after becoming aware of the incident. Notification will be sent to the security contact email address specified in your Subscriber Agreement.

9.2 Response

Upon discovery of a Security Incident, Henric will promptly take reasonable steps to contain, investigate, and mitigate the incident. All security-relevant logs will be preserved for at least one year.

9.3 Communication

In the event of a Security Incident, Henric will provide you with:

  • A description of the nature and scope of the incident.
  • The likely consequences of the incident.
  • The measures taken and/or proposed to contain and mitigate the incident.
  • The status of the investigation.
  • A designated contact point for further information.

10 Business continuity and backups

10.1 Backups

Customer Data is backed up regularly. Backups are encrypted and stored in geographically separate locations within the EU/EEA.

10.2 Availability

We strive to maintain high availability of our Services. In the event of an outage, we will communicate status updates through our designated channels.

11 Customer responsibilities

11.1 Authorization

You are responsible for ensuring that you are authorized to use any documents, data, or other Content with the Services, and that your usage complies with all applicable legal and regulatory requirements.

11.2 Credentials

You are responsible for managing and protecting your credentials. User credentials must be kept confidential and must not be shared with unauthorized parties. You must promptly report any suspicious activities related to your account, including suspected credential compromise, to security@henricai.com.

11.3 Systems

You are responsible for keeping your systems (browsers, operating systems, and other software used to access the Services) up to date and appropriately patched.

11.4 Content

You are responsible for ensuring that any documents or data you upload to Henric do not contain information that you are not authorized to process or share with a third-party service provider.

12 Sub-processors

Henric uses the following categories of sub-processors to deliver our Services:

  • Cloud infrastructure: EU-hosted cloud providers for hosting and storage.
  • AI processing: Anthropic (Claude) for AI-powered features, processed within the EU/EEA.
  • Authentication: Secure authentication services.

A complete and up-to-date list of sub-processors is available on our Sub-processors page. We will notify Subscribers of any changes to our sub-processor list in accordance with the applicable Data Processing Agreement.

13 Changes to this Security Policy

We may update this Security Policy from time to time to reflect changes in our security practices, technologies, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and notify Subscribers through our Services or by email.

14 Contact

If you have any questions about this Security Policy or wish to report a security concern, please contact us:

Henric Sweden AB
Törnrosvägen 74A
181 61 Lidingö
Sweden

Security inquiries: security@henricai.com
General support: support@henricai.com
