Security

Security at M4H.

Your data protection is our priority.

Authentication & access control

  • OAuth 2.0 for every third-party integration. M4H never sees or stores your passwords.
  • Supabase Auth handles user accounts with bcrypt-hashed credentials and refresh-token rotation.
  • Row Level Security policies on every database table mean users can only read and write rows they own.
  • Sessions use short-lived signed JWTs and refresh on each request.

Data protection

  • All traffic between you and M4H is encrypted with TLS 1.2+ over HTTPS.
  • OAuth tokens are stored in PostgreSQL with RLS isolation and encrypted at rest by the database.
  • No permanent storage of third-party data — emails, calendar events, ad metrics, and Drive files are fetched on demand and discarded after the agent acts on them.
  • When you disconnect a service, the corresponding tokens are deleted immediately, not on a schedule.
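The two bullets above that rely on Row Level Security (owner-only rows on every table, and token storage isolated by RLS) can be made concrete with a small PostgreSQL example. This is an added illustration in the Supabase style, not M4H's own schema or policies: the table name, columns, and policy names are assumptions, while `auth.uid()` and the `authenticated` role are standard Supabase conventions.

```sql
-- Added illustration, not M4H's actual schema: a per-user OAuth token table
-- protected by PostgreSQL Row Level Security as Supabase configures it.
-- Table name, columns and policy names are assumed for the example.

create table if not exists oauth_tokens (
  id            uuid primary key default gen_random_uuid(),
  user_id       uuid not null references auth.users (id) on delete cascade,
  provider      text not null,           -- e.g. 'google'
  access_token  text not null,           -- encrypted at rest by the database
  refresh_token text,
  expires_at    timestamptz not null,
  created_at    timestamptz not null default now(),
  unique (user_id, provider)
);

-- Enable RLS and FORCE it so the table owner is also subject to the policies.
-- Note: the Supabase service role bypasses RLS, so that key must stay server-side.
alter table oauth_tokens enable row level security;
alter table oauth_tokens force row level security;

-- Read: a user sees only rows whose user_id matches the JWT subject.
create policy "tokens_select_own" on oauth_tokens
  for select to authenticated
  using (auth.uid() = user_id);

-- Insert: a user can only create rows stamped with their own id.
create policy "tokens_insert_own" on oauth_tokens
  for insert to authenticated
  with check (auth.uid() = user_id);

-- Update: must target an own row AND leave it owned by the same user.
create policy "tokens_update_own" on oauth_tokens
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Delete: the "disconnect a service" path. Even if a client supplies a forged
-- user_id, the policy restricts the delete to the caller's own rows.
create policy "tokens_delete_own" on oauth_tokens
  for delete to authenticated
  using (auth.uid() = user_id);

-- Disconnect Google for the current user: runs immediately, no scheduled cleanup.
delete from oauth_tokens where provider = 'google';

-- Sanity check after deployment: with RLS on, an authenticated session only
-- ever receives its own rows from this query, never another user's tokens.
select provider, expires_at from oauth_tokens;
```

Two points worth verifying in any such setup: every table that holds user data needs RLS enabled (a table without it is readable by any authenticated session through the API), and the `with check` clause on insert and update is what prevents a user from writing rows into someone else's scope, which `using` alone does not cover.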

AI safety

  • Human-in-the-loop for all destructive or irreversible actions. Sending an email, modifying a campaign budget, signing a contract — every one routes through your approval queue.
  • Agents declare their intent before acting so you can see exactly what they’re about to do.
  • Full audit trail of every agent action, including the tool called, the input, and the result.
  • No AI training on user data. Conversations are processed by Anthropic under enterprise terms that explicitly prohibit retention for training.

Infrastructure

  • Web application hosted on Vercel (SOC 2 Type II compliant).
  • Database and authentication on Supabase (SOC 2 Type II compliant), running PostgreSQL in U.S. data centers.
  • AI processing via Anthropic’s Claude API (SOC 2 Type II compliant) under enterprise data terms.
  • Production access requires two-factor authentication and is restricted to a small set of named engineers.

Google API compliance

  • Adherence to the Google API Services User Data Policy, including Limited Use requirements.
  • Google API data is only used to provide and improve user-facing features of M4H.
  • No transfer of Google API data to third parties except as necessary to provide the service or as required by law.
  • No use of Google API data for advertising purposes, ever.
  • No human reads Google API data without your affirmative agreement, except for security investigations or as required by law.

Reporting a vulnerability

  • If you discover a security issue, please email security@bookitlabz.com with details. We aim to acknowledge reports within one business day and triage within three.
  • Please do not test against production data belonging to other users. Set up your own test account first.
  • We do not currently run a paid bug bounty program but we publicly thank everyone who reports valid issues.

Have a question for the security team?

We're happy to walk through our practices in more detail.

Contact us