How Highbar keeps your data safe
A practical guide to our security, privacy, and data handling practices. Whether you're evaluating Highbar or already a customer, this page gives you clear answers to the most common security questions we get. No jargon, no fluff.
Snapshot
Here's the quick version for security reviewers and busy IT teams. The full details are below.
- Data is hosted on Google Cloud Platform and Vercel with encryption at rest and in transit
- We use a multi-database architecture. Authentication, attendee data, event content, and settings live in separate isolated databases.
- Personal data processing is minimal. We store what's needed to run your event: email addresses for login, attendee profiles from your registration system, and optional user-generated content like bookmarks and messages.
- We don't sell, enrich, or monetize attendee data. Your data belongs to you and your attendees.
- Each event is isolated. Multi-tenant architecture means attendees from one event can never access another event's data.
- No static credentials. We use Google's Workload Identity Federation, so there are no API keys or passwords floating around.
Frequently Asked Questions
Where is data stored?
Data lives on Google Cloud Platform (Cloud SQL) and Vercel. GCP hosts attendee profiles, event content, and settings. Vercel hosts authentication. All databases use provider-level encryption at rest.
What personal data do you process?
We process email addresses (for login), attendee profile data provided by event organizers (name, company, title, bio), session bookmarks, push notification tokens, and optional messaging content. We don't collect payment information, government IDs, or sensitive personal categories.
How does authentication work?
Email-based one-time passcodes. A 6-digit code is generated, hashed, and sent via Postmark. Sessions are stored in the database with HttpOnly, SameSite, and Secure cookie flags. No passwords to manage or reset.
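The passcode flow described above, as an added example that is not Highbar's own code: the code is generated from a CSPRNG, only a salted hash of it is stored, verification uses a constant-time compare, the code is single-use with an expiry and an attempt limit, and a successful check mints a session whose cookie carries the HttpOnly, Secure and SameSite flags. The TTL, attempt limit, salted SHA-256 and the in-memory store are assumptions made for the example; the page only says the code is hashed and that sessions live in the database.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed policy values (assumptions, not Highbar's settings).
OTP_TTL_SECONDS = 600        # a code is valid for ten minutes
MAX_ATTEMPTS = 5             # wrong guesses allowed before the code is voided
SESSION_MAX_AGE = 7 * 86400  # cookie lifetime in seconds


@dataclass
class PendingOtp:
    code_hash: bytes      # only the hash is stored; the code itself is never persisted
    salt: bytes
    expires_at: float
    attempts: int = 0


@dataclass
class AuthStore:
    """Stand-in for the auth database: pending codes and active sessions."""
    pending: Dict[str, PendingOtp] = field(default_factory=dict)
    sessions: Dict[str, dict] = field(default_factory=dict)


def _hash_code(code: str, salt: bytes) -> bytes:
    # Salted SHA-256 is an assumption; the page only says the code is hashed.
    return hashlib.sha256(salt + code.encode("ascii")).digest()


def issue_otp(store: AuthStore, email: str, now: Optional[float] = None) -> str:
    """Create a 6-digit code for `email`, store its hash, return the code for delivery."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, leading zeros kept
    salt = secrets.token_bytes(16)
    store.pending[email.lower()] = PendingOtp(_hash_code(code, salt), salt, now + OTP_TTL_SECONDS)
    return code  # handed to the email provider; the caller must not log it


def verify_otp(store: AuthStore, email: str, submitted: str,
               now: Optional[float] = None) -> Optional[str]:
    """Check a submitted code. On success, void it and return a new session token."""
    now = time.time() if now is None else now
    key = email.lower()
    entry = store.pending.get(key)
    if entry is None:
        return None
    if now > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
        store.pending.pop(key, None)   # expired or guessed too often: void it
        return None
    entry.attempts += 1
    if not hmac.compare_digest(_hash_code(submitted, entry.salt), entry.code_hash):
        return None                    # wrong guess; the attempt is counted
    store.pending.pop(key, None)       # single use: a correct code cannot be replayed
    token = secrets.token_urlsafe(32)
    # Store a hash of the token so a read of the table alone cannot mint valid cookies.
    store.sessions[hashlib.sha256(token.encode("ascii")).hexdigest()] = {"email": key, "created": now}
    return token


def session_cookie(token: str) -> str:
    """Set-Cookie value with the flags named on the page (HttpOnly, Secure, SameSite)."""
    return (f"hb_session={token}; Path=/; Max-Age={SESSION_MAX_AGE}; "
            "HttpOnly; Secure; SameSite=Lax")


def session_for_cookie(store: AuthStore, token: str) -> Optional[dict]:
    """Resolve a presented cookie token back to its session record."""
    return store.sessions.get(hashlib.sha256(token.encode("ascii")).hexdigest())
```

The attempt counter is incremented before the comparison, so a correct code submitted after the limit is reached is refused as well; that is what turns a six-digit space into something that cannot be enumerated within the code's lifetime.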
How is event data isolated?
Each event operates under its own subdomain. Authentication is scoped by event, preventing cross-event access. Every database query is filtered by event. Attendees of Event A cannot see or access anything from Event B.
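A way to implement the isolation just described, added here as an example and not Highbar's code: the request's subdomain is mapped to an event, the login session must be for that same event, and a repository bound to the event appends the event predicate to every query so callers cannot forget it. The base domain, the two-table schema, the sample rows and the SQLite backend are constructed for the example.

```python
import sqlite3
from typing import List, Optional, Tuple

BASE_DOMAIN = "example.test"   # constructed base domain (assumption)


def event_from_host(host: str) -> Optional[str]:
    """Map a request Host header to an event slug, or None if it is not an event subdomain."""
    host = host.split(":", 1)[0].lower()       # drop any port
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None
    slug = host[: -len(suffix)]
    if not slug or "." in slug:                # exactly one label, e.g. "event-a"
        return None
    return slug


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two events sharing one database (multi-tenant)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE attendees (id INTEGER PRIMARY KEY, event_id TEXT NOT NULL, name TEXT NOT NULL);
        CREATE TABLE sessions  (id INTEGER PRIMARY KEY, event_id TEXT NOT NULL, title TEXT NOT NULL);
        CREATE INDEX attendees_event ON attendees(event_id);
        CREATE INDEX sessions_event  ON sessions(event_id);
    """)
    conn.executemany("INSERT INTO attendees (event_id, name) VALUES (?, ?)",
                     [("event-a", "Ada"), ("event-b", "Bo")])
    conn.executemany("INSERT INTO sessions (event_id, title) VALUES (?, ?)",
                     [("event-a", "Keynote A"), ("event-b", "Keynote B")])
    conn.commit()
    return conn


class EventScopedRepo:
    """Data access bound to one event; the event predicate is added to every query."""
    TABLES = {"attendees", "sessions"}   # allow-list for the table name

    def __init__(self, conn: sqlite3.Connection, event_id: str):
        if not event_id:
            raise ValueError("event_id is required")
        self.conn = conn
        self.event_id = event_id

    def _select(self, columns: str, table: str, where: str = "1 = 1",
                params: Tuple = ()) -> List[Tuple]:
        if table not in self.TABLES:
            raise ValueError(f"unknown table {table!r}")
        # `columns` and `where` are fixed strings written in this class; request
        # input only ever arrives through `params`, and the event filter is always appended.
        sql = f"SELECT {columns} FROM {table} WHERE ({where}) AND event_id = ?"
        return self.conn.execute(sql, (*params, self.event_id)).fetchall()

    def list_sessions(self) -> List[Tuple]:
        return self._select("id, title", "sessions")

    def get_attendee(self, attendee_id: int) -> Optional[Tuple]:
        # A row id from another event resolves to nothing, not to that event's data.
        rows = self._select("id, name", "attendees", "id = ?", (attendee_id,))
        return rows[0] if rows else None


def repo_for_request(conn: sqlite3.Connection, host: str,
                     session_event_id: str) -> Optional[EventScopedRepo]:
    """Refuse unless the subdomain's event and the login session's event agree."""
    event_id = event_from_host(host)
    if event_id is None or event_id != session_event_id:
        return None
    return EventScopedRepo(conn, event_id)
```

Two checks do the work: a session issued for one event is rejected on another event's subdomain before any query runs, and within a request the repository never exposes a query path that lacks the event filter, so a guessed or leaked row id from Event B returns nothing to an Event A attendee.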
Do you use AI? What data does it see?
Yes. The AI Copilot (powered by Google Gemini) helps attendees navigate sessions, speakers, and sponsors. It receives the user's question and event-specific content. It does not receive attendee personal data beyond the current query. Content safety filtering is applied to networking features.
Do you sell or share attendee data?
No. Never. We don't sell, enrich, profile, or monetize attendee data. Data is processed solely to deliver the event experience to attendees and reporting to you.
Do you have a SOC 2 certification?
We don't hold an independent SOC 2 or ISO 27001 certification for Highbar itself. Our infrastructure providers do: Google Cloud Platform is SOC 2 Type II, ISO 27001, and GDPR compliant. Vercel is SOC 2 compliant. As we scale, independent certification is on our roadmap.
What happens if something goes wrong?
We follow standard incident response practices. If there's a data breach, affected organizers and attendees are notified within timeframes required by law. Database backups are managed by Google Cloud and Vercel.
Infrastructure & data centers
Google Cloud Platform
Our primary infrastructure for databases, AI, and file storage. GCP handles the heavy lifting for attendee data, event content, and the AI Copilot.
- Cloud SQL, Vertex AI, Cloud Storage
- SOC 2 Type II, ISO 27001, GDPR compliant
- Keyless authentication via Workload Identity Federation
- Automatic SSL certificate rotation
Vercel
Our application and authentication layer. Vercel hosts the app itself, manages auth sessions, and delivers the experience globally via their edge network.
- Application hosting, database, KV cache, analytics
- SOC 2 compliant
- Global edge network for low-latency delivery
Sub-processors
These are the third-party services that process data on our behalf to deliver Highbar. We vet each provider for security practices and limit data sharing to what's required for their specific function.
Each entry gives the function the provider performs, followed by the data it processes for that function:
- Database hosting, AI services, file storage: attendee profiles, event content, AI queries
- Application hosting, auth, cache: session tokens, auth data, analytics
- Real-time attendee messaging: user IDs, messages
- Push notifications: device tokens, notification content
- Email delivery (OTP codes): email addresses
- AI Copilot: user queries, event context
Database security
Our database infrastructure uses multiple layers of protection:
- Multi-database isolation: Four separate databases with distinct credentials
- Encrypted connections: TLS/SSL on all database connections with automatic certificate rotation
- Keyless authentication: No static database passwords in production
- Encryption at rest: Managed by Google Cloud SQL and Vercel
- Automated backups: Managed by cloud providers
Need a DPA or NDA?
Most teams don't need extra paperwork to use Highbar. But if your organization has vendor vetting or procurement requirements, we're happy to provide a Data Processing Agreement (DPA) or Mutual NDA. Just reach out.
Still have questions?
Email us or start a chat on the website. We respond quickly and are happy to help your legal or security team get what they need.
