Legal company name

Healing Sun Haven LLC

Trade name / DBA

Ruhavyn

Headquarters location

United States

Year founded

2024

Primary security contact

info@healingsunhaven.com

Company website

https://ruhavyn.com

Service description

Enterprise wellness platform with AI therapy, meditation, mood tracking, and video content

2.1.1

How are user passwords stored?

Hashed using bcrypt via enterprise-grade authentication infrastructure. Never stored in plaintext.

2.1.2

Do you support Single Sign-On (SSO)?

Yes. SAML 2.0 and OIDC (Advanced Care/Complete Care tiers).

2.1.3

Do you support Multi-Factor Authentication?

Yes, via SSO provider integration. Native MFA via authentication service.

2.1.4

How are sessions managed?

JWT tokens with configurable expiration. Tokens validated on every request.

2.1.5

What access control model do you use?

Role-Based Access Control (RBAC): Admin, Member, Service roles.

2.1.6

How is admin access restricted?

Company-scoped isolation. Admins can only access their organization's data.

2.1.7

Can admins access user passwords?

No. Passwords are hashed and inaccessible to any administrator.

2.1.8

Can admins read user diary entries?

No. Diary entries are protected by RLS — only the user can access.

2.2.1

What encryption is used for data at rest?

AES-256 via enterprise-grade cloud infrastructure.

2.2.2

What encryption is used for data in transit?

TLS 1.3 for all connections.

2.2.3

Are backups encrypted?

Yes. AES-256 encryption on all backups.

2.2.4

How are API keys stored?

Hashed with SHA-256. Plaintext never stored. Only key prefix visible.

2.2.5

How do you isolate customer data?

Row Level Security (RLS) on all 37 database tables with company_id filtering.

2.2.6

Is there cross-tenant data access possible?

No. RLS policies cryptographically isolate all company data.

2.2.7

Do you encrypt user email addresses?

Yes. Military-grade AES-256 field-level encryption on all user emails (101/101 protected).

2.3.1

How do you prevent SQL injection?

Parameterized queries via secure database SDK. All 48 database functions hardened with SET search_path = public.

2.3.2

How do you prevent XSS attacks?

React's built-in escaping. Input sanitization on all user content.

2.3.3

How do you prevent CSRF attacks?

JWT-based auth with SameSite cookie policies.

2.3.4

Do you have input validation?

Yes. Client and server-side validation using Zod schemas.

2.3.5

How many RLS policies are implemented?

80 Row Level Security policies across all tables.

2.3.6

How many database functions are secured?

48 functions with hardened search_path settings.

3.1.1

Where is the application hosted?

Enterprise-grade cloud infrastructure (backend and frontend).

3.1.2

Where is data stored geographically?

United States (primary). EU hosting available upon request.

3.1.3

What cloud provider is used?

SOC 2 Type II and ISO 27001 certified cloud infrastructure.

3.1.4

Is this a multi-tenant architecture?

Yes, with strict data isolation via RLS.

3.1.5

Where is SSO infrastructure hosted?

Self-hosted on SOC 2 Type II certified infrastructure.

3.2.1

Is a WAF deployed?

Yes, via enterprise cloud infrastructure.

3.2.2

Is DDoS protection in place?

Yes, via enterprise cloud infrastructure with automatic mitigation.

3.2.3

Are all connections encrypted?

Yes. TLS 1.3 required for all connections. HTTPS only.

3.2.4

Is there network segmentation?

Yes. Database, API, and frontend are isolated.

3.3.1

What is your uptime SLA?

99.9% uptime SLA. Current performance: 99.95%.

3.3.2

What is your Recovery Time Objective (RTO)?

4 hours.

3.3.3

What is your Recovery Point Objective (RPO)?

1 hour.

3.3.4

How often are backups performed?

Daily automated backups with 7-day Point-in-Time Recovery.

3.3.5

Do you have a disaster recovery plan?

Yes. Documented DR plan with regular testing.

3.3.6

Do you have a business continuity plan?

Yes. Multi-region failover capability.

3.4.1

Where are physical servers located?

N/A — cloud-native architecture. No on-premises infrastructure.

3.4.2

What physical security controls are in place?

Physical security managed by SOC 2 Type II certified cloud providers. Refer to infrastructure provider SOC 2 reports for physical security controls.

3.4.3

Do employees have physical access to data?

No. All data access is through authenticated, audited API connections.

4.1

Are you SOC 2 certified?

SOC 2-ready infrastructure via certified providers (SOC 2 Type II). Formal Ruhavyn certification planned Q2 2026.

4.2

Are you ISO 27001 certified?

Aligned practices via ISO 27001 certified infrastructure.

4.3

Are you GDPR compliant?

Yes. Full GDPR compliance with data export, deletion, and EU hosting options.

4.4

Are you CCPA compliant?

Yes. Privacy controls and data rights implemented.

4.5

Are you HIPAA compliant?

HIPAA-ready infrastructure. BAA available upon request.

4.6

Are you PCI DSS compliant?

Via PCI DSS Level 1 certified payment processor. No card data stored in Ruhavyn systems.

4.7

Do you have a DPA available?

Yes. GDPR-compliant Data Processing Addendum available.

4.8

Can you complete custom security questionnaires?

Yes. Contact info@healingsunhaven.com.

5.1.1

What personal data do you collect?

Email, display name, mood entries, diary entries (optional), usage analytics.

5.1.2

Do you collect sensitive health data?

Mood self-reports and wellness reflections. No medical records or diagnoses.

5.1.3

Do you collect payment information?

No. Payment processed entirely by PCI DSS Level 1 certified payment provider.

5.1.4

How long is data retained?

User data: duration of account + 30 days. Audit logs: 90 days.

5.1.5

Can users export their data?

Yes. Full data export in JSON format via Settings.

5.1.6

Can users delete their data?

Yes. Account deletion with complete data purge within 30 days.

5.2.1

Do you sell personal data?

No. Never.

5.2.2

Do you share data with third parties?

Only with carefully vetted sub-processors necessary for service provision (database infrastructure, payment processing, AI services). All sub-processors maintain SOC 2 Type II certification.

5.2.3

Can employers see employee diary entries?

No. Diary entries protected by RLS — only the user can access.

5.2.4

What analytics do employers see?

Anonymized, aggregated data only. Minimum 10 users for any metric.

6.1

What roles are available?

Admin (company-scoped), Member (standard user), Service (API access).

6.2

How are admin privileges restricted?

Admins only see their company's data via RLS policies. Cannot access other companies.

6.3

Is there privileged access management?

Yes. Admin actions logged with IP, timestamp, and metadata.

6.4

How is user provisioning handled?

Manual via admin dashboard, bulk CSV import, or SCIM (Complete Care).

6.5

How is user deprovisioning handled?

Admin disables user → immediate access revocation → sessions invalidated.

6.6

Is there separation of duties?

Yes. Admin and Member roles with different permissions, enforced at database level.

7.1

Do you maintain audit logs?

Yes. Comprehensive audit logging of all admin and security events.

7.2

How long are logs retained?

90 days (configurable for enterprise).

7.3

Are logs tamper-proof?

Yes. Append-only storage with integrity protection.

7.4

Can customers export audit logs?

Yes. CSV and JSON export (Advanced Care/Complete Care tiers).

7.5

Do you have real-time monitoring?

Yes. Automated monitoring with alerts for security events.

7.6

What events are logged?

Auth events, admin actions, API calls, failed logins, data access patterns.

7.7

Is there intrusion detection?

Yes. Anomaly detection on auth patterns and API usage.

8.1

Do you have an incident response plan?

Yes. Documented 6-step process: Detection → Triage → Containment → Resolution → Notification → Post-mortem.

8.2

What is your incident response time?

Critical: 4-hour containment. Standard: 24-hour response.

8.3

How do you notify customers of breaches?

Within 48 hours for critical incidents. Within 72 hours for GDPR compliance.

8.4

Have you experienced a data breach?

No. Ruhavyn has not experienced any data breaches.

8.5

Do you perform penetration testing?

Internal security reviews completed. Third-party pentest planned Q2 2026.

8.6

Do you have a bug bounty program?

Planned Q3 2026 post-launch.

Database & Authentication

Secure data storage, user authentication, RLS policies

SOC 2 Type II, ISO 27001, HIPAA-ready

Payment Processing

Subscription billing, payment security

PCI DSS Level 1, SOC 2 Type II

AI Infrastructure

Therapeutic AI features, natural language processing

SOC 2 Type II, enterprise-grade privacy

Frontend Hosting

Web application delivery, CDN

SOC 2 Type II, enterprise SLA

Enterprise SSO

Single Sign-On for corporate clients

Self-hosted, SOC 2 certified infrastructure

9.2.1

How do you assess vendor security?

Security questionnaire, SOC 2 reports, contractual requirements.

9.2.2

Are all vendors SOC 2 certified?

Yes. All primary vendors maintain SOC 2 Type II.

9.2.3

How is data shared with AI providers?

Non-sensitive data only (preferred names, general queries). No PHI/PII.

9.2.4

Is user data used to train AI models?

No. Contractually prohibited with all AI providers.

9.2.5

How are vendor changes communicated?

30-day notice for sub-processor changes per DPA.

10.1

Do you provide API access?

Yes. REST API available (Advanced Care/Complete Care tiers).

10.2

How are API keys secured?

SHA-256 hashed. Only prefix visible. Revocable anytime.

10.3

Is there API rate limiting?

Yes. Tier-based: 1,000/month (Advanced Care), 10,000/month (Complete Care).

10.4

Do you support webhooks?

Yes. HTTPS-only with HMAC-SHA256 signatures.

10.5

Is there API documentation?

Yes. OpenAPI specification available to customers.

10.6

How are API keys rotated?

Self-service rotation via admin dashboard. Recommended quarterly.

11.1

Is there a privacy policy?

Yes. Full details are available in the Trust Center at www.healingsunhaven.com.

11.2

Is there a DPA available?

Yes. GDPR-compliant DPA available for download.

11.3

Where is data processed?

United States (primary). EU hosting available.

11.4

How are international transfers handled?

Standard Contractual Clauses (SCCs) for EU transfers.

11.5

Can data residency requirements be met?

Yes. EU hosting available as add-on.

11.6

Do you support data subject requests?

Yes. Export, deletion, and rectification supported.

12.1

Do you have security training for employees?

Yes. Annual security awareness training required.

12.2

Do you perform background checks?

Yes, for all employees with access to customer data or systems.

12.3

Is there a secure development lifecycle?

Yes. Security review required for all code changes.

12.4

Do you use static code analysis?

Yes. Automated scanning in CI/CD pipeline.

12.5

How often are security reviews conducted?

Quarterly internal reviews. Annual third-party assessment (planned).

13.1.1

Do you carry cyber liability insurance?

Yes. Cyber liability insurance is maintained to cover data breach and incident costs.

13.1.2

Do you carry Errors & Omissions (E&O)?

Yes. E&O insurance is maintained as part of our commercial insurance program.

13.1.3

Can you provide proof of insurance?

Yes, upon request for enterprise contracts. Contact info@healingsunhaven.com.

13.2.1

What is your code review process?

All code changes require peer review before merging. Security-sensitive changes require additional security team review.

13.2.2

What is your deployment pipeline?

Git-based version control → automated CI/CD → staging environment → production deployment with rollback capability.

13.2.3

How are secrets managed in development?

Secrets stored in environment variables and secure vault. Never committed to source code.

13.2.4

Do you perform dependency vulnerability scanning?

Yes. Automated dependency scanning for known vulnerabilities in CI/CD pipeline.

SOC 2 Readiness Report

Detailed compliance documentation with 5-layer security architecture

Security Summary

One-page executive overview

Security FAQ

Common B2B security questions

Privacy & Security Policy

Comprehensive data protection policy

Data Processing Addendum

GDPR DPA template

Accessibility Statement

WCAG 2.1 AA compliance

Admin FAQ

Administrator documentation

User FAQ

End-user documentation