Security and Data Protection
Security is treated as a product surface, not paperwork. Every control we describe here is implemented in code or in our operations runbook.
- Effective from: 2026-05-03
- Last reviewed: 2026-05-03
- Governing law: Federal Republic of Nigeria
1. Authentication
All access to the Client portal and Studio workspace is gated by the shared Henry Onyx account system. We support strong passwords and time-based one-time-password (TOTP) two-factor authentication. We log every successful and failed sign-in.
2. Authorisation
Database access is controlled by row-level security (RLS) policies. A client can only see and act on records that match their user identity or verified email. Studio staff have access scoped by role membership: client_success, project_manager, developer_designer, finance, sales_consultation, or studio_owner.
3. Encryption
Every page and API call uses TLS 1.2 or higher. At rest, the database is encrypted by the underlying provider. Backups are encrypted with AES-256.
4. File storage
Brand assets, payment proof, and deliverables are stored under restricted access. Direct URLs are signed and short-lived where possible. We do not embed sensitive media in public folders.
5. Payment-flow integrity
Payment proof is uploaded over TLS, scanned for the expected file type (PNG, JPG, WEBP, PDF), and capped at 10 MB. The reference number is checked against existing rows to prevent accidental duplicate submissions. Verification is a finance-only action — clients cannot mark their own payment as verified.
6. Backups and recovery
We run daily encrypted backups. Recovery point objective is 24 hours; recovery time objective for core records is 4 hours.
7. Access for staff
Studio staff sign in through the shared Henry Onyx account with the same authentication safeguards as clients. Access is scoped through role memberships; we audit role membership monthly.
8. Vendor security
Subprocessors are listed in the Privacy Policy and reviewed annually. We rotate secrets at least every ninety (90) days and on personnel transitions.
9. Reporting a vulnerability
If you find a security issue, email security@henryonyx.com. We acknowledge within two (2) working days and aim to remediate critical issues within seven (7) days. We do not pursue legal action against good-faith researchers who follow responsible-disclosure norms.