Security at Hemma starts with collecting less, sharing narrowly, and building on trusted foundations. We aim to protect personal information from misuse, loss and unauthorised access, in line with our obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles. This page explains the main controls we rely on.
Hemma is built on established cloud infrastructure rather than servers we run ourselves. Our database, authentication and file storage are provided by Supabase, and our application is hosted on Vercel. These providers operate hardened data centres with their own physical and network security. Some infrastructure may be located outside Australia; see our Privacy Policy for what that means for your data.
Signing in is handled by a dedicated authentication system that issues short-lived, signed access tokens. Every request to Hemma’s servers is verified before any data is returned. Within Hemma, what you can see and do is governed by your role — resident, committee or building manager — so people only get the access they need.
Hemma is multi-tenant: many buildings share the same service. Our access controls are designed so that members of one building cannot see another building’s announcements, directory or content. These checks are enforced on our servers on every request, not just hidden in the interface.
Our database infrastructure provides automated backups so we can recover data in the event of a failure. We rely on the resilience and redundancy of our cloud providers to keep the service available.
If you believe you’ve found a security issue in Hemma, we’d genuinely like to hear from you. Please email security@myhemma.app with enough detail to reproduce the issue, and give us a reasonable opportunity to fix it before disclosing it publicly.
We ask that you don’t access, modify or delete other people’s data, don’t degrade the service, and act in good faith. If you do, we’ll treat your research as authorised, won’t pursue action against you for it, and will work with you on a fix.
We have processes to detect, investigate and respond to security incidents. If a data breach occurs that is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner as required by the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).
Security is shared. Please use a strong, unique password, keep your login details private, sign out on shared devices, and let us know straight away if something looks wrong with your account. Building managers should only invite people who are entitled to access, and remove people who move out.
Hemma is an early-stage product being rolled out building by building. We’ve built on solid foundations and follow sensible practices, but we don’t yet hold formal certifications such as ISO 27001 or SOC 2. We’d rather be straight with you about that than imply otherwise — and we’ll keep strengthening our security as Hemma grows.
Security questions or reports: security@myhemma.app. For anything else, hello@myhemma.app.