Last Updated: May 29, 2025

INTRODUCTION

Security is integral to HomeTree Digital’s core principles of Control, Consent, and Collaboration and so we take it seriously. This Security Practices page describes the organizational, technical, and physical controls applicable to HomeTree Digital, including our Services, as more specifically described in your governing agreement with HomeTree Digital. 

These policies and practices may change as the Services and industry evolve, so please check back regularly for updates. Capitalized terms used below but not defined in this policy have the meaning set forth in the governing agreement. 

HOMETREE DIGITAL PLATFORM CONTROLS

Architecture and Data Segregation 

HomeTree Digital operates a multi-tenant software-as-a-service system, using a shared infrastructure for all users. We have implemented measures designed to ensure the logical separation of Customer Data, as more specifically defined in your governing agreement with HomeTree Digital covering the use of the Services. These measures include the use of access lists and association of Customer Data with unique customer IDs. 

Public Cloud Infrastructure 

HomeTree Digital utilizes Amazon Web Services (AWS) for its public cloud infrastructure. The services provided by AWS include web hosting, user management, backend API, computer, database, monitoring, and automation. HomeTree Digital does not use a private or hybrid cloud. 

Audits 

HomeTree Digital has a robust audit system in place designed to continuously monitor for vulnerabilities, instances of non-compliance, and misconfigurations. Auditing is performed by internal parties as well as respected and accredited external firms. 

SECURITY CONTROLS

HomeTree Digital has established a comprehensive security control framework aligned to our defined security policies, risk management program, and industry-leading best practices and standards. This rigorous approach is designed to safeguard the confidentiality, integrity, and availability of any Customer Data that is processed, transmitted, or stored by HomeTree Digital. 

The security controls that we have put in place encompass a wide range of measures, including: 

  • Access Management: HomeTree Digital uses a centralized system for managing identities, governing access to all key systems and physical access to sensitive office locations. Administrators and incident responders can use this to easily terminate and disable all authenticated sessions. All access is granted based on approved requests, and we conduct monthly reviews of access to any sensitive system. 
  • Company-wide multi-factor authentication: To protect HomeTree Digital staff identities, we employ industry leading security practices, such as requiring all staff members to use a FIDO2 compliant authentication factor, such as a physical security key or WebAuthn. 
  • Audit Logging: We meticulously log every access and action taken by HomeTree Digital staff, as well as all customer authentication-related events. This includes recording details such as the type of device used, IP addresses, and any registered abnormalities such as impossible travel. 
  • Host Management: We enforce stringent security requirements such as screen lockouts, full disk encryption, installed anti-malware and endpoint detection and response software, remote wiping & locking capabilities, and the use of up-to-date software. 
  • Network Protection: We implement multi-factor authentication (MFA) for access to our AWS environments, ensuring that only authorized personnel can manage production resources, including servers and databases. Our infrastructure is secured with network policies that restrict access to only what is necessary, following the principle of least privilege. Additionally, we enforce firewalls configured according to industry’s best practices and ensure that all communications occur over encrypted channels utilizing Transport Layer Security (TLS) 1.2 or higher to protect data in transit. 
  • Cloud Security Posture Management: We continuously monitor our cloud infrastructure for misconfigurations, as well as exposure, vulnerability, and patch management issues. 
  • Application Security: We have implemented a secure software development lifecycle policy. New features and significant changes undergo a threat modeling and review process. We also utilize continuous static code scanning and software composition analysis to detect and mitigate any potential vulnerabilities in our applications as early as possible. 
  • Change Management: All application code changes go through our change management process, which is designed to track changes in the system to help ensure that modifications are necessary, safe, and improve the system’s functioning. Further, code changes are peer reviewed prior to being deployed to production. 

It’s important to note that the protection of Customer Data is a shared responsibility. Customers have responsibility and control over various measures, including: 

  • Data sharing: Customers have control over the nature of content they submit to the Services and the sharing of videos, templates, avatars, voices, and assets. 
  • Content generation: Customers can enable or disable the use of AI-assisted generation of content. 
  • Single Sign-On: Customers have control over how Single Sign-On (SSO) is governed on their end. 
  • Workspace access: Customers can manage access to their workspace by inviting other users or guests.

Intrusion Detection 

HomeTree Digital employs a robust intrusion detection system around its infrastructure. HomeTree Digital partners with 24/7 managed detection and response providers that specialize in identifying and addressing security threats across endpoints, cloud infrastructure, and identities. This proactive approach underpins our commitment to robust system security and data protection.  

Security Logs 

Security-relevant events originating from HomeTree Digital infrastructure, including events related to authentication and actions taken by staff, are logged and audited. These logs are stored for up to 4 years and are protected from unauthorized access. Logs cannot be deleted or modified, even by an administrator.  

Incident Management 

HomeTree Digital has a well-established and documented incident response plan for managing incidents. This plan is reviewed at least annually and is communicated to all relevant parties. We also have an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality. 

All incidents are documented in HomeTree Digital’s security incident register, and all actions taken during an incident are documented and reviewed once the emergency is over. HomeTree Digital notifies impacted customers without undue delay of any unauthorized disclosure of their respective Customer Data by HomeTree Digital or its agents of which HomeTree Digital becomes aware, to the extent permitted by law. 

Data Encryption 

HomeTree Digital employs robust encryption mechanisms designed to protect Customer Data. All stored Customer Data is encrypted using the 256-bit Advanced Encryption Standard (AES-256). The encryption keys are stored and managed within the Amazon Key Management Service (KMS) and are rotated regularly. Amazon KMS uses hardware security modules (HSMs) that have been validated under the Federal Information Processing Standard 140-2 (FIPS 140-2). Amazon KMS is designed so that no one, including AWS employees, can retrieve the plaintext KMS keys from the service. 

All communication is encrypted in transit using TLS 1.2+. We have a cryptography policy in place, which outlines encryption and key management policies and procedures. 

Reliability, Backup, And Business Continuity 

HomeTree Digital has a robust system in place designed to improve reliability, backup, and business continuity 

Our infrastructure uses AWS services, which offer resilience against natural disasters in multiple availability zones. The target for full system recovery is set at 72 hours with a recovery point objective of 24 hours. We perform daily backups of the production databases for point-in-time recovery and daily snapshots, retaining these backups for at least five weeks. Backups are stored securely using AWS services, encrypted, and access-controlled, following the principle of least privilege. The backup recovery and deployment protocols are tested at least annually 

Redundant architecture exists such that resources are distributed across geographically dispersed data centers to help support continuous availability, as described in the data residency section below. 

Additionally, our business continuity and disaster recovery plans are tested at least annually. 

Data Residency 

Storage and processing is performed within the cloud infrastructure provided by Amazon Web Services (AWS). Customer Data is currently stored within the United States (U.S.), in data centers based in Ohio. Operational backups are also stored in Ohio. Storage facilities use multiple availability zones, each with redundant power and networking, and physically separated by a number of miles. Video processing is performed in the United States of America (USA), specifically in Ohio. 

Return of Customer Data 

During the term of a customer’s subscription, the customer is able to export generated videos from the Services via download onto an MP4 format. After the termination of a customer’s governing agreement with HomeTree Digital, we are able to assist them in retrieving any generated videos in MP4 format for up to 90 days following the end of the relationship. 

Deletion of Customer Data 

Customers manage the content they create using the Services and can request that HomeTree Digital delete it from the platform. Following a request, it can take up to 90 days for Customer Data to be permanently deleted from HomeTree Digital’s system, including backups. If a request is made to delete such Customer Data upon termination of an account, HomeTree Digital will delete all copies permanently and provide confirmation of deletion. If no request for deletion is made after termination of an account, the information will automatically be deleted within 90 days. HomeTree Digital uses AWS services for data erasure and relies on AWS for physical security controls, including ensuring proper data disposal.  

Personnel Practices 

HomeTree Digital has robust personnel practices in place to help HomeTree Digital exercise appropriate control and supervision over its personnel, including strict hiring policies with background checks and scrutiny based on job function and location. All employees are trained on information security and privacy policies as part of the onboarding process, with ongoing periodic security training provided at least annually. Employees must agree to our security policies.  

All employees are bound by our internal policies, including:  

  • Role-based access limitations designed around the principle of least privilege with a monitored approval process 
  • Execution of a Non-Disclosure Agreement or similar confidentiality agreements 
  • Comprehensive privacy and security training. 
  • Immediate termination of access upon conclusion of employment 
  • Physical access restrictions, such as key cards and video monitoring 
  • Full audit logging of all access to our backend infrastructure, including actions taken 
  • Proactive threat intelligence management, such as dark web monitoring 
  • Use of FIDO2 compliant biometric or security keys, strong password complexity, default multi-factor authentication, and a password manager