WERQHUB

Security & data handling

What we do with your data

A plain-English page for the question every procurement reviewer and executive director needs answered before adopting a new tool. For deeper review, email doug@werqhub.org and we’ll work through your vendor security questionnaire directly.

Where data lives

WERQ Hub runs on Supabase Postgres in a US-West region (Oregon). All database storage is encrypted at rest by the underlying provider (AES-256). All connections to the application use TLS 1.2+ in transit.

Authentication is handled by Supabase Auth (magic links, plus OAuth where applicable), so there are no passwords for us to store.

Who sees your data

Your peer/case data stays inside your organization’s workspace. Other organizations on WERQ Hub don’t see your peers, your cases, your referral logs, or your internal notes — ever. Postgres row-level security enforces this at the database layer, not just in application code.
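What "enforced at the database layer" looks like, as an added illustration rather than WERQ Hub's actual schema or policies: a minimal Supabase-style tenancy model with row-level security on a `cases` table. The table names, the `org_members` membership table, the `is_org_member` helper and the sample UUIDs are all assumptions made for this example; `auth.uid()`, the `authenticated` role and the `request.jwt.claims` setting are Supabase's own.

```sql
-- Added example (not WERQ Hub's schema). Assumed tenancy model: every row
-- carries an org_id, and org_members maps Supabase Auth user ids to orgs.
create table org_members (
  org_id  uuid not null,
  user_id uuid not null,            -- Supabase Auth user id (auth.users.id)
  primary key (org_id, user_id)
);

create table cases (
  id      uuid primary key default gen_random_uuid(),
  org_id  uuid not null,
  peer_id uuid not null,
  notes   text
);

-- The app connects as the Supabase 'authenticated' role; it needs table
-- privileges, but RLS decides which rows those privileges apply to.
grant select, insert, update, delete on cases to authenticated;

-- Enable RLS. With it on and no policy, ordinary roles see zero rows.
alter table cases enable row level security;
-- FORCE applies the policies to the table owner too (defence in depth).
alter table cases force row level security;

-- Assumed helper: is the calling user a member of org p_org?
-- security definer lets it read org_members even if that table is itself
-- locked down; pinning search_path prevents function-shadowing tricks.
create or replace function is_org_member(p_org uuid) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from org_members m
    where m.org_id = p_org and m.user_id = auth.uid()
  );
$$;

-- Read: only rows belonging to an org the caller is a member of.
create policy cases_select_own_org on cases
  for select to authenticated
  using (is_org_member(org_id));

-- Write: USING filters which existing rows may be touched; WITH CHECK
-- rejects new or updated rows tagged with an org the caller is not in.
create policy cases_write_own_org on cases
  for insert to authenticated
  with check (is_org_member(org_id));
create policy cases_update_own_org on cases
  for update to authenticated
  using (is_org_member(org_id))
  with check (is_org_member(org_id));
create policy cases_delete_own_org on cases
  for delete to authenticated
  using (is_org_member(org_id));

-- Reviewer check: impersonate a user inside a transaction (constructed ids)
-- and confirm other orgs' rows are hidden by the database, not by the app.
insert into org_members values
  ('aaaaaaaa-0000-0000-0000-000000000001', '11111111-1111-1111-1111-111111111111');
insert into cases (org_id, peer_id) values
  ('aaaaaaaa-0000-0000-0000-000000000001', gen_random_uuid()),  -- caller's org
  ('bbbbbbbb-0000-0000-0000-000000000002', gen_random_uuid());  -- another org

begin;
set local role authenticated;
set local request.jwt.claims =
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';

-- The WHERE deliberately targets rows the caller must NOT see.
-- Without RLS this returns 1; with the policies above it returns 0.
select count(*) from cases where not is_org_member(org_id);

-- Writing into another org's workspace is refused by WITH CHECK:
-- ERROR: new row violates row-level security policy for table "cases"
insert into cases (org_id, peer_id)
  values ('bbbbbbbb-0000-0000-0000-000000000002', gen_random_uuid());
rollback;
```

Two caveats a reviewer should ask about: the Supabase service-role key bypasses RLS by design, so where that key lives and which server-side code uses it matters as much as the policies; and the FORCE clause only helps if the application does not connect as a superuser, which RLS never restricts.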

Two things are shared across the network: the Journey library content (the published protocols + steps + resources) and aggregate, anonymized usage metrics (counts of Journeys opened, referrals generated). No peer-identifying data is ever included in shared metrics.

Cross-org sharing only happens through explicit Partner agreements that both orgs accept, or with explicit peer consent on a specific case.

Our HIPAA stance

WERQ Hub is not a HIPAA-covered entity and we don’t sign Business Associate Agreements (BAAs) at this time. We treat the data as if we were — encryption at rest and in transit, principle of least privilege for staff access, access-logged admin actions — but we’re honest that we’re not a HIPAA shop today.

For most community-org case management work, this is fine. PHI-heavy clinical workflows should use a HIPAA-covered EHR for the clinical record, with WERQ Hub as the case-coordination layer.

Staff access and audit

A small number of WERQ Together staff (WERQ staff + the engineering team) have admin access to the production database for operational support and platform maintenance. Every admin action that touches user/org/case data is logged in an append-only audit log we can produce on request.
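One way an "append-only" audit log can be built in Postgres, added here as an example and not a description of WERQ Hub's real audit implementation: changes to a data table are copied into an audit table by a trigger, and a second trigger refuses UPDATE, DELETE and TRUNCATE on the log. The `audit_log` and `cases` tables, the `app_admin` role and the sample UUID are assumptions; `auth.uid()` is Supabase's.

```sql
-- Added example (not WERQ Hub's audit schema). Assumed data table:
create table cases (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  notes  text
);

create table audit_log (
  id         bigint generated always as identity primary key,
  at         timestamptz not null default now(),
  db_role    text not null default current_user,  -- Postgres role in use
  actor_uid  uuid,                -- Supabase Auth user id, null for staff DB sessions
  table_name text not null,
  op         text not null,
  row_id     uuid,
  old_row    jsonb,
  new_row    jsonb
);

-- Assumed admin role for staff support access: may read the log, never rewrite it.
create role app_admin nologin;
grant select, insert, update, delete on cases to app_admin;
grant select on audit_log to app_admin;
revoke insert, update, delete, truncate on audit_log from app_admin;

-- Writer: security definer so the log insert succeeds even for roles that
-- cannot insert into audit_log directly. OLD/NEW are null for INSERT/DELETE
-- respectively, so pick the id by operation rather than touching both.
create or replace function audit_row_change() returns trigger
language plpgsql security definer set search_path = public as $$
begin
  insert into audit_log (actor_uid, table_name, op, row_id, old_row, new_row)
  values (
    auth.uid(), tg_table_name, tg_op,
    case tg_op when 'DELETE' then old.id else new.id end,
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return null;   -- AFTER trigger: return value is ignored
end $$;

create trigger cases_audit
  after insert or update or delete on cases
  for each row execute function audit_row_change();

-- Guard: block rewriting history at the database level, independent of grants.
create or replace function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only: % not permitted', tg_op;
end $$;

create trigger audit_log_no_rewrite
  before update or delete or truncate on audit_log
  for each statement execute function audit_log_immutable();

-- Reviewer check (constructed id). As the admin role, a data change is
-- recorded and any attempt to scrub the record fails.
insert into cases (id, org_id, notes)
  values ('cccccccc-0000-0000-0000-000000000003', gen_random_uuid(), 'initial');

begin;
set local role app_admin;
update cases set notes = 'edited by support' where id = 'cccccccc-0000-0000-0000-000000000003';
select op, db_role, old_row ->> 'notes' as before, new_row ->> 'notes' as after
  from audit_log order by id desc limit 1;   -- UPDATE | app_admin | initial | edited by support
delete from audit_log;                        -- ERROR: audit_log is append-only: DELETE not permitted
rollback;
```

The caveat a practitioner should raise: a role that owns the table or holds superuser can still drop the guard trigger, so "append-only" inside one database is only as strong as the separation between routine admin access and owner access. Shipping the log to a second system, or at minimum keeping it in the provider's backups described in the next section, is what makes it tamper-evident rather than merely tamper-resistant.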

We don’t access peer data unless you ask us to (e.g., for a support ticket).

Backups and data export

Daily database backups are kept by our infrastructure provider for at least 7 days. Point-in-time recovery is available within the same window for disaster scenarios.

Your data is yours. You can request a full export of your organization’s cases, peer data, and referral logs at any time by emailing doug@werqhub.org. We aim to deliver within 5 business days.

Incident response

If we identify a security incident affecting your organization’s data, we’ll notify you by email within 72 hours of confirming the incident, with what we know and what we’re doing about it. Follow-up communications continue until the incident is resolved.

We’ve had no security incidents to disclose.

What we’re not (yet)

To be straight with you: we’re a small nonprofit, not a large SaaS company. We don’t have SOC 2 Type II, we’re not ISO 27001 certified, we don’t have a dedicated security team, and we don’t maintain a public security disclosure program at this stage.

What we do have: engineers who care about not screwing this up, a small attack surface, sensible defaults from the platforms we build on, and a willingness to talk through specific concerns your organization has.

Vendor security questionnaire

If your organization requires a completed vendor security questionnaire, send it to doug@werqhub.org and we’ll fill it out within 5 business days. Most reviewers tell us this page covers 80% of what they ask, so we appreciate you starting here.

Also see: Privacy policy · Terms of service. Last reviewed: April 2026.