Security & Compliance
HMI Library serves engineers who work on operational technology. We respect the trust that takes. Below is exactly where your data lives, who sees it and how to talk to us if something feels off.
What we store about you
- Account data: email, name, optional company / VAT ID. Stored in PostgreSQL on Supabase EU (Frankfurt).
- Payment data: handled entirely by Stripe. We never receive your card details, expiry, CVV — Stripe gives us a customer ID and a subscription status. Stripe is PCI-DSS Level 1 certified.
- Download log: which symbol you exported, in which format, timestamp. Used for usage stats in your dashboard. Anonymized after 90 days.
- Email opt-in (optional): if you grab the cheat sheet lead magnet. Marketing emails only sent if you tick the consent box.
What we do NOT store
- ❌ Any SCADA / PLC / HMI runtime data. The catalog is design-time only — your tags, screens and PLC configs never leave your network.
- ❌ Your customer data, project files, or anything proprietary to your end customer.
- ❌ Plaintext passwords. Authentication via Supabase Auth — bcrypt-hashed passwords, OAuth via Google.
- ❌ Card details or financial data. All payment flows redirect to Stripe Checkout / Stripe Customer Portal.
Where data lives
GDPR & your rights
HMI Library S.L. is the Data Controller. You have the right to:
- Access: request a copy of all data we hold about you.
- Rectify: change anything inaccurate (most fields self-service from your dashboard).
- Erase: delete your account and all associated data. Email hello@hmilibrary.com; full deletion within 30 days.
- Port: receive your data in a machine-readable format.
- Object: opt out of marketing or processing not strictly necessary for the service.
See the Privacy Policy for the formal version with subprocessor list.
Authentication & access control
- Email + password (bcrypt) or Google OAuth.
- Session tokens via Supabase Auth — a short-lived JWT access token plus a refresh token.
- Rate limiting on signup and signin endpoints.
- Generic error messages to prevent email enumeration ("Invalid credentials" — same response for unknown email vs. wrong password).
- Minimum password length 10 characters at signup.
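The two sign-in controls above (one generic "Invalid credentials" message for unknown email and wrong password, plus the 10-character minimum at signup) as an added example; this is not HMI Library's or Supabase Auth's code, and it assumes a constructed in-memory user table and uses standard-library PBKDF2 as a stand-in for bcrypt so it runs offline.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Stand-in for bcrypt (assumption): PBKDF2-HMAC-SHA256 from the standard
# library, so the example runs without third-party packages.
PBKDF2_ROUNDS = 100_000
MIN_PASSWORD_LENGTH = 10  # the signup rule stated on this page


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Dummy credential used when the email is unknown, so sign-in performs the same
# hash computation either way and does not answer faster for missing accounts.
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_hex(16))

# Constructed sample user table: email -> (salt, digest).
USERS = {"alice@example.com": hash_password("correct horse battery")}


def signup(email: str, password: str) -> Tuple[bool, str]:
    """Reject short passwords before doing the (expensive) hashing."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False, f"Password must be at least {MIN_PASSWORD_LENGTH} characters"
    USERS[email] = hash_password(password)
    return True, "Account created"


def signin(email: str, password: str) -> Tuple[bool, str]:
    """Same message, and the same amount of work, whether or not the email exists."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    _, candidate = hash_password(password, salt)
    # Constant-time comparison; the membership check guards the dummy record.
    if not (hmac.compare_digest(candidate, stored) and email in USERS):
        return False, "Invalid credentials"
    return True, "ok"
```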
Subprocessors
We use a deliberately small set of well-vetted vendors:
- Supabase Inc. (US, EU subsidiaries) — database, auth, edge functions. Data residency: EU.
- Stripe Payments Europe Ltd. (Ireland) — payment processing.
- Cloudflare Inc. — CDN and DNS (no user data persisted).
- Google Workspace — operational email (hello@hmilibrary.com).
We do not use third-party analytics on the marketing site (no Google Analytics, no tracking pixels).
Reporting a vulnerability
Found something? Email security@hmilibrary.com with details. We respond within 72 hours and credit reporters in our changelog (with permission). No bounty program currently — we're a small operation — but we're respectful and grateful.
What's NOT certified yet
Honest disclosure:
- We're not SOC 2 Type II — too early-stage to justify the audit cost. Roadmap item for 2026 if Enterprise demand pulls it.
- We're not ISO 27001 — same.
- We don't currently offer SSO / SAML — Studio plan supports Google OAuth; SAML is on the Enterprise roadmap.
If your procurement requires any of these and we're a strong fit otherwise, email us — we're happy to commit to a timeline.
Changelog
April 2026: Page published. Document version 1.0.