HECVAT Response — Habeo
Vendor: Habeo LLC (usehabeo.com)
Contact: security@usehabeo.com
Date: 2026-05-24
Habeo publishes two HECVAT artifacts so security reviewers can pick the format that fits their workflow:
- HECVAT 4.1.5 — Full response (XLSX): Download HECVAT-Habeo.xlsx. The complete 331-question EDUCAUSE workbook covering Organization, Product, Infrastructure, IT Accessibility, AI, Privacy, and Case-Specific sections. This is the canonical document for institutional security review.
- HECVAT Lite — Narrative summary (below): a 30-question prose version of the most-asked questions, kept here for reviewers who prefer a quick scan before downloading the workbook.
The HECVAT framework is owned by EDUCAUSE and Internet2 (HEISC) and licensed CC BY-NC-SA. Questions about Habeo's response: security@usehabeo.com.
HECVAT Lite — Narrative summary
Version: Lite (covers 30 of the 331 HECVAT 4.1.5 questions) Last updated: 2026-05-15
1. Company & Product Overview
Company name. Habeo.
Product name. Habeo IT Asset Management Platform.
Product description. A multi-tenant SaaS platform for higher-ed IT asset lifecycle management — purchase, deployment, assignment, warranty, depreciation, MDM ingestion, and retirement.
Hosting environment. Vercel (serverless functions, edge + node runtime). Database hosted on Neon (managed Postgres). All US-region.
Deployment model. SaaS — single multi-tenant deployment shared across customers, with strict per-organization isolation enforced at the database layer (row-level security).
2. Documentation
SOC 2 Type 1 / Type 2. SOC 2 Type 1 readiness assessment in progress (Phase 10). Type 1 audit scheduled for Q1 2027. Type 2 follows in Q3 2027.
SOC 2 bridge letter. Available on request once Type 1 ships.
ISO 27001. Not pursued in V1; targeted post-first-customer revenue.
3. Architecture, Hosting, & Multitenancy
Multi-tenant architecture. Single database, per-tenant row partitioning via an organization_id column on every business-data table. Postgres row-level security (RLS) policies enforce isolation at the database engine layer — a misbehaving application query that omitted the tenant filter would still return zero rows from other tenants.
Tenant isolation testing. CI runs a cross-tenant probe on every commit. The probe creates two orgs, seeds rows in each, and asserts that a query inside one org's tenant context returns zero rows from the other. The probe covers every tenant-scoped table (~20 tables as of Phase 10). The build fails if any assertion fails.
Database role separation. Two Postgres roles: habeo_owner (migrations only, full DDL) and habeo_app (runtime). On the audit-log and assignment-history tables, UPDATE and DELETE are revoked from the app role; only INSERT is granted. Immutability is therefore enforced by the database engine, not by application code.
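The isolation mechanism described in this section, as an added illustration rather than Habeo's own migrations: one tenant-scoped table carrying the organization_id column, a row-level security policy that the engine applies to the runtime role regardless of what the application query says, the owner/app role split, and a probe of the shape the CI check is described as having. The table name assets, the session setting app.current_org used to publish the current tenant to Postgres, and the org UUIDs are assumptions, not values from the page.

```sql
-- Added example, not Habeo's migrations. Assumed: table name `assets`, and that
-- the application sets the session setting `app.current_org` before querying.

-- Roles as named in the document; passwords are placeholders.
CREATE ROLE habeo_owner LOGIN PASSWORD 'PLACEHOLDER_OWNER_PASSWORD';
CREATE ROLE habeo_app   LOGIN PASSWORD 'PLACEHOLDER_APP_PASSWORD';

-- Schema objects belong to the migration role. Table owners and superusers
-- bypass RLS by default, which is why the runtime must never connect as
-- habeo_owner.
CREATE TABLE assets (
  id              bigserial PRIMARY KEY,
  organization_id uuid NOT NULL,
  name            text NOT NULL
);
ALTER TABLE assets OWNER TO habeo_owner;
ALTER TABLE assets ENABLE ROW LEVEL SECURITY;

-- Fail closed: if app.current_org is unset (NULL) or cleared ('') the predicate
-- is NULL and no rows match. NULLIF matters because '' would fail the uuid cast.
CREATE POLICY tenant_isolation ON assets
  FOR ALL TO habeo_app
  USING      (organization_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
  WITH CHECK (organization_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Runtime role gets DML on business data, no DDL.
GRANT SELECT, INSERT, UPDATE, DELETE ON assets TO habeo_app;
GRANT USAGE ON SEQUENCE assets_id_seq TO habeo_app;

-- Cross-tenant probe, the assumed shape of the CI check: seed one row per org,
-- then assert from inside org A's context that org B's row is invisible.
-- (The rest runs as habeo_app; SET ROLE works from a superuser session.)
SET ROLE habeo_app;

SET app.current_org = '11111111-1111-1111-1111-111111111111';  -- constructed org A
INSERT INTO assets (organization_id, name)
VALUES ('11111111-1111-1111-1111-111111111111', 'laptop-a');

SET app.current_org = '22222222-2222-2222-2222-222222222222';  -- constructed org B
INSERT INTO assets (organization_id, name)
VALUES ('22222222-2222-2222-2222-222222222222', 'laptop-b');

-- A query that forgot its tenant filter still sees only org B's row.
SELECT organization_id, name FROM assets;

-- Writing a row tagged with org A from inside org B's context is rejected by
-- WITH CHECK ("new row violates row-level security policy"); commented out so
-- the script runs through.
-- INSERT INTO assets (organization_id, name)
-- VALUES ('11111111-1111-1111-1111-111111111111', 'smuggled');

-- The assertion that fails the build on any leak.
DO $$
BEGIN
  PERFORM set_config('app.current_org', '11111111-1111-1111-1111-111111111111', false);
  IF EXISTS (SELECT 1 FROM assets
             WHERE organization_id <> '11111111-1111-1111-1111-111111111111') THEN
    RAISE EXCEPTION 'tenant isolation failure: org A can read another org''s rows';
  END IF;
END $$;

RESET ROLE;
```

The policy is attached only to habeo_app; a reviewer checking this kind of setup would confirm that no runtime code path connects with an RLS-bypassing role, and that the tenant setting is established per request (for example with a transaction-local set_config) rather than inherited from a pooled connection's previous use.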
4. Data Encryption
At rest. AES-256 via Neon's managed encryption (and Vercel Blob's AES-256-GCM for any attachments). Customers can also bring their own KMS key via Neon's CMEK feature (Enterprise tier).
In transit. TLS 1.3 only. HSTS is enabled via a Strict-Transport-Security response header with a 2-year max-age, so browsers are forced onto HTTPS.
Key management. Per-app secrets stored in Vercel's encrypted environment-variable system. Per-org MDM credentials in Phase 9 use env vars; Phase 13 will introduce envelope-encryption against a customer-rotatable KMS key.
5. Authentication & Identity
SSO. SAML 2.0 via Clerk's Enterprise Auth (Shibboleth, InCommon, Okta, Azure AD, Google Workspace, generic SAML). SCIM 2.0 directory sync. JIT user provisioning.
MFA. Required by default for all admin roles. Optional for viewer role (configurable per org).
Password policy. Delegated to Clerk's enforcement (minimum 8 chars, complexity, breached-password screening via HIBP). Customers using SAML SSO inherit their IdP's policy.
Session management. JWT-based sessions, 1-hour rolling expiry, refresh via Clerk's secure HTTP-only cookies. Logout invalidates the session server-side.
6. Authorization & Roles
Role model. Three roles per organization: Viewer (read-only, no financial fields), Admin (full asset operations), Config Admin (org settings, integrations, billing).
Authorization enforcement. Every server action calls requireAuth() or requireRole(roles) before any data access. The stripAssetForRole helper nulls financial fields server-side for Viewer responses — the client never receives them, so it cannot accidentally render them.
Per-college / per-department delegated admin. Roadmapped for Phase 13. The schema supports it today (every record carries assignedDepartmentId); the RBAC scoping is the remaining work.
7. Audit Logging
Audit trail. Every mutation writes an audit_logs row inside the same transaction as the mutation itself — atomic. Schema: (organizationId, userId, action, entityType, entityId, before, after, createdAt).
Immutability. The audit_logs table has UPDATE and DELETE revoked from habeo_app. The runtime app role cannot tamper with history even if an attacker gained app-level access; only the migration role (habeo_owner, used by a single ops process) could modify it.
Retention. 7 years by default. Extended retention available per contract.
Export. Audit logs are exportable as CSV by Config Admin via the SOC 2 evidence package.
8. Domain Event Bus
Event sourcing for state changes. Every mutation also writes to an events_outbox table within the same transaction. An Inngest cron drains the outbox and emits events to downstream consumers (webhooks, AI agents, workflow rules). The outbox pattern ensures domain events are never lost even when the consumer is temporarily unavailable.
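The "same transaction" rule from sections 7 and 8, together with the append-only grant from section 3, as one added illustration (not Habeo's code): a single mutation whose audit_logs row and events_outbox row commit or roll back with it, the grant that leaves the runtime role unable to rewrite history, and a drain query of the kind the Inngest cron would run. The audit_logs columns are the ones listed above (quoted because the page gives them in camelCase); the assets table, the events_outbox columns, the acting user id and the drain query are assumptions. The habeo_owner and habeo_app roles are assumed to exist already, and RLS is left out to keep the focus on atomicity.

```sql
-- Added example, not Habeo's code. Assumes roles habeo_owner and habeo_app
-- already exist; `assets`, the events_outbox columns and the user id are assumed.

CREATE TABLE assets (
  id              bigserial PRIMARY KEY,
  organization_id uuid NOT NULL,
  name            text NOT NULL,
  status          text NOT NULL DEFAULT 'in_stock'
);

-- Columns as listed in the document.
CREATE TABLE audit_logs (
  id               bigserial PRIMARY KEY,
  "organizationId" uuid NOT NULL,
  "userId"         uuid NOT NULL,
  action           text NOT NULL,
  "entityType"     text NOT NULL,
  "entityId"       bigint NOT NULL,
  before           jsonb,
  after            jsonb,
  "createdAt"      timestamptz NOT NULL DEFAULT now()
);

-- Assumed outbox shape; the document only names the table.
CREATE TABLE events_outbox (
  id              bigserial PRIMARY KEY,
  organization_id uuid NOT NULL,
  event_type      text NOT NULL,
  payload         jsonb NOT NULL,
  created_at      timestamptz NOT NULL DEFAULT now(),
  processed_at    timestamptz
);

ALTER TABLE assets        OWNER TO habeo_owner;
ALTER TABLE audit_logs    OWNER TO habeo_owner;
ALTER TABLE events_outbox OWNER TO habeo_owner;

-- Runtime role: full DML on business data, append-only on history. The REVOKE
-- is a no-op right after creation but records the intent and undoes any later
-- accidental GRANT.
GRANT SELECT, INSERT, UPDATE, DELETE ON assets TO habeo_app;
GRANT INSERT ON audit_logs TO habeo_app;   -- SELECT for the CSV export would be a separate grant
REVOKE UPDATE, DELETE ON audit_logs FROM habeo_app;
GRANT SELECT, INSERT, UPDATE ON events_outbox TO habeo_app;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO habeo_app;

SET ROLE habeo_app;

-- Constructed sample asset.
INSERT INTO assets (organization_id, name)
VALUES ('11111111-1111-1111-1111-111111111111', 'laptop-a');

-- One mutation, three writes, one commit. Every sub-statement of a WITH sees
-- the same snapshot, so `old` captures the pre-update row for the `before`
-- column. If any write fails, all three roll back together.
BEGIN;
WITH old AS (
  SELECT id, to_jsonb(assets) AS snapshot FROM assets WHERE id = 1
),
upd AS (
  UPDATE assets SET status = 'assigned' WHERE id = 1
  RETURNING id, organization_id, to_jsonb(assets) AS snapshot
),
aud AS (
  INSERT INTO audit_logs
    ("organizationId", "userId", action, "entityType", "entityId", before, after)
  SELECT upd.organization_id,
         '99999999-9999-9999-9999-999999999999'::uuid,   -- constructed acting user
         'asset.assigned', 'asset', upd.id, old.snapshot, upd.snapshot
  FROM upd JOIN old USING (id)
)
INSERT INTO events_outbox (organization_id, event_type, payload)
SELECT organization_id, 'asset.assigned', snapshot FROM upd;
COMMIT;

-- Rewriting history as the runtime role fails with "permission denied for
-- table audit_logs"; commented out so the script runs through.
-- UPDATE audit_logs SET after = '{}'::jsonb WHERE id = 1;

-- Drain step (assumed query for what the document's Inngest cron does).
-- SKIP LOCKED lets several workers drain concurrently without double-claiming;
-- a row is marked processed only after the consumer accepted it, so a consumer
-- outage simply leaves it in the outbox for the next run.
BEGIN;
SELECT id, event_type, payload
  FROM events_outbox
 WHERE processed_at IS NULL
 ORDER BY id
 LIMIT 100
 FOR UPDATE SKIP LOCKED;
-- ... deliver each event to its webhook / agent / workflow consumer ...
UPDATE events_outbox SET processed_at = now()
 WHERE processed_at IS NULL AND id = ANY (ARRAY[1]::bigint[]);  -- ids just delivered
COMMIT;

RESET ROLE;
```

Because the outbox row is written by the same transaction as the mutation, a consumer that is down during the commit loses nothing; the trade-off is at-least-once delivery, so consumers on the receiving end should treat the outbox id as an idempotency key.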
9. Federal Grant Compliance
Uniform Guidance §200.313. Habeo tracks federal grant funds as first-class entities: every purchase order can reference a grant fund, and the asset detail page surfaces the funding source. A cost-by-grant-fund report can be exported for federal compliance reviews.
10. GASB 34/35
Depreciation methods supported. Straight-line, declining balance (configurable rate multiplier), and user-defined custom schedules with linear interpolation. A monthly book-value refresh job recomputes every asset's current_book_value on the first of each month. Historical snapshots are kept in an immutable depreciation_runs table.
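The monthly refresh described above, as an added illustration rather than Habeo's job, for the two built-in methods (custom schedules are omitted). The depreciation_runs name is the document's; its columns, the asset columns (cost, salvage value, in-service date, useful life in months, method, rate multiplier), the sample assets and the run date are assumptions. Declining balance is modelled here as a constant monthly rate of rate_multiplier / useful_life_months applied to the remaining book value, floored at salvage value; that monthly formulation is an assumption, not a statement about Habeo's implementation.

```sql
-- Added example, not Habeo's refresh job. Column set and the monthly
-- declining-balance formula are assumptions.

CREATE TABLE assets (
  id                 bigserial PRIMARY KEY,
  organization_id    uuid NOT NULL,
  name               text NOT NULL,
  cost               numeric(12,2) NOT NULL,
  salvage_value      numeric(12,2) NOT NULL DEFAULT 0,
  in_service_on      date NOT NULL,
  useful_life_months int NOT NULL CHECK (useful_life_months > 0),
  method             text NOT NULL CHECK (method IN ('straight_line', 'declining_balance')),
  rate_multiplier    numeric(4,2) NOT NULL DEFAULT 1.0,   -- 2.0 = double declining
  current_book_value numeric(12,2)
);

-- Append-only history: one snapshot per asset per run.
CREATE TABLE depreciation_runs (
  id             bigserial PRIMARY KEY,
  asset_id       bigint NOT NULL REFERENCES assets(id),
  run_date       date NOT NULL,
  months_elapsed int NOT NULL,
  book_value     numeric(12,2) NOT NULL,
  UNIQUE (asset_id, run_date)
);

-- Constructed sample: two $1,200 laptops, $0 salvage, 36-month life.
INSERT INTO assets (organization_id, name, cost, salvage_value, in_service_on,
                    useful_life_months, method, rate_multiplier)
VALUES ('11111111-1111-1111-1111-111111111111', 'laptop-sl',  1200, 0, '2026-01-01', 36, 'straight_line',     1.0),
       ('11111111-1111-1111-1111-111111111111', 'laptop-ddb', 1200, 0, '2026-01-01', 36, 'declining_balance', 2.0);

-- The refresh as one statement: write the snapshot first, then update the
-- cached current_book_value from that snapshot, so the history row and the
-- cached value can never disagree.
WITH params AS (SELECT DATE '2026-07-01' AS run_date),   -- first of the month
calc AS (
  SELECT a.id, p.run_date,
         (EXTRACT(YEAR  FROM age(p.run_date, a.in_service_on)) * 12
        + EXTRACT(MONTH FROM age(p.run_date, a.in_service_on)))::int AS months_elapsed,
         a.cost, a.salvage_value, a.useful_life_months, a.method, a.rate_multiplier
  FROM assets a CROSS JOIN params p
),
valued AS (
  SELECT id, run_date, months_elapsed,
    GREATEST(salvage_value,
      CASE method
        -- linear write-down, capped once the useful life has elapsed
        WHEN 'straight_line' THEN
          cost - (cost - salvage_value) * LEAST(months_elapsed, useful_life_months) / useful_life_months
        -- constant monthly rate on the remaining balance (assumed formulation)
        WHEN 'declining_balance' THEN
          cost * power(1 - rate_multiplier / useful_life_months, months_elapsed)
      END)::numeric(12,2) AS book_value
  FROM calc
),
snap AS (
  INSERT INTO depreciation_runs (asset_id, run_date, months_elapsed, book_value)
  SELECT id, run_date, months_elapsed, book_value FROM valued
  RETURNING asset_id, book_value
)
UPDATE assets a SET current_book_value = snap.book_value
FROM snap WHERE a.id = snap.asset_id;

SELECT name, method, current_book_value FROM assets ORDER BY id;
```

Six months into a 36-month straight-line schedule the first laptop carries 1200 - 1200 * 6 / 36 = 1000.00. The UNIQUE constraint on (asset_id, run_date) makes a re-run for the same month fail rather than silently append a second snapshot, which is the behaviour an immutable run history should have.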
11. FERPA
Posture. Habeo is not a system of student record. The product handles IT asset data only — devices, departments, owners (staff/faculty). When Habeo data includes a person who happens to also be a student (e.g., a student assistant assigned a laptop), it is treated as employee data, not education record data.
12. Data Residency
Primary region. US (Neon + Vercel both in us-east-1).
EU residency. Available on request via Neon's EU regions; carries a separate deployment.
Data export. Customers can export all their data at any time via the Reports surface (CSV + Excel) or a Phase-17 public API.
13. Backup & Recovery
Database backups. Neon's automatic point-in-time recovery: 30-day retention with 1-second granularity.
Disaster recovery RTO/RPO. RTO 4 hours, RPO 1 hour. Tested quarterly via a fail-over rehearsal in a staging environment.
14. Vulnerability Management
Dependency scanning. Renovate Bot opens PRs for security advisories within 24 hours of CVE publication. Snyk runs on every PR.
Penetration testing. Annual third-party test by a CREST-certified firm. First test scheduled Q3 2026.
Bug bounty. Email-based responsible disclosure program; HackerOne onboarding planned post-Type-2.
15. Incident Response
Notification. Confirmed security incidents that affect customer data are reported via email within 24 hours of confirmation, with a full forensic report within 7 days.
Runbook. Internal IR runbook covers identification, containment, eradication, recovery, and post-mortem. Templates are aligned with NIST SP 800-61r2.
16. Third-Party Subprocessors
Hosting. Vercel, Neon (Postgres), Resend (email).
Auth. Clerk.
Observability. Axiom (logs), PostHog (product analytics, no PII).
No subprocessor has access to customer data beyond what's necessary to deliver their function, per signed DPAs.
17. Compliance Roadmap
| Item | Status |
|---|---|
| SOC 2 Type 1 | Readiness assessment Q2 2026; audit Q1 2027 |
| SOC 2 Type 2 | Q3 2027 |
| ISO 27001 | Post-revenue milestone |
| HIPAA | Not pursued — out of scope for higher-ed IT |
| GDPR | DPA available; data residency + deletion endpoints in place |
| HECVAT Full | 250-question response delivered on request when a second customer asks |
This document is a draft. The Habeo team welcomes specific HECVAT questions during sales conversations and will produce verbatim answers to any of the 250 standard questions on request.
Last updated: 2026-05-15.