Trust & Security

Built for the kind of audit our customers run on themselves.

HEXDI handles export-control assessments, audit logs, and regulator-facing reports — the same scrutiny our customers face from BIS, DDTC, and DOJ is the scrutiny we apply to ourselves. This page is the source of truth for our security posture; it changes when reality changes.

[TBD]

SOC 2 Type II

Audited by to be determined covering to be determined. Report available under NDA.

In progress

FedRAMP Tailored

Pursuing FedRAMP Tailored authorization for the GovCloud deployment. Required for federal customers handling CUI.

Always

Encryption at rest & in transit

At rest: AES-256 with provider-managed keys, and customer-managed keys on Enterprise. In transit: TLS 1.2+ on every endpoint.

[TBD]

Data residency

All customer data hosted in to be determined (to be determined). No cross-region replication off U.S. soil.

Controls

How HEXDI is run, day to day.

The controls below are what an auditor would actually inspect. Where a value is still being finalized, you'll see it called out instead of glossed over.

Access control

SSO with SAML 2.0 (Okta, Azure AD, Google) on Enterprise. MFA enforced on all admin accounts. Role-based access with audit log retained for the life of the workspace.

Backups & recovery

Point-in-time recovery (RPO to be determined) and tested DR plan (RTO to be determined). Backups encrypted with provider-managed keys and replicated within the same region.

Vulnerability mgmt

Annual third-party penetration test. Continuous static and dependency scanning in CI. Critical CVEs patched within 24 hours.

Logging & audit

Every change to assessment data is captured in an append-only audit log keyed to user, IP, and time. Reports are content-addressed and signed.

Personnel

Background checks on all employees with production access. Annual security training. [Confirm whether all engineers must be U.S. persons for ITAR-touching customers.]

Sub-processors

Who else touches your data.

The full list of third parties with access to any portion of customer data. We notify customers in writing 30 days before adding a new sub-processor.

| Vendor | Purpose | Region |
| --- | --- | --- |
| to be determined | Application hosting, database, object storage | United States |
| to be determined | Transactional email — verification, alerts | United States |
| to be determined | Error monitoring (Sentry / similar) — scrubbed of customer data | United States |
| to be determined | Subscription billing — Stripe or similar | United States |

Data lifecycle

Your data, on your timeline.

Export at any time

Every assessment, snapshot, and audit log is exportable as JSON or PDF from the product itself — no support ticket required.

30-day deletion

On request, we hard-delete customer data within 30 days. Backups roll off within an additional 35 days. We confirm in writing.

No training on your data

We do not use customer assessment content to train models. The content-addressed audit log makes any such use detectable after the fact.

Disclosure

Found something? Tell us.

We treat security reports as the most valuable kind of feedback there is. Email [email protected] with a description and reproduction steps. We'll acknowledge within one business day and keep you posted on the fix.

Read privacy policy | PGP key on request