Security & Technology

Hyphen AI is committed to providing a secure, reliable platform for managing your application deployments, secrets, and infrastructure. This document outlines our security policies and practices.

Security Policy, Risk, and Governance

Hyphen AI conducts regular risk assessments covering:

Information security risks
Operational and infrastructure risks
Compliance and regulatory risks
Third-party and vendor risks

Identified risks are classified by severity and prioritized for remediation based on likelihood and impact. Risk register is maintained and reviewed on a regular cadence.

Regular compliance validation activities include:

Backup restoration testing
Access reviews across all systems
Vendor management review
Risk assessment and monitoring
Technical compliance validation
Policy and documentation review
Recovery objective validation

Access Management

Authentication & Authorization

Access to Hyphen AI systems and customer data is controlled through:

Role-based access control with defined permissions
Multi-factor authentication (MFA) enforced for all accounts
Single sign-on (SSO) integration capabilities
API key authentication with audit trails

Access Control Principles

Internal access follows:

Least Privilege: Users granted minimum access needed for their role
Need-to-Know: Access based on job function and business need
Regular Review: Periodic verification that access remains appropriate

Administrative access:

Limited to essential personnel
Subject to additional controls and monitoring
All administrative actions logged and auditable

Access Review Process

Regular reviews of user accounts, administrative access, and infrastructure permissions
Dormant account detection and remediation
Timely access removal upon identification of unnecessary permissions
Access revocation procedures for departing team members

Audit Logging

All access to systems and customer data is logged, including:

Authentication events and access attempts
Administrative actions and configuration changes
Data access and modifications
Access logs are retained and available for audit purposes

Business Continuity & Disaster Recovery

Operations

Fully remote operations with no dependency on physical office locations
Distributed team structure for operational resilience
Communication and collaboration infrastructure with high availability

Backup & Recovery

Automated database backups with defined retention policies
Configuration and infrastructure definitions version controlled
Multi-zone data replication for redundancy
Defined Recovery Time Objectives (RTO) for critical services
Defined Recovery Point Objectives (RPO) to limit data loss
Regular backup restoration testing to validate recovery procedures

Service Dependencies

Hyphen AI infrastructure relies on enterprise-grade cloud platforms with:

Multi-zone and multi-region deployment capabilities
High availability service level agreements
Built-in redundancy and automatic failover
Established disaster recovery capabilities

Note: These recovery objectives apply to Hyphen AI systems. Customer-specific data recovery scenarios are addressed through product capabilities documented separately.

Communications Security

Network Security

All communications encrypted in transit using industry-standard protocols
API endpoints secured with SSL/TLS
Network segmentation and access controls
Multi-zone deployments for availability and resilience

Monitoring

Continuous monitoring of systems and infrastructure
Security event logging and analysis
Automated alerting for anomalous activity
Centralized log aggregation and retention

Cryptography & Encryption

Encryption Architecture

Hyphen AI employs a zero-knowledge encryption architecture for secrets management:

Customer secrets encrypted locally using either Hyphen AI-managed or customer-managed encryption keys
Encryption and decryption operations performed client-side
Sensitive data never accessible to Hyphen AI in plaintext

Data Protection

Data encrypted at rest using industry-standard encryption
Data encrypted in transit using SSL/TLS
Encryption key rotation capabilities available
Cryptographic operations follow industry best practices

Customer Data Isolation

Customer data logically isolated and access-controlled
Cloud provider integrations follow principle of least privilege
Temporary credentials and role assumption where applicable
Permissions scoped to minimum required for functionality

Operations

Infrastructure

Hyphen AI infrastructure is deployed across multiple cloud providers:

Multi-zone deployments for high availability
Regional redundancy for critical services
Automated deployment and configuration management
Infrastructure as code for consistency and auditability

Change Management

All changes to production systems follow a defined process:

Peer review required before deployment
Automated testing and validation
Staged rollout procedures
Documented rollback capabilities
Emergency change procedures with appropriate approval and documentation

Version Control

All code and configuration changes version controlled
Full audit trail of changes with attribution
Rollback capabilities for recovery
Protection against unauthorized modifications

Privacy

Hyphen AI's architecture is designed to protect customer privacy:

Customer data encrypted end-to-end with either Hyphen AI-managaed or customer-managed keys
Customers maintain complete control over their sensitive data
Data collection limited to what is necessary to provide services
Compliance with applicable data protection regulations

Security Incident Management

Incident Classification

Security incidents are classified by severity with corresponding response procedures:

Critical incidents: Active breach, data exposure, complete service outage
Major incidents: Suspected compromise, significant service degradation
Minor incidents: Security vulnerability, limited impact

Response Process

Hyphen AI follows a structured incident response process:

Detection & Reporting - Incident declaration and team mobilization
Assessment - Severity determination and scope identification
Containment - Immediate actions to limit impact
Investigation - Root cause analysis and impact assessment
Resolution - Remediation and service restoration
Post-Incident Review - Lessons learned and preventive measures

Customer Communication

Customers are notified promptly for:

Data breaches or potential exposure of customer data
Extended service outages affecting availability
Security incidents that may impact customer operations

Breach notifications follow applicable regulatory requirements including GDPR, CCPA, and other relevant data protection laws.

Supplier Management

Third-party vendors that process, store, or transmit data are evaluated for:

Security posture and certifications (SOC 2, ISO 27001, or equivalent)
Data handling and privacy practices
Access controls and audit capabilities
Availability commitments and historical reliability
Compliance with data protection regulations (GDPR, CCPA)

Critical vendors are reviewed regularly to ensure:

Security certifications remain current
Service quality meets commitments
No material changes to data handling or security practices
Continued alignment with Hyphen AI security standards

System Acquisition, Development, and Maintenance

Secure Development Practices

Security considerations integrated throughout development lifecycle
Code review requirements for all changes
Automated security testing in deployment pipelines
Dependency scanning and vulnerability management
Secure coding standards and developer training

Change Control

Production changes are managed through:

Documented change control processes
Peer review and approval requirements
Automated testing and validation
Rollback procedures for failed changes
Exception processes for emergency security fixes with appropriate oversight

Questions & Support

For questions about our security practices or to report a security concern email [email protected].

Last updated: 2025-10-30