Security
Last updated: February 7, 2026
Security is foundational to hatiOS. As an AI agent governance platform handling sensitive reasoning traces and enforcing critical policies, we build security into every layer of the stack.
1. Encryption
In Transit
TLS 1.3
All data transmitted between clients, the hatiOS proxy, and backend services is encrypted using TLS 1.3. This includes agent-to-proxy, proxy-to-LLM, and dashboard-to-API connections.
At Rest
AES-256
All stored data — including reasoning traces, policy configurations, and customer metadata — is encrypted at rest using AES-256 with Google Cloud Platform managed encryption keys.
2. Authentication & Access Control
- API keys — Hashed with bcrypt before storage. Keys follow the format hk_live_* (agent-scoped) and hk_admin_* (org-wide).
- Dashboard authentication — JWT with automatic rotation
- Role-based access control (RBAC) — Admin, Operator, and Viewer roles with granular permissions
- Enterprise SSO — SAML 2.0 and OIDC via WorkOS (Okta, Azure AD, PingIdentity)
- Multi-tenant isolation — All resources scoped by organization ID; no cross-tenant data access
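The following is an added example, not hatiOS code, showing the storage pattern the two key formats above imply: the plaintext key is returned once at issue time, only a salted slow hash is kept, the prefix decides the scope, and every authorization check is fenced by organization ID before scope is considered. The page names bcrypt; this example substitutes scrypt from the Python standard library so it runs without extra packages, and the key_id lookup handle, the StoredKey and KeyStore names and the can_access() helper are assumptions of the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example. The prefix -> scope mapping follows the key formats named on the
# page; key_id, StoredKey, KeyStore and can_access() are assumptions, not hatiOS identifiers.
SCOPES = {"hk_live_": "agent", "hk_admin_": "org"}


@dataclass(frozen=True)
class StoredKey:
    key_id: str               # short public handle used only to find the record
    scope: str                # "agent" or "org"
    org_id: str
    agent_id: Optional[str]   # set for agent-scoped keys, None for org-wide keys
    salt: bytes
    digest: bytes             # slow hash of the full key; the key itself is never stored


def _hash_key(plaintext: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt: scrypt from the standard library (assumption of this example).
    return hashlib.scrypt(plaintext.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


class KeyStore:
    def __init__(self) -> None:
        self._by_id: Dict[str, StoredKey] = {}

    def issue(self, prefix: str, org_id: str, agent_id: Optional[str] = None) -> str:
        """Create a key and return its plaintext exactly once; only salt + digest are kept."""
        if prefix not in SCOPES:
            raise ValueError("unknown key prefix")
        if (SCOPES[prefix] == "agent") != (agent_id is not None):
            raise ValueError("agent-scoped keys need an agent_id; org-wide keys must not have one")
        key_id = secrets.token_hex(4)  # 8 hex chars, a lookup handle rather than a secret
        plaintext = f"{prefix}{key_id}_{secrets.token_urlsafe(32)}"
        salt = os.urandom(16)
        self._by_id[key_id] = StoredKey(
            key_id, SCOPES[prefix], org_id, agent_id, salt, _hash_key(plaintext, salt)
        )
        return plaintext

    def authenticate(self, presented: str) -> Optional[StoredKey]:
        """Return the record for a valid key, else None; callers get no hint which part failed."""
        prefix = next((p for p in SCOPES if presented.startswith(p)), None)
        if prefix is None:
            return None
        key_id, sep, _secret = presented[len(prefix):].partition("_")
        rec = self._by_id.get(key_id)
        if rec is None or not sep:
            return None
        # Constant-time comparison of the recomputed digest against the stored one.
        if not hmac.compare_digest(_hash_key(presented, rec.salt), rec.digest):
            return None
        return rec


def can_access(rec: StoredKey, org_id: str, agent_id: str) -> bool:
    """Tenant isolation first: a key never reaches another org. Then scope:
    agent-scoped keys only see their own agent, org-wide keys see any agent in the org."""
    if rec.org_id != org_id:
        return False
    return rec.scope == "org" or rec.agent_id == agent_id


if __name__ == "__main__":
    store = KeyStore()
    live_key = store.issue("hk_live_", "org-1", agent_id="agent-7")
    admin_key = store.issue("hk_admin_", "org-1")
    print("live key authenticates:", store.authenticate(live_key) is not None)
    print("admin key reaches other agent:", can_access(store.authenticate(admin_key), "org-1", "agent-99"))
    print("live key reaches other agent:", can_access(store.authenticate(live_key), "org-1", "agent-99"))
```

The org check runs before the scope check on purpose: an org-wide key is still confined to its own organization, which is the property the multi-tenant isolation bullet describes.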
3. Infrastructure
- Google Cloud Platform — Primary infrastructure provider
- VPC networking — Services deployed within isolated Virtual Private Cloud
- Cloud Run — Container-based deployments with automatic scaling
- Cloud SQL — Managed PostgreSQL with automated backups and failover
- Network policies — Strict ingress/egress rules; internal services are not publicly accessible
4. Audit Trail Integrity
The Agent Flight Recorder produces cryptographically verifiable audit trails:
- SHA-256 content hashing — Every reasoning trace entry is hashed, creating a tamper-evident chain
- Immutable storage — Trace data is append-only; recorded entries cannot be modified or deleted by users
- TimescaleDB hypertables — Time-series optimized storage supporting 100,000+ events per second
- Compliance exports — Audit-ready packages for SOC2, HIPAA, and AI governance frameworks
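To make the first two bullets concrete, here is an added example (not hatiOS code) of a SHA-256 hash chain over trace entries: each entry's hash covers its own content plus the previous entry's hash, the recorder only exposes an append operation, and a verifier walks the chain from a fixed genesis value. The TraceEntry, FlightRecorder and GENESIS_HASH names and the sample trace payloads are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Dict, Optional, Sequence

# Constructed example: a minimal SHA-256 hash chain over reasoning-trace entries.
# TraceEntry, FlightRecorder and GENESIS_HASH are assumptions, not hatiOS identifiers.
GENESIS_HASH = "0" * 64  # previous-link value used by the very first entry


@dataclass(frozen=True)
class TraceEntry:
    seq: int
    agent_id: str
    payload: Dict[str, Any]
    prev_hash: str
    entry_hash: str


def compute_entry_hash(seq: int, agent_id: str, payload: Dict[str, Any], prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical content always hashes identically.
    material = json.dumps(
        {"seq": seq, "agent_id": agent_id, "payload": payload, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


class FlightRecorder:
    """Append-only in-memory store: the public API can add entries but not edit or remove them."""

    def __init__(self) -> None:
        self._entries: list = []

    def append(self, agent_id: str, payload: Dict[str, Any]) -> TraceEntry:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        seq = len(self._entries)
        entry = TraceEntry(seq, agent_id, payload, prev, compute_entry_hash(seq, agent_id, payload, prev))
        self._entries.append(entry)
        return entry

    def entries(self) -> Sequence[TraceEntry]:
        return tuple(self._entries)


def verify_chain(entries: Sequence[TraceEntry]) -> Optional[int]:
    """Return None if every link is intact, otherwise the index of the first entry that fails."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev:
            return i  # gap, reordering or deletion inside the chain
        if compute_entry_hash(e.seq, e.agent_id, e.payload, e.prev_hash) != e.entry_hash:
            return i  # content changed without its hash
        prev = e.entry_hash
    return None


def build_sample_trace() -> Sequence[TraceEntry]:
    # Constructed sample entries for one agent.
    rec = FlightRecorder()
    rec.append("agent-42", {"step": "plan", "thought": "consult policy before tool use"})
    rec.append("agent-42", {"step": "tool_call", "tool": "db.query", "args": {"table": "orders"}})
    rec.append("agent-42", {"step": "result", "rows": 3})
    return rec.entries()


def tamper_payload(entries: Sequence[TraceEntry]) -> Optional[int]:
    """Simulate an out-of-band edit (e.g. a direct database write) that rewrites entry 1's payload."""
    t = entries[1]
    forged = TraceEntry(t.seq, t.agent_id, {"step": "tool_call", "tool": "none"}, t.prev_hash, t.entry_hash)
    return verify_chain(tuple(entries[:1]) + (forged,) + tuple(entries[2:]))


def tamper_payload_and_rehash(entries: Sequence[TraceEntry]) -> Optional[int]:
    """Same edit, but entry 1's hash is also recomputed; entry 2's prev_hash then no longer matches."""
    t = entries[1]
    payload = {"step": "tool_call", "tool": "none"}
    forged = TraceEntry(t.seq, t.agent_id, payload, t.prev_hash,
                        compute_entry_hash(t.seq, t.agent_id, payload, t.prev_hash))
    return verify_chain(tuple(entries[:1]) + (forged,) + tuple(entries[2:]))


def delete_middle(entries: Sequence[TraceEntry]) -> Optional[int]:
    """Dropping entry 1 leaves entry 2 at position 1 with the wrong seq and prev_hash."""
    return verify_chain(tuple(entries[:1]) + tuple(entries[2:]))


if __name__ == "__main__":
    trace = build_sample_trace()
    print("intact:", verify_chain(trace))
    print("payload edit:", tamper_payload(trace))
    print("payload edit + rehash:", tamper_payload_and_rehash(trace))
    print("middle deletion:", delete_middle(trace))
```

The verifier reports the first failing index, which is the entry whose content changed, or the entry right after a rewritten link. One caveat a reviewer would raise: a chain like this detects edits and interior deletions, but truncating entries from the tail is only detectable if the most recent hash is also anchored somewhere the storage layer cannot rewrite.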
5. Compliance
SOC2 Type II
In progress. Covers security, availability, and confidentiality trust service criteria.
HIPAA BAA
Available for Enterprise customers. Business Associate Agreements provided upon request.
PDPA
Compliant with Singapore's Personal Data Protection Act. See our Privacy Policy.
GDPR
Data subject rights supported. Standard Contractual Clauses for international transfers. Data residency options for Enterprise.
6. Responsible Disclosure
Report a Vulnerability
We take security vulnerabilities seriously. If you discover a security issue in the hatiOS platform, please report it responsibly.
Email: security@hatios.com
We ask that you:
- Provide sufficient detail to reproduce the issue
- Allow reasonable time for us to investigate and remediate before public disclosure
- Avoid accessing or modifying data that does not belong to you
We commit to acknowledging receipt within 48 hours and providing an initial assessment within 5 business days.