
Security statement.

Hypedata handles high-volume, sensitive scraping traffic for serious teams. Below is a summary of the technical and organizational measures HypeLabs, LLC applies to protect Customer data, accounts, and infrastructure.

Version: v2.4 · 2026.04
Updated: April 20, 2026
Certifications: SOC 2 Type II · GDPR · CCPA
Disclosure: security@hypelabs.llc
Contents
  01 Overview
  02 Compliance
  03 Infrastructure
  04 Encryption
  05 Access control
  06 Network
  07 Monitoring & IR
  08 Secure development
  09 Personnel
  10 Business continuity
  11 Disclosure program
  12 Contact

01 Overview

Security is a product requirement at Hypedata, not a department. Our architecture, engineering practices, and operational controls are designed around three commitments:

  • Confidentiality — Customer Data is processed only for service delivery, is encrypted in transit and at rest, and is accessible only to authorized personnel on a need-to-know basis.
  • Integrity — requests are routed, rendered, and returned without unauthorized modification; audit trails are immutable.
  • Availability — the Service is designed to withstand single-zone and single-region failures.

This page describes the controls in place as of the “Updated” date above. Our detailed whitepaper and most recent SOC 2 Type II report are available to Customers and prospects under NDA on request at security@hypelabs.llc.

02 Compliance & certifications

Framework | Status | Scope
SOC 2 Type II | Audited annually | Security, availability, confidentiality
ISO 27001 | In progress (Stage 2, Q3 2026) | ISMS, production environment
GDPR / UK GDPR | Compliant | EEA & UK processing
CCPA / CPRA | Compliant | California consumers
PCI-DSS | Via payment processor (Stripe, PCI-DSS Level 1) | Card data never touches our systems
HIPAA | Not in scope | PHI is out of scope — see AUP

03 Infrastructure

Hypedata runs on Amazon Web Services with an active-active topology across multiple regions:

  • Control plane — us-east-1 and eu-west-1.
  • Request plane — egress points in 180+ countries via contracted proxy providers.
  • Customer data residency — EU customers may elect EU-only control-plane processing on Scale plans.

Each environment (development, staging, production) is fully isolated at the AWS account and VPC level. Production has no shared credentials with lower environments and no shared IAM roles.

04 Encryption

  • In transit — TLS 1.3 for all external endpoints; mTLS between internal microservices; HSTS and HTTP/2 on all public traffic.
  • At rest — AES-256-GCM at disk, table, and object-storage layers. Keys managed by AWS KMS with automatic annual rotation.
  • Secrets — stored in a Vault cluster; never checked into source control; accessed via short-lived tokens.
  • Customer-managed keys (CMK) — available on Scale plans for encryption of long-lived Customer artifacts.

05 Access control

  • Employee access — every engineer authenticates via SSO with hardware-key MFA enforced. Production access is role-based, least-privilege, time-bound, and requires peer approval via a break-glass workflow.
  • Quarterly reviews — entitlement reviews are run every quarter; stale access is revoked automatically.
  • Customer access — password + optional TOTP/WebAuthn MFA; SSO (SAML/OIDC) available on Growth and Scale; SCIM provisioning on Scale.
  • API keys — scoped, individually revocable, and auditable. Rotation endpoints are available in the API.

06 Network security

  • Perimeter — AWS Shield Advanced for DDoS mitigation; CloudFront + WAF with managed and custom rule sets in front of the API.
  • Segmentation — micro-VPCs per service tier, with east-west traffic mediated by service mesh and zero-trust policies.
  • No public admin surfaces — admin dashboards are reachable only via the corporate SSO gateway.
  • Egress — proxy egress is rate-limited, monitored, and segregated from control-plane egress.

07 Monitoring & incident response

  • SIEM — 24/7 aggregation, correlation, and alerting on infrastructure, application, and API logs.
  • Anomaly detection — baselines on request volume, egress patterns, and account behaviours; automated throttling on deviation.
  • On-call — security and reliability rotations with documented runbooks and PagerDuty integration.
  • Incident response — formal IR playbooks covering triage, containment, eradication, recovery, and post-mortem. We commit to notifying affected Customers within 72 hours of confirming a personal data breach, consistent with the DPA.
  • Audit logs — immutable, retained 12 months, exportable to Customers on Scale.

08 Secure development

  • Peer review — no code reaches production without at least one human review and automated CI checks.
  • Static analysis (SAST) — integrated into CI; high-severity findings block merges.
  • Dependency scanning — daily scans; automated PRs for patched versions; CVE triage SLAs (P1 < 24h).
  • Secret scanning — pre-commit and CI-level; active key revocation if a leak is detected.
  • Penetration testing — independent external pen-tests at least annually on production-facing systems; internal red-team exercises quarterly.
  • Threat modelling — new features undergo structured threat modelling before launch.

09 Personnel

  • Background checks for all employees with production access.
  • Written confidentiality and acceptable-use agreements.
  • Mandatory annual security and privacy training; monthly phishing simulations.
  • Clean-desk, device-encryption, and screen-lock policies enforced via MDM.
  • Offboarding within 4 hours of separation, with access revocation audited.

10 Business continuity & disaster recovery

Backups: Encrypted, cross-region, daily full + hourly incremental; integrity-checked weekly; restoration drills quarterly.
RPO: 1 hour (Scale plan) · 24 hours (Starter / Growth)
RTO: 4 hours (Scale plan) · 24 hours (Starter / Growth)
Multi-region failover: Automated for the control plane; tested semi-annually.
Dependency resilience: Multiple proxy providers under active-active contracts; traffic re-routes on provider failure within minutes.

11 Responsible disclosure

We welcome reports from security researchers. We will not pursue legal action against researchers who act in good faith and follow these guidelines:

  • Test only accounts you own.
  • Do not exfiltrate data beyond the minimum needed to demonstrate a vulnerability.
  • Do not perform denial-of-service, spam, or social-engineering attacks against our staff.
  • Give us reasonable time to remediate before public disclosure (default: 90 days).

Send reports to security@hypelabs.llc; a PGP key is available at /.well-known/security.txt. A monetary bounty program is operated for qualifying findings via our partner platform.

12 Contact

Security team
HypeLabs, LLC
30 North Gould Street
Sheridan, WY 82801 · United States
security@hypelabs.llc
EIN: 35-2851293