Security & Technology

Hyphen AI is committed to providing a secure, reliable platform for managing your application deployments, secrets, and infrastructure. This document outlines our security policies and practices.

Security Policy, Risk, and Governance

Hyphen AI conducts regular risk assessments covering:

  • Information security risks
  • Operational and infrastructure risks
  • Compliance and regulatory risks
  • Third-party and vendor risks

Identified risks are classified by severity and prioritized for remediation based on likelihood and impact. A risk register is maintained and reviewed on a regular cadence.

Regular compliance validation activities include:

  • Backup restoration testing
  • Access reviews across all systems
  • Vendor management review
  • Risk assessment and monitoring
  • Technical compliance validation
  • Policy and documentation review
  • Recovery objective validation

Access Management

Authentication & Authorization

Access to Hyphen AI systems and customer data is controlled through:

  • Role-based access control with defined permissions
  • Multi-factor authentication (MFA) enforced for all accounts
  • Single sign-on (SSO) integration capabilities
  • API key authentication with audit trails

Access Control Principles

Internal access follows:

  • Least Privilege: Users granted minimum access needed for their role
  • Need-to-Know: Access based on job function and business need
  • Regular Review: Periodic verification that access remains appropriate

Administrative access:

  • Limited to essential personnel
  • Subject to additional controls and monitoring
  • All administrative actions logged and auditable

Access Review Process

  • Regular reviews of user accounts, administrative access, and infrastructure permissions
  • Dormant account detection and remediation
  • Timely access removal upon identification of unnecessary permissions
  • Access revocation procedures for departing team members

Audit Logging

All access to systems and customer data is logged, including:

  • Authentication events and access attempts
  • Administrative actions and configuration changes
  • Data access and modifications
  • Retention of access logs, which remain available for audit purposes

Business Continuity & Disaster Recovery

Operations

  • Fully remote operations with no dependency on physical office locations
  • Distributed team structure for operational resilience
  • Communication and collaboration infrastructure with high availability

Backup & Recovery

  • Automated database backups with defined retention policies
  • Configuration and infrastructure definitions version controlled
  • Multi-zone data replication for redundancy
  • Defined Recovery Time Objectives (RTO) for critical services
  • Defined Recovery Point Objectives (RPO) to limit data loss
  • Regular backup restoration testing to validate recovery procedures

Service Dependencies

Hyphen AI infrastructure relies on enterprise-grade cloud platforms with:

  • Multi-zone and multi-region deployment capabilities
  • High availability service level agreements
  • Built-in redundancy and automatic failover
  • Established disaster recovery capabilities

Note: These recovery objectives apply to Hyphen AI systems. Customer-specific data recovery scenarios are addressed through product capabilities documented separately.

Communications Security

Network Security

  • All communications encrypted in transit using industry-standard protocols
  • API endpoints secured with SSL/TLS
  • Network segmentation and access controls
  • Multi-zone deployments for availability and resilience

Monitoring

  • Continuous monitoring of systems and infrastructure
  • Security event logging and analysis
  • Automated alerting for anomalous activity
  • Centralized log aggregation and retention

Cryptography & Encryption

Encryption Architecture

Hyphen AI employs a zero-knowledge encryption architecture for secrets management:

  • Customer secrets encrypted locally using either Hyphen AI-managed or customer-managed encryption keys
  • Encryption and decryption operations performed client-side
  • Sensitive data never accessible to Hyphen AI in plaintext

Data Protection

  • Data encrypted at rest using industry-standard encryption
  • Data encrypted in transit using SSL/TLS
  • Encryption key rotation capabilities available
  • Cryptographic operations follow industry best practices

Customer Data Isolation

  • Customer data logically isolated and access-controlled
  • Cloud provider integrations follow principle of least privilege
  • Temporary credentials and role assumption where applicable
  • Permissions scoped to minimum required for functionality

Operations

Infrastructure

Hyphen AI infrastructure is deployed across multiple cloud providers:

  • Multi-zone deployments for high availability
  • Regional redundancy for critical services
  • Automated deployment and configuration management
  • Infrastructure as code for consistency and auditability

Change Management

All changes to production systems follow a defined process:

  • Peer review required before deployment
  • Automated testing and validation
  • Staged rollout procedures
  • Documented rollback capabilities
  • Emergency change procedures with appropriate approval and documentation

Version Control

  • All code and configuration changes version controlled
  • Full audit trail of changes with attribution
  • Rollback capabilities for recovery
  • Protection against unauthorized modifications

Privacy

Hyphen AI's architecture is designed to protect customer privacy:

  • Customer data encrypted end-to-end with either Hyphen AI-managed or customer-managed keys
  • Customers maintain complete control over their sensitive data
  • Data collection limited to what is necessary to provide services
  • Compliance with applicable data protection regulations

Security Incident Management

Incident Classification

Security incidents are classified by severity with corresponding response procedures:

  • Critical incidents: Active breach, data exposure, complete service outage
  • Major incidents: Suspected compromise, significant service degradation
  • Minor incidents: Security vulnerability, limited impact

Response Process

Hyphen AI follows a structured incident response process:

  1. Detection & Reporting - Incident declaration and team mobilization
  2. Assessment - Severity determination and scope identification
  3. Containment - Immediate actions to limit impact
  4. Investigation - Root cause analysis and impact assessment
  5. Resolution - Remediation and service restoration
  6. Post-Incident Review - Lessons learned and preventive measures

Customer Communication

Customers are notified promptly for:

  • Data breaches or potential exposure of customer data
  • Extended service outages affecting availability
  • Security incidents that may impact customer operations

Breach notifications follow applicable regulatory requirements including GDPR, CCPA, and other relevant data protection laws.

Supplier Management

Third-party vendors that process, store, or transmit data are evaluated for:

  • Security posture and certifications (SOC 2, ISO 27001, or equivalent)
  • Data handling and privacy practices
  • Access controls and audit capabilities
  • Availability commitments and historical reliability
  • Compliance with data protection regulations (GDPR, CCPA)

Critical vendors are reviewed regularly to ensure:

  • Security certifications remain current
  • Service quality meets commitments
  • No material changes to data handling or security practices
  • Continued alignment with Hyphen AI security standards

System Acquisition, Development, and Maintenance

Secure Development Practices

  • Security considerations integrated throughout development lifecycle
  • Code review requirements for all changes
  • Automated security testing in deployment pipelines
  • Dependency scanning and vulnerability management
  • Secure coding standards and developer training

Change Control

Production changes are managed through:

  • Documented change control processes
  • Peer review and approval requirements
  • Automated testing and validation
  • Rollback procedures for failed changes
  • Exception processes for emergency security fixes with appropriate oversight

Questions & Support

For questions about our security practices, or to report a security concern, email [email protected].

Last updated: 2025-10-30