Trust & Security

Last updated: March 2026

HAIEC is a tool that helps your organisation demonstrate AI governance. This page explains how we handle data, what infrastructure we use, and where our own security posture stands — honestly.

The most important thing to know

HAIEC does not require access to your production data, user data, or sensitive business data to perform analysis. Our static scanner reads source code structure and configuration. Our runtime engine sends pre-defined, safe attack simulations to your test endpoints. Analysis results — findings, scores, and evidence hashes — are what we store. Not your source code, not your users' data.

1. Data Handling

What we store

  • Scan metadata: scan ID, repository URL, branch, status, finding counts, timestamps.
  • Finding records: file path, line range, rule ID, severity, description. No source code content.
  • Evidence hashes: SHA-256 content hashes for tamper detection. Not the underlying content.
  • Assessment responses: your answers to compliance wizard questions, stored per your account.
  • Account data: name, email, organisation name, subscription tier.
  • NYC LL144 candidate identifiers: hashed using SHA-256 before storage. Raw PII is not retained.

What we do not store

  • Source code content. Code is analysed in-memory during a scan and discarded.
  • Your GitHub repository files. The GitHub App collects metadata only (branch protection status, file presence checks).
  • Runtime test target responses beyond pass/fail outcome and extracted finding context.
  • Payment card data. Payments are processed entirely by Stripe (PCI DSS Level 1).

Do we process PII?

For most customers: no. The platform operates on code structure and configuration. For NYC LL144 bias audit customers, candidate identifiers are processed but are hashed before any storage. We do not retain raw candidate PII.

Is analysis transient?

Yes. The scan engine processes your repository in an ephemeral Modal container. The container is torn down after the scan completes. Only the structured finding output is returned and persisted — not the code that was analysed.

Data retention

  • Scan results: retained until you delete them or your account is closed.
  • Assessment data: retained until you delete the assessment.
  • Account data: deleted within 30 days of account closure on request.
  • Audit logs: retained for 7 years per compliance record-keeping norms.

2. Deployment Options

Cloud (current)

Hosted on Vercel + Neon + Modal. US region. No setup required.

Self-hosted (future roadmap)

We are exploring a self-hosted scanner option for organisations that require data to remain within their own perimeter. Not available yet. Contact us if this is a requirement.

3. Infrastructure

We run on SOC 2–compliant infrastructure providers. HAIEC itself has not yet completed a SOC 2 Type II audit. We are working toward this.

Provider | Role                                          | Certification
Vercel   | Application hosting & edge network            | SOC 2 Type II
Neon     | PostgreSQL database (serverless)              | SOC 2 Type II
Modal    | Scan execution compute (ephemeral containers) | SOC 2 Type II
Stripe   | Payment processing                            | PCI DSS Level 1
Resend   | Transactional email                           | SOC 2 Type II
GitHub   | Source integration & App platform             | SOC 2 Type II
Sentry   | Error monitoring                              | SOC 2 Type II
Upstash  | Redis — rate limiting & caching               | SOC 2 Type II

Full list with data processing details: Subprocessor List

4. Access & Security Controls

Encryption

  • In transit: TLS 1.2+ enforced on all connections
  • At rest: AES-256 (Neon database)
  • Evidence integrity: SHA-256 content hashing
  • HTTPS-only; HTTP requests redirected

Access control

  • OAuth 2.0 via GitHub / Google (NextAuth)
  • All DB queries scoped to authenticated user ID
  • API keys: HMAC-signed, rotatable, audit-logged
  • GitHub App: installation-scoped, minimum permissions
  • Tenant isolation enforced at query level

Logging

  • Every scan logged with user ID, repo, branch, timestamps
  • Evidence records include collection timestamp and rule version
  • All API key authentications logged
  • Webhook deliveries logged with delivery ID and outcome
  • Error monitoring via Sentry

Hardening

  • Zod schema validation on all API inputs
  • Parameterised queries via Prisma ORM (no raw SQL)
  • CSRF protection on all form submissions
  • Content Security Policy headers via middleware
  • Rate limiting: Redis-backed, fail-closed
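The "fail-closed" property of the rate limiter above is the part most worth seeing in code: when the counter store is unreachable, a fail-closed limiter refuses the request rather than letting traffic through unlimited. The block below is an added example, not HAIEC's own code; the in-memory store standing in for a Redis INCR/EXPIRE counter, the fixed-window algorithm, the limits and the client keys are all assumptions, and the fail-open variant is included only for contrast.

```javascript
// Added example: fixed-window rate limiter that fails closed on store errors.
// Not HAIEC's own code; MemoryStore is a constructed stand-in for Redis.

// Minimal in-memory counter with the same shape as a Redis INCR + EXPIRE.
class MemoryStore {
  constructor() {
    this.counts = new Map();
    this.down = false; // flip to simulate an outage of the backing store
  }
  increment(key, windowMs, now) {
    if (this.down) throw new Error('store unreachable');
    const entry = this.counts.get(key);
    if (!entry || entry.resetAt <= now) {
      this.counts.set(key, { count: 1, resetAt: now + windowMs });
      return 1;
    }
    entry.count += 1;
    return entry.count;
  }
}

// Returns a check(clientKey, now) function. With failClosed (the default)
// a store error denies the request; with failClosed=false it allows it.
function createLimiter({ store, limit, windowMs, failClosed = true }) {
  return function check(clientKey, now = Date.now()) {
    let count;
    try {
      count = store.increment(`rl:${clientKey}`, windowMs, now);
    } catch (err) {
      // A limiter that cannot count must not silently remove the limit.
      return { allowed: !failClosed, reason: 'store-error', remaining: 0 };
    }
    const allowed = count <= limit;
    return {
      allowed,
      reason: allowed ? 'ok' : 'limit',
      remaining: Math.max(0, limit - count),
    };
  };
}

function demo() {
  const store = new MemoryStore();
  const closed = createLimiter({ store, limit: 3, windowMs: 60_000 });
  const open = createLimiter({ store, limit: 3, windowMs: 60_000, failClosed: false });
  const t0 = 1_000_000; // constructed clock value

  // Four requests in one window against a limit of 3.
  const results = [];
  for (let i = 0; i < 4; i++) results.push(closed('client-a', t0).allowed);
  // results: [true, true, true, false]

  // The window rolls over and the counter resets.
  const afterWindow = closed('client-a', t0 + 60_001).allowed; // true

  // Backing store goes down: fail-closed denies, fail-open allows.
  store.down = true;
  const closedDuringOutage = closed('client-a', t0).allowed; // false
  const openDuringOutage = open('client-a', t0).allowed;     // true

  return { results, afterWindow, closedDuringOutage, openDuringOutage };
}

console.log(demo());
```

The trade-off is availability: a fail-closed limiter turns a store outage into rejected requests, which is the intended behaviour for an abuse control, so the store outage itself has to be alerted on rather than absorbed quietly.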

5. Our Certification Posture (Honest)

SOC 2 Type II: Not yet completed. Our infrastructure providers are SOC 2 Type II certified. We are building toward our own audit. We will not claim SOC 2 certification until an independent auditor issues the report.

ISO 27001: Not certified. Controls are designed with ISO 27001 principles in mind.

GDPR: We maintain data processing records (Article 30), support deletion requests, and our architecture minimises personal data collection. We are not claiming GDPR "certification" (no such certification exists) — we are describing design alignment.

Penetration testing: Not yet completed by a third-party firm. Customers requiring a penetration test report should contact us.

Security questions or enterprise due diligence? security@haiec.com or contact us.