Security & Compliance
Hypersave is built as a substrate for AI agents and operator-built applications. We treat security as a product-design constraint, not a post-launch retrofit. This page documents our current posture, compliance roadmap, and how to engage our security team.
Compliance posture
| Framework | Status |
|---|---|
| SOC 2 Type II | Preparation underway alongside public launch. Report available under NDA on request once completed. |
| GDPR (EU) | Data Processing Agreement available at /dpa. EU Standard Contractual Clauses used for cross-border transfers. |
| UK GDPR | UK International Data Transfer Addendum applied where relevant. |
| Singapore PDPA | Compliant; Hypersave's operating entity is Singapore-registered. |
| EU AI Act (Article 53 GPAI substrate) | We provide technical record-keeping primitives (per-request audit log, trace propagation, exportable usage data) for the operator's Article 12/14 obligations. We do not assume Article 6 high-risk-system obligations on the operator's behalf. |
| HIPAA | Out of scope at launch. We do not currently sign BAAs. Customers must not submit PHI through the Service. |
Technical controls
- Encryption in transit. TLS 1.2+ for all customer-facing endpoints. HSTS enabled. No support for legacy ciphers.
- Encryption at rest. All persistent storage encrypted at rest using provider-managed keys (AES-256 or equivalent).
- Secrets management. Customer-supplied secrets are stored in an isolated vault, mounted into compute environments as environment-variable references, never logged, never returned via API after creation.
- Authentication. Per-account API keys with scoped policies (region, SKU, tier, max spend). Account login supports TOTP and WebAuthn; MFA can be enforced for organisation members by admins.
- Authorisation. Role-based access control for organisation members. Per-key scoping enforced server-side, not just in client code.
- Network. Edge-terminated TLS; rate limits at the edge; service-to-service authentication for internal calls. Customer pods are isolated by tenant boundary.
- Audit logging. All administrative actions (key creation, billing changes, policy changes, kill-switch activation) are logged immutably and surfaced to the customer in the dashboard's audit page.
Operational controls
- Least-privilege access for personnel; access reviewed periodically
- Background checks for personnel with production access
- Mandatory security training for all engineering staff
- Documented incident response runbook and escalation paths
- Status page at status.hypersave.ai (forthcoming) with per-subsystem indicators and historical incident log
- Post-incident reviews for P1 incidents published within 5 business days
Application security
- Secure software development lifecycle with code review on every change
- Dependency vulnerability scanning on every build
- Static analysis and secrets scanning pre-commit
- External penetration testing planned annually post-public-launch
- Webhook signatures and idempotency keys to prevent replay and double-processing
Sub-processors
Hypersave engages the following sub-processors in delivering the Service. This list is provided as our current and planned set; material changes are announced at least 30 days in advance.
| Category | Sub-processor | Purpose |
|---|---|---|
| Payment processing | Stripe | Billing, payment methods, invoicing, tax compliance |
| Inference upstreams | OpenAI, Anthropic, Google (Vertex AI), Together AI, DeepInfra, Groq | Routed LLM and model inference |
| Compute upstreams | RunPod, Lambda Labs, Vast.ai, hyperscalers as partner enrolments complete (AWS, Azure, Google Cloud, Oracle Cloud) | GPU pod and CPU sandbox provisioning |
| Hosting / edge | Cloudflare, Fly.io | Frontend hosting, API edge, DNS, CDN, edge compute |
| Data storage | Supabase (managed PostgreSQL), Cloudflare D1 | Account, billing, and usage records |
| Observability | Provider built-in metrics and logs | Service monitoring |
| Transactional email | Resend | Receipts, password reset, security and policy notices |
| Mailbox | Fastmail | Inbound business email |
Customers may request a current signed sub-processor list with subscription-to-changes notification at security@hypersave.ai.
Acceptable Use Policy
Use of the Service is subject to the following AUP. Prohibited workloads include but are not limited to:
- Child sexual abuse material (CSAM) generation, hosting, or distribution
- Weapons targeting, weapons development for use against persons, or chemical/biological weapons development
- Mass surveillance against identifiable populations
- Election interference, including coordinated inauthentic behaviour and political-system manipulation
- Generation of credentials, phishing payloads, or malware targeting third parties
- Hate speech, harassment, or content inciting real-world violence against identifiable groups
- Workloads that violate the terms of an upstream provider in a way that would be detected on a reasonable review
Hypersave may suspend an account on reasonable belief of AUP violation, pending review.
Vulnerability disclosure
We welcome security research. Report suspected vulnerabilities to security@hypersave.ai. We commit to:
- Acknowledge receipt within 2 business days
- Provide initial triage within 5 business days
- Not pursue legal action against good-faith researchers acting within the scope below
Scope. All Hypersave-operated services on hypersave.ai and its subdomains.
Out of scope. Upstream provider infrastructure, third-party services, social engineering of Hypersave personnel, and denial-of-service attacks.
Abuse reports
To report Service abuse by another Hypersave customer (spam, malware, prohibited content), contact abuse@hypersave.ai with sufficient detail (timestamp, observed behaviour, evidence) for us to investigate.
Contact
For general security questions, security review requests, or our compliance questionnaire responses, contact security@hypersave.ai.