ISMS Scope Statement
ISO 27001 Clause 4.3 — Effective: March 8, 2026
Document ID: H33-ISMS-SCOPE-001
Classification: Internal / Auditor-Accessible
Owner: Eric Beans, CEO / CISO
Approved: March 8, 2026
Next Review: March 2027
1. Organization Context
H33.ai, Inc. ("H33") is a post-quantum cryptographic technology company that provides authentication, document validation, and cross-bank fraud intelligence services. H33 develops and operates proprietary Fully Homomorphic Encryption (FHE), Zero-Knowledge Proof (ZKP), and post-quantum cryptographic (PQC) engines used by banks, fintech companies, government agencies, and healthcare organizations to secure sensitive data and transactions.
H33's core technology stack is built in Rust and implements the NIST post-quantum standards FIPS 203 (ML-KEM, standardized from Kyber), FIPS 204 (ML-DSA, standardized from Dilithium), and FIPS 205 (SLH-DSA, standardized from SPHINCS+). All production infrastructure is cloud-hosted on Amazon Web Services (AWS) in the us-east-1 region.
2. Scope Definition
The Information Security Management System (ISMS) encompasses the following systems, services, and processes:
| Component | Description | Technology |
|---|---|---|
| H33 Cryptographic Engine | BFV/CKKS FHE, ZKP STARK lookups, ML-DSA (Dilithium) / ML-KEM (Kyber) / SLH-DSA (SPHINCS+) operations | Rust |
| Auth1 Authentication Microservice | Multi-tenant authentication platform (OTP, session management, billing) | Node.js |
| H33-Vault | Document validation platform with FHE-encrypted processing | Rust + Node.js |
| H33-Share | Cross-bank fraud intelligence network with encrypted data sharing | Rust + Node.js |
| AWS Infrastructure | EC2, RDS PostgreSQL, ElastiCache Redis, CloudFront CDN, Elastic Beanstalk, S3, CloudTrail | AWS us-east-1 |
| Web Properties | h33.ai marketing site, documentation, developer portal | HTML/JS, Netlify |
| Organizational Processes | HR, vendor management, change management, incident response, business continuity | Policy-based |
3. Boundaries
3.1 Physical Boundaries
All production infrastructure is hosted in AWS us-east-1 data centers (Northern Virginia). AWS data centers are SOC 2 Type II and ISO 27001 certified. H33 does not operate on-premises data centers. Employee workstations and development environments are covered by endpoint security policies.
3.2 Logical Boundaries
- Network: VPC 10.0.0.0/16 with public and private subnet segregation
- Compute: EC2 instances in private subnets, accessible only via Application Load Balancer
- Data: RDS PostgreSQL and ElastiCache Redis in private subnets, no public accessibility
- CDN: CloudFront distribution for static assets and edge caching
- Monitoring: CloudTrail, CloudWatch, and Drata continuous compliance monitoring
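The boundary claims above (private subnets only, no public IPs on compute, no public access to RDS or Redis, all addresses inside 10.0.0.0/16) are the kind of statement an auditor will ask to see evidence for. The script below is an added example, not part of this scope statement or of H33's own tooling: it evaluates an inventory in the shape of the boto3 `describe_*` responses against those rules. The inventory, the subnet IDs and every instance and address in it are constructed for illustration; in a real run the same structures would come from `ec2.describe_instances`, `rds.describe_db_instances` and `elasticache.describe_cache_subnet_groups`, and the private subnet set from `ec2.describe_subnets`.

```python
"""Check an AWS inventory against the Section 3.2 logical boundaries.

Added example (not H33's code). Input dicts mirror the boto3 response
shapes; the sample below is constructed, all IDs and addresses are made up.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Assumed subnet IDs: the scope statement only says the VPC is split into
# public and private subnets, so these identifiers are placeholders.
PRIVATE_SUBNETS = {"subnet-0aaa111", "subnet-0bbb222"}

SAMPLE_INVENTORY = {
    # entries as they appear in Reservations[].Instances[] of describe_instances
    "ec2": [
        {"InstanceId": "i-0app0001", "SubnetId": "subnet-0aaa111",
         "PrivateIpAddress": "10.0.10.5"},
        # boundary violation: public subnet and a public IPv4 address
        {"InstanceId": "i-0app0002", "SubnetId": "subnet-0ccc333",
         "PrivateIpAddress": "10.0.1.9", "PublicIpAddress": "203.0.113.7"},
    ],
    # entries as in DBInstances[] of describe_db_instances
    "rds": [
        {"DBInstanceIdentifier": "auth1-prod", "PubliclyAccessible": False,
         "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-0aaa111"},
                                        {"SubnetIdentifier": "subnet-0bbb222"}]}},
    ],
    # entries as in CacheSubnetGroups[] of describe_cache_subnet_groups
    "elasticache": [
        # boundary violation: one subnet of the group is public
        {"CacheSubnetGroupName": "auth1-redis",
         "Subnets": [{"SubnetIdentifier": "subnet-0aaa111"},
                     {"SubnetIdentifier": "subnet-0ccc333"}]},
    ],
}


def check_boundaries(inv, private_subnets=PRIVATE_SUBNETS, vpc_cidr=VPC_CIDR):
    """Return a list of human-readable findings; empty means 3.2 holds."""
    findings = []

    # Compute: private subnet, no public IP, private address inside the VPC CIDR
    for inst in inv.get("ec2", []):
        iid = inst["InstanceId"]
        if inst.get("SubnetId") not in private_subnets:
            findings.append(f"{iid}: not in a private subnet ({inst.get('SubnetId')})")
        if inst.get("PublicIpAddress"):
            findings.append(f"{iid}: has public IP {inst['PublicIpAddress']}")
        if ipaddress.ip_address(inst["PrivateIpAddress"]) not in vpc_cidr:
            findings.append(f"{iid}: private IP outside {vpc_cidr}")

    # Data: RDS must not be publicly accessible and must sit only in private subnets
    for db in inv.get("rds", []):
        name = db["DBInstanceIdentifier"]
        if db.get("PubliclyAccessible"):
            findings.append(f"{name}: RDS instance is publicly accessible")
        for s in db.get("DBSubnetGroup", {}).get("Subnets", []):
            if s["SubnetIdentifier"] not in private_subnets:
                findings.append(f"{name}: DB subnet group contains non-private {s['SubnetIdentifier']}")

    # Data: ElastiCache subnet groups must contain only private subnets
    for grp in inv.get("elasticache", []):
        name = grp["CacheSubnetGroupName"]
        for s in grp.get("Subnets", []):
            if s["SubnetIdentifier"] not in private_subnets:
                findings.append(f"{name}: cache subnet group contains non-private {s['SubnetIdentifier']}")

    return findings


def is_compliant(inv, **kwargs):
    """True when no finding is raised, i.e. the inventory matches Section 3.2."""
    return not check_boundaries(inv, **kwargs)


if __name__ == "__main__":
    for finding in check_boundaries(SAMPLE_INVENTORY):
        print("FINDING:", finding)
```

Run against the constructed sample it reports three findings (the second EC2 instance twice, the Redis subnet group once) and nothing for the RDS instance. Scheduling it, or an equivalent Drata test, and keeping the output is straightforward evidence for Clause 4.3 that the stated boundary still matches what is deployed.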
3.3 Organizational Boundaries
- All H33 full-time employees
- All contractors and consultants with access to H33 systems or data
- Third-party service providers with access to H33 infrastructure (covered by vendor agreements)
4. Exclusions
The following are explicitly excluded from the ISMS scope:
- Customer-side integrations: Client applications, client-managed infrastructure, and customer endpoint devices that consume H33 APIs
- Third-party services beyond API boundaries: Stripe payment processing (PCI DSS certified independently), Twilio SMS delivery (SOC 2 certified independently), and Netlify's hosting infrastructure (SOC 2 certified independently). The h33.ai web content deployed to Netlify remains in scope as a Web Property (Section 2)
- Solana blockchain operations: On-chain token transactions, validator nodes, and DeFi integrations
- Open-source consumer tools: Publicly available developer tools and libraries that do not process customer data
Each exclusion is justified either by the absence of direct H33 control over the excluded component or by the component posing no information security risk to H33's core services. The integration points with excluded services (API keys, webhook signature verification, deploy tokens) remain in scope and are listed in Section 5.
5. Interfaces and Dependencies
The ISMS interacts with the following external entities and services:
| Interface | Direction | Data Flow | Security Controls |
|---|---|---|---|
| AWS Services | Bidirectional | Infrastructure management, data storage, logging | IAM, VPC, encryption at rest/transit, CloudTrail |
| Netlify CDN | Outbound | Static site deployment, edge caching | TLS 1.2+, deploy tokens, branch protection |
| Auth1 Tenants | Inbound | Authentication requests, OTP delivery, session tokens | API key authentication, rate limiting, TLS |
| Stripe Payments | Outbound | Payment processing, subscription management, webhooks | Stripe API keys (server-side only), webhook signatures |
| Twilio SMS | Outbound | OTP delivery, transactional notifications | Account SID + Auth Token, TLS, rate limiting |
| GitLab CI/CD | Bidirectional | Source code, build artifacts, deployment pipelines | SSH keys, deploy tokens, branch protection, MFA |
| Drata | Inbound | Compliance evidence collection, control monitoring | OAuth integration, read-only access, audit logging |
6. Interested Parties
The following interested parties have been identified, along with their requirements relevant to information security:
| Interested Party | Requirements / Expectations |
|---|---|
| Customers (banks, fintech, government, healthcare) | Confidentiality of data, service availability, regulatory and attestation requirements (HIPAA, PCI DSS, SOC 2), post-quantum security assurance |
| Regulators and standards bodies (financial authorities, HHS, NIST) | Compliance with applicable laws and standards (NIST FIPS, HIPAA, state privacy laws), audit cooperation |
| Employees and Contractors | Clear security policies, training, safe reporting channels, privacy of personal data |
| Auditors (SOC 2, ISO 27001) | Evidence of control implementation, access to documentation, management commitment |
| Business Partners (AWS, Stripe, Twilio) | Adherence to shared responsibility models, secure integration practices |
| Investors and Board | Risk management, business continuity, reputational protection |
7. Document Review
This ISMS Scope Statement is reviewed and approved annually by the CEO/CISO, or more frequently when significant changes occur to the organization, its services, or the threat landscape.
| Version | Date | Author | Change Description |
|---|---|---|---|
| 1.0 | March 8, 2026 | Eric Beans | Initial ISMS scope statement |
Next scheduled review: March 2027
Questions about this policy?
Contact our Security team at security@h33.ai