Software and Third-Party Libraries Inventory
Effective: March 17, 2026 · DCF-708
1. Purpose
This document establishes H33.ai's Software Bill of Materials (SBOM) and third-party library inventory in accordance with ISO 27001 A.5.9 (Inventory of Information and Other Associated Assets). Maintaining a complete and current inventory of all software components is essential for vulnerability management, license compliance, and supply chain security.
H33.ai develops its core cryptographic engine in Rust with zero external AI dependencies. All third-party libraries are vetted for security, license compatibility, and maintenance status before inclusion in the production codebase.
2. Inventory Methodology
H33.ai maintains its software inventory through automated and manual processes:
- Automated scanning: `cargo audit` is executed on every CI/CD pipeline run to detect known vulnerabilities in Rust dependencies against the RustSec Advisory Database.
- Dependency tree analysis: `cargo tree` generates a complete transitive dependency graph, reviewed quarterly for unexpected or unnecessary inclusions.
- Lock file tracking: `Cargo.lock` is committed to version control, ensuring reproducible builds and a precise record of every dependency version in production.
- Quarterly manual review: The CISO reviews the full dependency list each quarter, verifying that all libraries remain actively maintained, properly licensed, and free of known vulnerabilities.
3. Core Platform Dependencies (Rust)
The following table lists the primary dependencies used in the H33 cryptographic engine. All dependencies are sourced from crates.io and pinned to specific versions via Cargo.lock.
| Dependency (version) | Purpose |
|---|---|
| rand (0.8.x) | Cryptographically secure pseudo-random number generation (CSPRNG). Used for key generation, noise sampling, and nonce generation across all FHE and PQC operations. |
| sha3 (0.10.x) | SHA3-256 hashing. Used for STARK proof commitments, ZKP challenge generation, and integrity verification throughout the authentication pipeline. |
| aes-gcm (0.10.x) | AES-256-GCM authenticated encryption. Used in OCR encrypt/decrypt operations and hybrid encryption schemes (Kyber + AES-256-GCM). |
| rayon (1.x) | Data parallelism library. Powers parallel NTT computation across moduli during FHE encrypt operations, enabling multi-core utilization on Graviton4 (96 workers). |
| dashmap (5.x) | Concurrent hash map. Used for in-process ZKP STARK proof caching (0.059 µs lookups), replacing the TCP-based cache with a 44x performance improvement. |
| serde (1.x) | Serialization/deserialization framework. Used for structured data handling across API boundaries and configuration management. |
| serde_json (1.x) | JSON serialization. Used for API request/response handling and structured logging output. |
| pqcrypto-dilithium | ML-DSA (Dilithium) post-quantum digital signatures. Used for batch attestation (1 sign+verify per 32-user batch) in the production authentication pipeline. |
| pqcrypto-kyber | ML-KEM (Kyber) post-quantum key encapsulation. Used for hybrid key exchange in OCR encryption and secure channel establishment. |
| criterion (dev only) | Benchmarking framework. Used exclusively in development and CI for performance regression testing. Not included in production builds. |
4. Auth1 Dependencies (Node.js)
Auth1, H33's authentication-as-a-service subsidiary, runs on Node.js. Its dependency inventory is managed separately but included in H33's overall SBOM for audit purposes.
| Package | Purpose |
|---|---|
| Node.js (LTS) | Runtime environment. Currently on the active LTS release, updated within 30 days of new LTS versions. |
| Express | HTTP server framework. Handles API routing for authentication endpoints. |
| pg (PostgreSQL driver) | Database connectivity to RDS PostgreSQL for tenant, user, and session management. |
| ioredis (Redis client) | Connection to ElastiCache Redis for session caching and rate limiting. |
| jsonwebtoken | JWT generation and verification for authentication tokens. |
| bcrypt | Password hashing with configurable work factor. |
| twilio SDK | SMS OTP delivery via Twilio Messaging Service (primary) with AWS SNS failover. |
5. Infrastructure Services
The following third-party services are integrated into H33's production infrastructure. Each service is evaluated for SOC 2 compliance, data handling practices, and business continuity capabilities.
| Service | Role |
|---|---|
| AWS | Primary cloud provider. Services: EC2 (Graviton4 c8g.metal-48xl compute), RDS PostgreSQL (database), ElastiCache Redis (caching), Elastic Beanstalk (Auth1 hosting), CloudFront (CDN), ACM (TLS certificates), Secrets Manager (credential storage), S3 (log archival), CloudTrail (API audit logging). |
| GitLab | Source control and CI/CD pipeline. Hosts all H33 and Auth1 repositories with a merge request-based workflow, automated testing, and secret detection scanning. |
| DataDog | Infrastructure monitoring, application performance monitoring (APM), log aggregation, and alerting. Monitors NTP sync, CPU utilization, memory, and network metrics across all production instances. |
| Drata | Compliance automation platform. Automated evidence collection for SOC 2 and ISO 27001 controls, continuous monitoring, and audit readiness. |
| Microsoft 365 | Corporate email and productivity suite with HIPAA security package. Includes Microsoft Defender for Endpoint, audit logging, and data loss prevention (DLP). |
| Netlify | Static site hosting and CDN for the h33.ai marketing site, documentation, and compliance pages. |
| Stripe | Payment processing for credit-based billing. PCI DSS Level 1 certified. No cardholder data is stored on H33 infrastructure. |
| Twilio | SMS delivery for OTP-based authentication. Used by Auth1 for multi-factor authentication across all tenants. |
6. Vulnerability Management
H33.ai employs a layered approach to vulnerability management across its software supply chain:
- Rust dependencies: `cargo audit` is executed on every CI pipeline run. Any advisory with a severity of "medium" or above blocks the pipeline until resolved. The RustSec Advisory Database is the authoritative source for Rust ecosystem vulnerabilities.
- Node.js dependencies (Auth1): Dependabot is configured on the Auth1 GitLab repository to automatically create merge requests for dependency updates when vulnerabilities are disclosed.
- Infrastructure services: AWS shared responsibility model applies. AWS manages patching of managed services (RDS, ElastiCache, EB platform). H33 manages OS-level patching on EC2 instances used for benchmarking.
- Zero-day response: Critical vulnerabilities (CVSS 9.0+) are assessed within 24 hours and patched within 72 hours. The CISO is notified immediately via DataDog alerting integration.
7. License Compliance
All dependencies are reviewed for license compatibility before inclusion in the codebase. H33.ai permits the following open-source licenses:
- MIT License — Permissive, compatible with commercial use
- Apache License 2.0 — Permissive, includes patent grant
- BSD (2-clause and 3-clause) — Permissive, compatible with commercial use
- ISC License — Functionally equivalent to MIT
Copyleft licenses (GPL, LGPL, AGPL) are prohibited in production dependencies without explicit CISO approval and legal review. License compliance is verified during the quarterly dependency review.
8. Review Schedule
- Continuous: `cargo audit` on every CI pipeline run
- Quarterly: Full dependency review by CISO (dependency versions, maintenance status, license compliance, transitive dependency audit)
- On dependency update: Any new dependency or major version upgrade requires security review and license verification before merge
- Annual: Comprehensive SBOM audit as part of SOC 2 and ISO 27001 audit cycles
Questions?
Contact the Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.
H33.ai, Inc. · 11533 Brighton Knoll Loop, Riverview, FL 33579 · 813-464-0945