
Security Exhibit

Last updated: February 10, 2026

1. Scope and Principles

1.1 Scope

This Exhibit applies to the cloud Services offered by H33 (including APIs, dashboards, and hosted components) and H33's management of Customer Data within H33's systems. This Exhibit addresses security controls for H33-managed systems and does not describe or guarantee the security of third-party networks (including blockchain networks) or Customer Wallet/key custody.

1.2 Shared Responsibility

Security is a shared responsibility. H33 is responsible for security of the Services and H33-managed infrastructure. Customer is responsible for security of the Customer Application, Customer environments, End User devices, credential management, and all required notices/consents and lawful bases for processing.

1.3 Design Intent Regarding Sensitive Inputs

The Services are designed to support privacy-preserving authentication workflows, including processing of biometric-related inputs in encrypted form depending on the architecture/module selected and Customer's integration choices. Customer remains responsible for determining what data it submits and for configuring the Services consistent with applicable law and Customer's risk posture.

1.4 No Additional Commitments

This Exhibit is descriptive and does not create warranties or SLAs. Any additional security commitments must be expressly agreed in an Order Form or addendum signed by H33.

2. H33 Security Controls

H33 maintains a security program with administrative, technical, and organizational safeguards aligned to common industry practices for SaaS/API services. Measures include:

2.1 Governance and Risk Management

  • Documented security policies covering access control, secure development, incident response, change management, and vendor risk (appropriate to company stage and the Services offered).
  • Periodic risk review and prioritization of remediation based on severity and likelihood.

2.2 Identity and Access Management

  • Principle of least privilege for administrative access.
  • Role-based access controls for internal systems where applicable.
  • Multi-factor authentication (MFA) for privileged access where supported by the identity provider.
  • Access provisioning/deprovisioning procedures (including removal of access upon role changes/termination).

2.3 Data Protection and Encryption

  • Encryption in transit using industry-standard TLS for supported endpoints.
  • Encryption at rest for H33-managed storage where supported by underlying infrastructure.
  • Separation of production and non-production environments where practical.
  • Logical isolation controls intended to prevent cross-customer access.

2.4 Secure Development Lifecycle

  • Secure coding practices and code review.
  • Use of automated testing and validation processes appropriate for the Services (e.g., unit/integration tests, dependency monitoring).
  • Change control procedures for production releases (including rollback capability where feasible).

2.5 Logging and Monitoring

  • Monitoring for service availability, performance, and anomalous activity.
  • Logging of relevant operational events for security and troubleshooting, subject to configured retention periods and legal constraints.
  • Abuse detection and automated controls (e.g., throttling, blocking, credential revocation) as needed to protect the Services.

2.6 Vulnerability Management

  • Processes to identify and remediate vulnerabilities, including dependency updates and patching.
  • Severity-based remediation prioritization.
  • Optional coordination with external testing as the program matures (as available).

2.7 Business Continuity and Backups

  • Operational measures intended to support service continuity and recovery.
  • Backups and recovery procedures where applicable to H33-managed components, subject to technical constraints and the nature of the Services.

2.8 Subprocessors / Service Providers

  • Use of reputable third-party service providers (e.g., cloud infrastructure) where needed to deliver the Services.
  • H33 maintains appropriate written terms with relevant providers consistent with the nature of the services provided, which may include confidentiality and security commitments and, where applicable, data protection terms.
  • Customer acknowledges that certain providers may offer services under standardized terms.

2.9 Personnel Security and Training

  • Confidentiality obligations for personnel with access to Confidential Information.
  • Security awareness measures appropriate to role and access level.

3. Customer Security Responsibilities

Customer is responsible for:

3.1 Customer Application Security

Securing the Customer Application, including its infrastructure, authentication flows, configuration, and access control.

3.2 Credential Management

  • Protecting API keys and credentials (secure storage, rotation, least privilege).
  • Preventing credential sharing, embedding secrets in client-side code, or exposing keys in public repositories.
  • Implementing appropriate request authentication and replay protections as recommended in Documentation.

3.3 Endpoint and Network Security

  • Securing Customer endpoints and environments connecting to the Services.
  • Implementing firewalling and network controls appropriate to the integration.

3.4 End User Notices/Consents and Compliance

  • Providing required biometric/privacy notices and obtaining required consents and written releases where applicable.
  • Maintaining required retention schedules and deletion workflows for data Customer collects or stores.

3.5 Usage Monitoring and Abuse Controls

  • Monitoring for abnormal usage, compromised credentials, or unauthorized access in Customer systems.
  • Promptly suspending/revoking credentials if compromise is suspected.

3.6 Lawful Data Submission

  • Submitting only data Customer is authorized to process and submit under law and the Terms.
  • Not submitting PHI unless a BAA is executed (per the Terms).

4. Security Incident Response and Notification

4.1 Security Incident Definition

"Security Incident" has the meaning in the Terms (and the DPA, if applicable). Security Incidents do not include unsuccessful attempts or events that do not result in unauthorized access to Customer Data.

4.2 Notification

If H33 becomes aware of a Security Incident, H33 will notify Customer consistent with the DPA (if applicable) or, if no DPA applies, within a commercially reasonable time after confirmation. Notifications will be sent to Customer's designated security/contact email on file (or account admin contact).

4.3 Information and Cooperation

H33 will provide information reasonably necessary for Customer to meet its regulatory obligations, consistent with law and security needs, and will cooperate on a commercially reasonable basis with Customer's investigation.

4.4 Customer Responsibilities

Customer is responsible for:

  • Determining whether notice to End Users, regulators, or others is required (unless the DPA allocates responsibilities differently);
  • Providing legally required notices; and
  • Costs associated with Customer notifications and mitigation, subject to any mandatory allocation under law and any express allocation in an Order Form or DPA.

5. Vulnerability Reporting

5.1 Reporting Channel

Security issues should be reported to security@h33.ai.

5.2 Responsible Disclosure

Customer and third parties must not publicly disclose vulnerabilities until H33 has had a reasonable opportunity to investigate and remediate, unless disclosure is required by law.

5.3 No Exploitation

Customer must not exploit vulnerabilities, access data not intended for Customer, or disrupt the Services while testing or reporting.

6. Security Assessments; Questionnaires; Audit Requests

6.1 Baseline Materials

Upon reasonable request (and subject to confidentiality), H33 may provide then-current security summaries and/or third-party reports if available (e.g., SOC 2).

6.2 Limits

Unless expressly agreed in an Order Form:

  • Customer has no audit rights except to the extent (if any) expressly set forth in an executed DPA or an Order Form signed by H33.
  • H33 does not support on-site audits.
  • Extensive questionnaires, bespoke attestations, special logging exports, or additional security cooperation may be provided only at H33's discretion and may be subject to fees and scheduling.

6.3 Confidentiality of Security Materials

Security reports, assessments, questionnaires, responses, and related security communications are H33 Confidential Information and may not be shared externally without H33's prior written consent.

7. Data Location; Retention; Deletion

7.1 Data Location

Customer Data may be processed and stored in the United States and other jurisdictions where H33 or its service providers operate, subject to the DPA (if applicable) and the Terms.

7.2 Retention

H33 retains Customer Data and logs as described in the Terms, Documentation, and any applicable DPA, subject to legal holds and technical constraints.

7.3 Deletion

Upon termination and consistent with the Terms/DPA, H33 will delete Customer Data in accordance with documented retention/deletion practices, subject to legally required retention and backup limitations.

8. Changes to this Exhibit

H33 may update this Exhibit from time to time. Updates are effective when posted (or as otherwise stated). If H33 materially reduces protections described in this Exhibit, H33 will use commercially reasonable efforts to provide notice to Customers with active paid accounts.

9. Security Contacts

Contact Information