A formal, attachable summary of H33's security controls for enterprise procurement, vendor risk review, and contract exhibits. This document states what H33 protects, how, and where the underlying evidence can be obtained or independently verified.
This Security Exhibit describes the administrative, technical, and physical safeguards H33.ai, Inc. ("H33") applies to customer data processed through its platform and APIs. It is intended to accompany a Master Services Agreement, Data Processing Agreement, or vendor security questionnaire. It summarizes — and does not supersede — the controls evidenced in H33's ISO 27001 program, SOC 2 program, and the documents available through the Trust Center. Where this Exhibit and an executed agreement differ, the agreement governs.
H33 processes only the data necessary to deliver the contracted service. Customer data is classified, inventoried, and labeled under a documented asset-management procedure covering all production datastores, object storage, and compute. Sensitive fields are encrypted at origin so that, wherever the workload permits, H33 verifies and processes data without exposing plaintext on shared infrastructure. Data is logically segregated by customer, and retention and deletion follow contractual terms, including GDPR Right-to-Erasure handling through data masking and deletion capabilities.
H33 applies post-quantum cryptography as a default, not an upgrade path:
H33 engages a limited set of sub-processors under written data-processing terms and conducts third-party risk assessments. The current list is maintained in the Trust Center.
| Function | Sub-processor and purpose |
| --- | --- |
| Cloud infrastructure | Amazon Web Services — compute, storage, KMS, managed databases (US regions) |
| Payments | Stripe — billing and payment processing |
| Communications | Twilio — transactional messaging |
| Identity | Auth1 — authentication services |
| Compliance automation | Drata — continuous control monitoring and evidence collection |
Access to production systems and customer data follows the principle of least privilege and is governed by IAM policy with enforced MFA, a 14-character password minimum, and 90-day rotation. Cryptographic operations use role-based, time-bounded grants. Production, staging, and development environments are fully isolated, and changes reach production only through reviewed, approval-gated merge requests with branch protection. Personnel are subject to confidentiality obligations and security awareness requirements; access is provisioned on a need-to-know basis and revoked promptly on role change or separation.
H33 maintains two multi-region, KMS-encrypted CloudTrail trails, VPC flow logs across all VPCs, GuardDuty threat detection, Amazon Inspector vulnerability scanning, and AWS Config continuous recording. Application-level audit logs are immutable. Fourteen CIS-benchmark alarms provide automated detection with SNS-based real-time alerting. IAM Access Analyzer continuously monitors for unintended external access.
H33 maintains a documented incident-response plan with severity classification, defined escalation paths, and real-time alerting. In the event of a security incident affecting customer data, H33 will notify affected customers without undue delay in accordance with the executed agreement and applicable law, and will provide the information reasonably necessary for the customer to meet its own notification obligations. Post-incident review and remediation tracking are part of the standard process.
Production databases run Multi-AZ with automated daily backups, KMS-encrypted snapshots, and point-in-time recovery. Disaster-recovery procedures are documented and maintained. Infrastructure is distributed to tolerate availability-zone failure without data loss.
H33 operates a SOC 2 program (in progress) with continuous monitoring through Drata against 114+ controls, and is pursuing ISO 27001:2022 certification. AWS Security Hub assesses posture against the CIS AWS Foundations Benchmark. Compliance artifacts — including SOC 2, HIPAA, GDPR, and PCI-DSS documentation and 215+ supporting records — are available under NDA through the Trust Center. Customer security assessments and questionnaires are supported on request.
Beyond conventional attestations, H33's authorization proofs and attestations can be verified offline by the customer using the open Verifier CLI, with no dependency on H33 systems. This allows a customer's own auditors to confirm the integrity of authorization and audit records directly, rather than relying solely on H33's representations.
| Item | Detail |
| --- | --- |
| Legal entity | H33.ai, Inc. |
| Hosting | Amazon Web Services, United States regions |
| Encryption at rest | AES-256-GCM (AWS KMS, annual rotation) |
| Encryption in transit | TLS 1.2/1.3 with ML-KEM-1024 key encapsulation |
| Signatures | ML-DSA (Dilithium, FIPS 204); SLH-DSA fallback |
| Compliance | SOC 2 (in progress) · ISO 27001:2022 (in progress) · HIPAA · GDPR · PCI-DSS |
| Breach notification | Without undue delay, per executed agreement and applicable law |
| Security contact | support@h33.ai |