Cryptographic Substrate · Verifiable Posture

Security at H33 is verifiable, not asserted.

Every claim on this page is backed by a receipt, a verifier, or a signed artifact you can independently confirm. We don't ask you to trust us. We give you the tools to check.

The security posture in one paragraph

What H33's security actually is.

H33 is a cryptographic substrate that turns every decision — accepted, rejected, hostile — into a portable, post-quantum-signed receipt. The receipt is verifiable offline by anyone, including someone who has never had an account with H33. Three independent post-quantum signature families sign every artifact: ML-DSA-65, FALCON-512, and SLH-DSA-SHA2-128f. A break in one does not break the receipt. The verifier is open. The receipt format is open. The conformance corpus is open. The story works whether or not H33 the company continues to exist.

That is the load-bearing claim. Everything else on this page is consequences and details.

Cryptographic guarantees

What the substrate guarantees, with mechanism.

Decision integrity

Every API decision emits a signed receipt. Accepted requests get a receipt. Rejected requests get a receipt. Hostile requests get a receipt. The signature binds the decision to the policy version, identity, time, and inputs.

Post-quantum durability

Three independent signature families with independent hardness assumptions: lattice (ML-DSA), NTRU lattice (FALCON), hash-based (SLH-DSA). The receipt verifies cleanly under any one of the three. Two breaks would be needed to compromise a receipt.

Vendor-independent verification

The verifier is open. It does not need to call H33. It does not need an H33 account. It works offline. If H33 disappears in 2030, the receipt your system produced in 2026 still verifies in 2034.

Tamper evidence

Any change to a signed artifact invalidates the signature. The verifier reports VERIFIED or NOT VERIFIED with the failure mode named. No partial trust.

Replay determinism

A receipt-bound decision can be replayed against the same inputs and policy version and reproduce the same outcome. Disputes collapse to facts.

Continuous evidence

HATS produces a continuous attestation stream of control state. It replaces annual questionnaires and sampled audits with verifiable, time-stamped, receipt-bound evidence.

Compliance posture

Where we are with each framework.

| Framework | Status |
| --- | --- |
| SOC 2 Type II | In audit · Drata-managed evidence collection |
| ISO 27001:2022 | In audit · 14-domain Annex A mapping |
| HIPAA | Architecturally aligned via FHE-based encrypted processing. BAA available on request |
| PCI DSS | Architecturally aligned |
| GDPR | DPA available. EU-data residency on Sovereign tier |
| NIST FIPS 203/204/205 | ML-KEM-768, ML-DSA-65, SLH-DSA aligned |
| FedRAMP | Ready for sponsoring agency |
| FedNow | Receipt-bound transaction support |

Verify it yourself

How to confirm any claim above.

The single test that distinguishes H33's security from competitor security claims: can you verify this without trusting us? For each claim, here's how.

Threat model and limits

What H33 does and does not protect against.

Honest threat modeling matters more than aspirational language. Here's what the substrate protects, what it bounds, and what it does not protect against.

See the substrate in production.

Receipts emitted on every decision. Verification independent. Three signature families active. Hit the API or talk to us.


Security · FAQ

What cryptography does H33 use?

NIST-standardized post-quantum algorithms — ML-KEM (Kyber, FIPS 203) for key encapsulation and ML-DSA (Dilithium, FIPS 204) for signatures — alongside AES-256-GCM for symmetric encryption, plus FHE and zero-knowledge proofs for computing over encrypted data. KMS keys rotate automatically each year.

Does H33 ever see customer plaintext?

Sensitive fields are encrypted at origin with field-level and fully homomorphic encryption, so H33 can verify and process data without exposing plaintext on shared infrastructure.

Is H33 SOC 2 or ISO 27001 certified?

H33 runs a SOC 2 program (in progress) with continuous monitoring through Drata and is pursuing ISO 27001:2022. Evidence is collected continuously against 114+ controls. See the ISO 27001 and SOC 2 pages for detail.

How can I independently verify H33's claims?

Authorization proofs and attestations verify offline with the open Verifier CLI, with no dependency on H33's systems. For formal procurement review, request the Security Exhibit.