Trust Center

3.1 Data Encryption

At Rest

• AES-256 encryption for all data at rest
• Applies to databases, object storage, logs, and AI interaction records
• Cloud-native encryption mechanisms
• Controlled key management

In Transit

• TLS 1.3 for all data in transit
• User access, API traffic, and internal service-to-service communication

Data Integrity

• SHA-512 hashing for data integrity verification
• Tamper-resistant security and audit logs
• Integrity controls for AI execution traces and audit data

3.2 Access Control

Authentication

• Mandatory MFA for internal users and customers
• Password policies aligned with globally recognized security frameworks
• Scoped API access tokens

Authorization

• Role-Based Access Control (RBAC)
• Supports Admin, Security Engineer, Read-only/Auditor roles
• Granular permissions

Enterprise Identity

• Enterprise SSO (SAML/OIDC) on roadmap
• Can be enabled for regulated customers upon request

Session Security

• Automatic session timeout
• IP-based anomaly detection
• Concurrent session limits
• Full session logging

3.3 Network Security

Connectivity

• Site-to-site IPSec VPN
• Private networking/VPC peering
• Restricted public exposure by default

Perimeter & Application

• WAF for web and APIs
• Geo-blocking capabilities
• Network segmentation
• Centralized internal logging system

Availability

• Cloud-native DDoS protection (Cloudflare)
• Rate limiting
• Auto-scaling under attack conditions

3.4 AI/ML Security

Customer Data & AI

• Customer data never used for model training
• Dedicated/isolated model usage
• Prompt/response isolation between tenants

AI Interaction Logging

• All AI actions logged
• Full prompt→decision→output traceability
• Audit trails available upon request

Agentic Security Layer

• Internal AI agents analyze platform/security logs
• Automated anomaly detection with escalation
• Human-in-the-loop validation

3.5 Operational Security

Third-Party Pentesting

• Annual third-party penetration testing
• Scope includes platform, infrastructure, and APIs
• Executive summaries available upon request under NDA via [email protected]

Continuous Security

• Continuous vulnerability scanning
• Patch/update management
• Secure SDLC
• SelfHack continuously tests its own platform

Monitoring & Incident Response

• 24/7 infrastructure and security monitoring
• Internal monitoring and response
• Documented incident response playbooks

3.6 Compliance & Auditability

Compliance

• GDPR compliant
• ISO 27001-aligned controls (in progress)
• SOC 2-aligned controls (in progress)
• NIS2 readiness (in progress)

Customer Audits

• Audit support upon request
• Evidence sharing under NDA
• Support for customer security questionnaires

Data Residency Controls

• Customer-selected region
• EU-only enforcement available
• Contractual guarantees via DPA