Trust & security
Built for the questions procurement asks
Hydra is operated by a small team. Smaller doesn't mean looser — every privileged change is logged, every tenant is isolated at the database layer, and every subprocessor is listed below.
Last updated May 15, 2026
Security posture
The controls in place today.
Encryption in transit and at rest
All traffic to and from Hydra is served over TLS 1.2+. Data at rest in Supabase is encrypted with AES-256 using provider-managed keys.
Tenant isolation
Every row in every table is tagged with a tenant_id. PostgreSQL row-level security enforces isolation at the database layer — application bugs cannot cross tenants.
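A sketch of the kind of row-level security setup described above, added here as an illustration and not taken from Hydra's schema. The table `conversations`, the role `app_user`, the session setting `app.tenant_id` and the UUIDs are assumptions made up for the example. The closing queries are a check for tables or roles that would sit outside the policy.

```sql
-- Hypothetical table; only the tenant_id column is taken from the page.
CREATE TABLE conversations (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    subject   text NOT NULL
);

-- ENABLE turns policies on; FORCE applies them to the table owner too.
-- Without FORCE, the owning role skips every policy.
ALTER TABLE conversations ENABLE ROW LEVEL SECURITY;
ALTER TABLE conversations FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted.
-- WITH CHECK rejects new or changed rows that belong to another tenant.
-- An unset or empty app.tenant_id yields NULL, so no row matches (fail closed).
CREATE POLICY tenant_isolation ON conversations
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Application role (assumed name): no superuser, no BYPASSRLS.
CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON conversations TO app_user;
GRANT USAGE ON SEQUENCE conversations_id_seq TO app_user;

-- Constructed session for tenant A.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO conversations (tenant_id, subject)
VALUES ('11111111-1111-1111-1111-111111111111', 'Tenant A ticket');
-- Inserting a row tagged with tenant B's id here would fail with
-- "new row violates row-level security policy".
SELECT count(*) FROM conversations;   -- counts tenant A rows only
COMMIT;

-- Audit 1: ordinary tables where RLS is missing or not forced.
SELECT n.nspname, c.relname, c.relrowsecurity, c.relforcerowsecurity
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind = 'r'
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity);

-- Audit 2: roles that bypass every policy regardless of the above.
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

Any connection that runs as a role returned by the second audit query is not constrained by the policy, so the isolation holds only for code paths that connect as a restricted role.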
Two-factor authentication
TOTP 2FA is available for all dashboard users. Owners can require it tenant-wide; users without an enrolled factor are routed to enrollment before they can reach the dashboard.
Admin audit log
Every privileged mutation — invites, role changes, channel and bot configuration, API-key minting, MFA-policy changes, data exports — is recorded with actor, timestamp, IP, and a structured diff. The log is append-only and surfaced inside each tenant.
Scoped API keys
Programmatic access uses tenant-scoped bearer keys with explicit scopes (read, write, knowledge:write, etc.). Keys are hashed at rest, displayed once on creation, and revocable from the dashboard.
Least-privilege access
Hydra staff access to production is limited to the platform operator and gated by per-service authentication. Customer data is never accessed except for explicit support requests, and access is logged.
Subprocessors
Third-party services that may process tenant data on Hydra's behalf. We notify tenants 30 days in advance of adding a new subprocessor.
| Name | Purpose | Region |
|---|---|---|
| Supabase | Primary database, authentication, file storage | US (AWS us-east-1) |
| Vercel | Application hosting and serverless functions | US + global edge |
| Anthropic | Claude language model for bot replies and AI features | US |
| Voyage AI | Embeddings for knowledge-base search | US |
| Resend | Outbound transactional email | US |
| Firecrawl | Web scraping for knowledge ingestion (when a tenant adds a URL) | US |
| Cloudflare | DNS, inbound email routing for support@ aliases | Global edge |
Data handling
What we store, how AI features use it, and how to get it out.
- What we store: Conversations, tickets, contacts, accounts, knowledge sources, agent users, configuration, and audit logs. Stored in Supabase (Postgres + Object Storage) in the US region.
- How AI features use data: When a bot replies, the relevant conversation and retrieved knowledge chunks are sent to Anthropic for inference. Anthropic does not train on data submitted via the API. Embeddings for knowledge search are generated by Voyage AI and stored as vectors in Supabase pgvector.
- Data export: Tenant admins can export all contacts (CSV or JSON), all conversations with messages and replies (JSON), or a single contact and their full history (JSON / GDPR subject-access). Available from Settings → Data.
- Data deletion: Tenants can delete their own records inside the dashboard. On account termination, all tenant data is removed within 30 days. Backups roll off within 30 days of the original deletion.
- Logs and metadata: Operational logs are retained for 30 days. Audit logs are retained for the lifetime of the tenant.
Incident response
How we communicate when something goes wrong.
- Notification commitment: For confirmed security incidents that affect tenant data, we notify affected tenants by email within 24 hours of confirmation. Initial notice may precede full root-cause analysis.
- How to report: Email security@hydra-help.com. We acknowledge within one business day. Vulnerability reports are handled in good faith — we do not pursue legal action against good-faith security research.
Compliance & certifications
- SOC 2 Type II: In progress. Hydra is preparing for a SOC 2 Type II audit. We publish observation-window dates and the auditor name once the engagement begins. Bridge letters and the final report will be available under NDA on request.
- GDPR: Hydra acts as a processor for tenant data. Our Data Processing Addendum is linked below and is incorporated by reference into the Terms of Service. Subject-access requests are supported via the per-contact data export in Settings → Data.
- HIPAA, FedRAMP, ISO 27001: Not in scope today. If your use case requires any of these, email security@hydra-help.com so we can scope the requirement.