Security at Hopx
SOC 2 • ISO/IEC 27001 • ISO 9001:2015
Last updated: November 10, 2025
1) Security Overview
Hopx provides secure, isolated runtimes for AI agents and software execution using Firecracker micro-VMs. Security is built into our architecture (compute isolation, strict network policies), our SDLC (secure development lifecycle), and our operations (continuous monitoring, incident response, and third-party audits).
2) Compliance & Certifications
SOC 2 — independent assessment of security, availability, and confidentiality controls over an evaluation period.
ISO/IEC 27001 — certified Information Security Management System (ISMS) covering people, processes, and technology.
ISO 9001:2015 — certified Quality Management System (QMS) for consistent service delivery and continual improvement.
Copies of certificates or bridge letters are available under NDA upon request: security@hopx.ai.
3) Data Security (Encryption, Keys, Secrets)
Encryption in transit: TLS 1.2+ everywhere; HSTS on public endpoints.
Encryption at rest: Customer data and logs are encrypted at rest using industry-standard ciphers.
Key management: Managed KMS with strict access controls and audit trails; periodic key rotation.
Secrets management: Service credentials and API keys are stored in a dedicated secrets manager with least-privilege access and rotation policies.
4) Application Security (SDLC, SAST/DAST, reviews)
Secure SDLC: Threat modeling for new features, security requirements in product specs, mandatory code review.
Automated scanning: Static analysis (SAST), dependency checks (SBOM and CVE monitoring), and container/micro-VM image scanning.
Change management: CI/CD with signed artifacts, approvals, and environment separation (dev/stage/prod).
Configuration hardening: Security baselines and guardrails enforced by policy.
5) Infrastructure & Isolation (micro-VMs, network, regions)
Compute isolation: Each sandbox runs inside a Firecracker micro-VM for kernel-level isolation (stronger than containers).
Network controls: Segmented VPCs, security groups/ACLs, optional egress controls per sandbox, and WAF/CDN protection on public surfaces.
Multi-region: Low-latency regional deployment (see status page) with per-region isolation; customers may choose regions for execution and data.
Hardening: Minimal host surface area, immutable images for hosts where feasible, principle of least privilege across infra.
(We host on leading cloud providers and leverage their certified data centers and platform controls.)
6) Identity, Access & Authentication (SSO/MFA/RBAC)
Customer auth: Support for SSO (e.g., OIDC/SAML) and enforced MFA for privileged actions (where configured).
Roles & permissions: Fine-grained RBAC for projects, APIs, and runtime operations (create/pause/resume/snapshot).
Internal access: Just-in-time elevation, least-privilege IAM, short-lived credentials, and mandatory MFA for staff.
7) Logging, Monitoring & Detection
Audit logs: Administrative and runtime actions (create/execute/snapshot/pause), authentication events, API usage.
Observability: Centralized metrics, logs, and traces with automated alerts on anomalies and policy violations.
Detection & response: Playbooks for triage, escalation, containment, forensics, and post-incident review.
8) Vulnerability Management & Penetration Testing
Vuln management: Continuous scanning of images, libraries, and hosts with SLA-based remediation by severity.
Penetration testing: Regular third-party tests covering external and (scoped) internal surfaces; executive summary available upon request.
Patch cadence: Critical security patches may be deployed immediately; routine updates follow change-control windows.
9) Business Continuity & Disaster Recovery
Backups: Encrypted backups of control-plane data with tested restores.
Redundancy: Highly available control plane; regional failover where applicable.
RTO/RPO: Target objectives are documented internally; specific enterprise SLAs available on qualifying plans.
10) Data Residency, Retention & Deletion
Residency: Execute and store data in the region(s) you select where supported.
Retention: Operational and security logs retained per policy (typically 12–36 months); billing records per statutory requirements.
Deletion: Customer Content inside sandboxes is deleted per your instructions, lifecycle settings, or upon account closure after a standard grace period.
12) Subprocessors
We use carefully vetted subprocessors (infrastructure, monitoring, email, support). The current list and locations are maintained at: https://hopx.ai/legal/subprocessors. We provide prior notice of material changes as set out in our DPA.
13) Responsible Disclosure Policy (Safe Harbor)
We value collaboration with security researchers.
Scope
All Hopx production services and APIs under hopx.ai and associated subdomains (excluding purely marketing sites with no sensitive data).
How to report
Email security@hopx.ai with a clear description, affected endpoints, reproduction steps, and any proof-of-concept. Please include the IPs, timestamps, and tools used where possible. We will acknowledge receipt within 7 business days.
Safe harbor
We will not pursue legal action for good-faith research that:
- avoids privacy violations, service degradation, data destruction, and unlawful access;
- limits testing to your own accounts or accounts with explicit permission;
- immediately reports discovered PII/secrets to us, ceases testing, and permanently deletes any copies.
Please do not:
- Perform DoS/DDoS, spam, or resource-exhaustion attacks;
- Social-engineer our staff or customers;
- Access, modify, or exfiltrate data you do not own;
- Target physical facilities or 3rd-party providers outside our control.
Disclosure
Allow us reasonable time to remediate before any public disclosure. We'll keep you updated on progress and can provide recognition (non-monetary) where appropriate.
14) Contact
Security: security@hopx.ai
Privacy: privacy@hopx.ai
Status page: https://status.hopx.ai
Certificates & reports (under NDA): security@hopx.ai