humanOShumanOS

Security at humanOS

Your data powers your optimization — and protecting it is our highest priority. Enterprise-grade security built into every layer of the platform.

🔒AES-256 Encryption
SOC 2 Compliant
99.9% Uptime SLA
🇪🇺GDPR Ready

Our Commitment

Security isn't a feature — it's the foundation everything else is built on.

humanOS processes some of the most personal data imaginable — your daily schedules, energy patterns, goals, health metrics, and life priorities. We understand the weight of that responsibility.

Our security program is designed around the principle of defense in depth: multiple overlapping layers of protection so that no single point of failure can compromise your data. From the way we encrypt your information, to how our AI models process it, to how our team accesses infrastructure — every decision is made with security as the primary consideration.

We hold ourselves to the same standards expected of enterprise software, because your personal data deserves nothing less.

Data Encryption

Your data is encrypted at every stage — in motion and at rest.

Encryption in Transit

All data transmitted between your device and our servers is protected using the latest security protocols.

  • TLS 1.3 for all connections — older protocols are disabled
  • HTTP Strict Transport Security (HSTS) enforced
  • Certificate pinning for mobile applications
  • Perfect Forward Secrecy (PFS) ensuring past sessions stay protected

Encryption at Rest

All stored data — including your schedules, preferences, and AI models — is encrypted using industry-leading standards.

  • AES-256 encryption for all database records and file storage
  • Encryption keys managed via dedicated key management service (KMS)
  • Automatic key rotation on a regular schedule
  • Encrypted backups stored in geographically separate regions

Infrastructure Security

Built on battle-tested cloud infrastructure with multiple layers of protection.

Cloud Infrastructure

Hosted on SOC 2 Type II compliant cloud providers with ISO 27001 certification, physical security controls, and 24/7 monitoring.

High Availability

99.9% uptime SLA backed by redundant systems, automatic failover, load balancing, and multi-region backup replication.

Network Security

Web Application Firewall (WAF), DDoS protection, network segmentation, and intrusion detection systems protect against external threats.

Database Security

PostgreSQL databases run in private subnets with no public access. All queries are parameterized to prevent SQL injection.

Logging & Monitoring

Comprehensive audit logging, real-time alerting, and anomaly detection across all infrastructure components and application layers.

Disaster Recovery

Automated daily backups with point-in-time recovery. Disaster recovery plan tested quarterly with documented recovery time objectives.

Authentication & Access Control

Multiple layers of identity verification and access management protect your account.

User Authentication

Secure Password Handling

Passwords are hashed using bcrypt with unique salts. We never store plaintext passwords and enforce minimum complexity requirements.

JWT Session Management

Sessions are managed via signed JWT tokens with short expiry (24 hours), stored in httpOnly secure cookies to prevent XSS theft.

Multi-Factor Authentication

MFA support via authenticator apps (TOTP) adds a second layer of protection beyond your password. Available on all plan tiers.

Session Controls

View active sessions, revoke access from any device, and receive alerts for sign-ins from unrecognized locations or devices.

Internal Access Control

Principle of Least Privilege

Team members only have access to the systems and data necessary for their role. All access is reviewed quarterly.

Role-Based Access Control (RBAC)

Granular permissions ensure that engineering, support, and operations teams have appropriate but limited access scopes.

Audit Trail

Every access to production systems and user data is logged with timestamps, action details, and the identity of the accessor.

Background Checks

All employees with access to production infrastructure undergo background checks and sign confidentiality agreements.

AI Model Security

How your data is handled within our AI processing pipeline — with isolation and privacy at every step.

Per-User Data Isolation

Your personal optimization model is completely isolated from other users. No user can access or influence another user's data or AI recommendations.

No Cross-User Training

Your individual data is never used to train AI models for other users. Only fully anonymized, aggregated data (which cannot be linked back to you) may be used to improve platform-wide algorithms.

Secure Processing Environment

AI model inference runs in isolated compute environments with no persistent storage of intermediate results. Processing data is discarded after recommendations are generated.

Input Validation & Sanitization

All data entering AI processing pipelines is validated and sanitized to prevent prompt injection, data poisoning, and other AI-specific attack vectors.

Model Versioning & Rollback

AI models are versioned and monitored for accuracy and safety. If anomalies are detected, we can immediately roll back to a previous stable version.

Audits & Compliance

Regular testing, industry certifications, and regulatory compliance keep our security posture strong.

Security Testing

  • Penetration Testing

    Annual third-party penetration tests conducted by independent security firms, with remediation tracked to completion.

  • Vulnerability Scanning

    Automated scanning runs continuously across our application and infrastructure, with critical findings addressed within 24 hours.

  • Code Reviews

    All code changes undergo mandatory peer review with security-focused checklists before deployment to production.

  • Dependency Auditing

    Third-party dependencies are continuously monitored for known vulnerabilities and updated promptly.

Certifications & Compliance

  • SOC 2 Type II

    Our infrastructure providers maintain SOC 2 Type II certification. humanOS is pursuing its own SOC 2 certification.

  • GDPR

    We comply with the EU General Data Protection Regulation, including data subject rights, lawful processing, and data protection impact assessments.

  • CCPA

    We comply with the California Consumer Privacy Act, including the right to know, delete, and opt out of data sales.

  • OWASP Top 10

    Our development practices are aligned with OWASP guidelines to protect against the most critical web application security risks.

Incident Response

A clear, tested plan for detecting, containing, and communicating security incidents.

1

Detection & Triage

Automated monitoring and alerting systems detect anomalies in real time. On-call engineers assess severity within 15 minutes of an alert.

2

Containment

The incident response team isolates affected systems to prevent further impact. Affected services are secured before investigation proceeds.

3

Investigation & Resolution

Root cause analysis identifies the source and scope of the incident. Fixes are developed, tested, and deployed with urgency proportional to severity.

4

Notification

Affected users are notified within 72 hours of confirmed data breaches, as required by GDPR and applicable law. We provide clear details about what happened and what actions users should take.

5

Post-Incident Review

Every incident results in a post-mortem review. Findings are documented, preventive measures are implemented, and the incident response plan is updated accordingly.

Responsible Disclosure

We welcome security researchers who help us keep humanOS safe.

If you discover a security vulnerability in humanOS, we ask that you disclose it responsibly by contacting us at security@humanos.ai. Please include:

  • A detailed description of the vulnerability and its potential impact.
  • Steps to reproduce the issue (proof of concept if possible).
  • Your contact information for follow-up questions.

Our commitment to you:

  • We will acknowledge your report within 2 business days.
  • We will provide a timeline for resolution and keep you informed of progress.
  • We will not pursue legal action against researchers acting in good faith.
  • We will credit you publicly (with your permission) once the issue is resolved.

Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it. We are working toward establishing a formal bug bounty program — stay tuned for updates.

Data Retention & Deletion

You stay in control of your data throughout its lifecycle.

Active Account

Your data is retained as long as your account is active. You can export or delete specific data at any time through your account settings.

Account Deletion

When you delete your account, all personal data and AI optimization models are permanently deleted within 30 days. Backups are purged within 90 days.

Legal Retention

Certain data (e.g., billing records) may be retained as required by law. This data is minimal and stored separately from your account data.

For full details, see our Privacy Policy.

Security Inquiries

Have security questions or need to report a concern? We're here to help.

Security Reports
security@humanos.ai
Privacy Inquiries
privacy@humanos.ai
General Support
support@humanos.ai
Contact Us