H
HLOS Docs

Security Model

How HLOS keeps your secrets safe

View as Markdown

Security is the foundation of HLOS. Every design decision prioritizes keeping your API keys and credentials protected, from storage to access to AI integration.

The HLOS Security Guarantee

Your secrets are encrypted, access-controlled, and never exposed to AI. When you use HLOS with AI assistants like Cursor or Claude, the AI sees secret metadata—names, providers, rotation status—but never the actual values.

Security Features

End-to-End Encryption

All secrets are encrypted using AES-256-GCM before storage. We use Google Secret Manager as the underlying vault, which provides hardware security module (HSM) backed key management.

Zero-Value Exposure for AI

Our MCP integration is designed so AI assistants can help manage secrets without ever seeing the actual values. The AI sees metadata, names, and providers—never plaintext secrets.

Rotation Tracking

Set rotation policies per secret. HLOS tracks key age and alerts you when secrets are overdue for rotation, helping you maintain security hygiene automatically.

Team Scopes & RBAC

Role-based access control lets you define who can view, edit, or manage secrets. Scopes (development, staging, production) further restrict access by environment.

Audit Logging

Every access to every secret is logged. See who accessed what, when, and from where. Export logs for compliance reviews or security audits.

SOC 2 Type II (Roadmap)

We are working toward SOC 2 Type II certification to provide enterprise-grade attestation of our security controls and practices.

Encryption Details

  • AES-256-GCM encryption at rest
  • TLS 1.3 encryption in transit
  • Keys managed by Google Cloud KMS (FIPS 140-2 Level 3)
  • Secret values never stored in logs or analytics
  • Automatic key rotation in the underlying vault

Bring Your Own Keys (BYOK)

HLOS supports two modes: using our managed provider accounts or bringing your own API keys. With BYOK, you maintain full control over your provider relationships while getting HLOS's security, sync, and AI integration benefits.

  • Store your own API keys securely in HLOS
  • Use your existing provider accounts
  • No markup on API usage—just platform fee
  • Keys never leave your vault until runtime injection

Access Control Model

Roles

  • Owner — Full access, can delete spaces and manage billing
  • Admin — Manage secrets, users, and settings
  • Member — View and use secrets within authorized scopes
  • Viewer — Read-only access to secret metadata

Scopes

  • Development — Local dev and testing
  • Staging — Pre-production environments
  • Production — Live systems (strictest access)

Questions?

Security is an ongoing commitment. If you have questions about our security practices, need custom compliance documentation, or want to discuss enterprise requirements, we're here to help.

Contact Security Team