
Security Practices

Effective 2026-04-28 · Last updated 2026-04-28 · CUI Labs (Pte.) Ltd.

This document describes the program-level security practices CUI Labs follows in operating Bee. Customer-facing technical detail is on the /security page; this page is intended for procurement, vendor-risk, and audit teams.

1. Cryptography

  • API path: TLS 1.3 minimum.
  • Data at rest: AES-256-GCM with per-tenant data-encryption keys wrapped under a per-tenant key-encryption key. Hive plan and above support customer-managed keys (CMK).
  • Key rotation: tenant DEKs at least every 90 days; KEKs every 12 months or on a personnel-departure trigger.

2. Identity, authentication, and access

  • Customer authentication: email/password, OAuth (Google, GitHub, Microsoft), SSO/SAML on Hive+. MFA available for all tiers; required for Hive+ admins.
  • Operator authentication: hardware-backed FIDO2 (WebAuthn) is the only path to production access. No long-lived static credentials in production.
  • Operator access: just-in-time, audited, time-bounded, with a written reason. Reviewed quarterly.

3. Secrets and key management

Production secrets are stored in dedicated secret managers (per-environment), never in source control. CI uses short-lived OIDC-issued credentials. Secret-scanning runs on every push to detect accidental disclosure.

4. Vulnerability management

  • Dependency scanning runs on every CI build (npm, pip).
  • Static analysis (SAST) runs on every change set.
  • External penetration tests performed at least annually for production cloud surfaces; remediation timelines: critical 7 days, high 30 days, medium 90 days.
  • Bug bounty / responsible-disclosure program runs via the security inbox; safe-harbour terms published.

5. Logging, monitoring, and audit

Authentication events, admin actions, and material data accesses are logged centrally; logs are tamper-evident and retained per the Privacy Policy. Workspace audit logs (Hive+) are exposed to customers.

6. Incident response

  • On-call coverage 24/7 via the operations team.
  • Severity classification: SEV-1 (customer impact, data exposure), SEV-2 (degraded service), SEV-3 (single-tenant impact), SEV-4 (no customer impact).
  • Customer notification of data breaches within 72 hours of confirmation. Public post-mortems for SEV-1 within 14 days.

7. Personnel

Background checks where permitted by local law. Annual security-awareness training. Confidentiality obligations survive termination. Production access removed within 1 hour of role change.

8. Physical security

Production workloads run on Modal serverless infrastructure (primary inference) and on AWS Singapore (data plane). HuggingFace hosts model cards and dataset metadata only — no live workloads. We rely on the host providers' physical-security controls, which include 24/7 staffed perimeters, multi-factor access, and CCTV.

9. Vendor management

Sub-processors are listed in Schedule A of the DPA. We assess each for SOC 2 / ISO 27001 / equivalent attestations, data-protection terms, and termination provisions before onboarding. Material changes go through the changelog with at least 14 days' notice.

10. Vulnerability disclosure

Reach us at bee-security@cuilabs.io. We acknowledge within 24 hours and aim to remediate critical vulnerabilities within 7 days. RFC 9116 contact published at /.well-known/security.txt. PGP key on request. We commit not to pursue legal action against good-faith researchers.

11. Attestations

Parent CUI Labs (Pte.) Ltd. holds CSA STAR Level 1; ISO 27001 track in progress. SOC 2 Type II is on the 2026 roadmap. Procurement-grade evidence available under NDA via the security address.

Questions about this document? Contact bee-security@cuilabs.io. Service of process: bee-legal@cuilabs.io (CUI Labs (Pte.) Ltd., Singapore).

Counter-signed copies on request. The text on this page is the canonical published version. For procurement teams that need a counter-signed copy of the Terms, DPA, or Order Form, email bee-legal@cuilabs.io. Where there is conflict between this page and an executed counter-signed agreement, the counter-signed agreement controls.

CUI Labs (Pte.) Ltd. · Singapore · cuilabs.io

See evidence index →