← Back to Hivek

Security

Last updated: June 10, 2026

Our Commitment

At Hivek, security is foundational to everything we build. As an AI infrastructure company, we understand that our clients trust us with sensitive business data, AI models, and critical workflows. We take that responsibility seriously.

Infrastructure Security

Data in Transit

All data transmitted between clients and our systems is encrypted using TLS 1.2 or higher. Our API endpoints enforce HTTPS exclusively — plaintext HTTP connections are automatically redirected.

Data at Rest

Sensitive data stored in our databases and file systems is encrypted at rest. Database credentials, API keys, and secrets are managed through environment variables and are never stored in source code.

Server Infrastructure

  • Dedicated server infrastructure with restricted access.
  • Firewall rules configured to allow only necessary traffic.
  • SSH access restricted by key-based authentication — password authentication is disabled.
  • Regular security updates and patch management.
  • Process isolation: services run under dedicated, least-privilege system users.

Application Security

Authentication & Authorization

  • JWT-based authentication with configurable token expiration.
  • Role-based access control (RBAC) for administrative interfaces.
  • Password hashing using industry-standard algorithms (bcrypt).
  • Secure password reset flows with time-limited, single-use tokens.

Input Validation & Protection

  • Server-side input validation and sanitization on all API endpoints.
  • Protection against common web vulnerabilities: SQL injection, XSS, CSRF.
  • Rate limiting on authentication endpoints to prevent brute-force attacks.
  • CORS policies configured to allow only authorized origins.

AI & Agent Security

Building AI infrastructure introduces unique security considerations. Our approach includes:

  • Prompt injection defense: input filtering and output validation on all agent interactions to prevent adversarial prompt manipulation.
  • Data isolation: client data is logically separated. Agents operate within the boundaries of their assigned context and cannot access data from other clients.
  • Human-in-the-loop: critical agent actions require human approval before execution, preventing unintended consequences.
  • Audit logging: all agent actions, decisions, and data accesses are logged for transparency and forensic review.
  • Model access controls: API keys to LLM providers are scoped and rotated regularly. We do not store model provider credentials alongside application data.

Development Practices

  • Code review required for all changes before deployment.
  • Automated CI/CD pipelines with build validation.
  • Dependency scanning and regular updates to address known vulnerabilities.
  • Secrets are never committed to version control — environment-based configuration only.
  • Principle of least privilege applied to all system and service accounts.

Incident Response

In the event of a security incident, our process includes:

  1. Detection and containment: identify and isolate affected systems immediately.
  2. Assessment: determine the scope, impact, and root cause.
  3. Notification: inform affected clients within 72 hours of confirmed data exposure, in compliance with Mexican data protection law (LFPDPPP).
  4. Remediation: fix the vulnerability, restore affected services, and implement preventive measures.
  5. Post-mortem: document findings and update security practices accordingly.

Responsible Disclosure

If you discover a security vulnerability on our website or systems, we appreciate your help in disclosing it responsibly. Please report it to contact@hivek.tech with:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce the issue.
  • Your contact information for follow-up.

We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to address it. We will acknowledge your report within 48 hours and work with you to resolve it.

Compliance

Our security practices are aligned with:

  • LFPDPPP: Mexico's Federal Law on Protection of Personal Data Held by Private Parties.
  • OWASP Top 10: industry-standard web application security risks.
  • Industry best practices for cloud infrastructure and AI system security.

Contact

For security-related questions or to report a vulnerability: