Security & Policy

Learn how Hexamind Platform protects customer data and how vulnerability reporting and coordinated response are handled.

Security Architecture

As a security SaaS platform, Hexamind applies isolation, data protection, and auditability as core design principles.

Customer Data Protection

Projects and analysis results are isolated per organization. The platform is designed so that data from one organization cannot be mixed with or accessed by another.

All data uploaded to the platform is stored securely, with protection measures applied according to data sensitivity.

Tenant-scoped isolation
Protected data storage
Protected analysis results
Access by authorized scope

Data Used for AI Analysis

Supply chain analysis data only: the system focuses on SBOMs, component inventories, versions, licenses, and vulnerability identifiers.

Personal data is excluded from the AI analysis scope: information such as names, email addresses, and contact details is not part of the analysis dataset.

Full internal system details are not the default analysis scope: the platform aims to use the minimum information needed for supply chain judgment.

Hexamind AI is designed to help teams understand software supply chain risk, not to inspect people or unrelated organizational activity.

Audit Logs

Audit logs are a core control mechanism in the Hexamind Platform security framework. They satisfy the accountability requirements of information security certifications such as ISMS-P and ISO 27001, and serve as evidence for post-incident analysis and root cause identification.

Audit logs provide continuous verification that access control policies are being upheld within the organization, and are maintained in a form that can be produced for both internal audits and external regulatory reviews without delay.


Data Protection Principles for Analysis

This section summarizes the core principles Hexamind AI follows when handling analysis data.

Source code is not stored as a long-term raw corpus: the focus is on SBOMs and component metadata needed for judgment.

Artifacts are stored securely: uploaded files and analysis results are accessible only to authorized users within the owning organization.

Supply chain analysis data is the core input: component inventories, versions, licenses, and vulnerability identifiers drive the analysis.

Personal and broad organizational data are excluded: the service is not intended to analyze people or unrelated enterprise data.

Because open source usage itself is part of regulatory and assurance scope, SBOMs and audit trails become meaningful evidence.

Summary

Hexamind AI is centered on open source inventories and supply chain analysis data. It is designed to avoid treating full source code, personal data, or broad organizational secrets as analysis targets.

Vulnerability Disclosure Policy

If you discover a security issue in Hexamind Platform, please report it responsibly.

How to Report a Vulnerability

Please report vulnerabilities to [email protected].

In Scope

Security vulnerabilities found in Hexamind Platform itself, whether encountered through normal usage or during authorized evaluation, are within scope. All evaluation activity must remain within the bounds of applicable law and the platform terms of service.

Legal Notice and Prohibited Conduct

Any activity conducted under the guise of security research that involves (1) unauthorized access to user data, accounts, or systems, (2) intentional disruption or damage to services, or (3) exploitation, unauthorized disclosure, or sale of discovered vulnerabilities may constitute a criminal offense under the Act on Promotion of Information and Communications Network Utilization and Information Protection, the Criminal Act, and other applicable laws. Hexamind will report suspected unauthorized access to law enforcement without delay and will pursue all available civil and criminal remedies.