Security & Policy

Learn how Hexamind Platform protects customer data and how vulnerability reporting and coordinated response are handled.

Security Architecture

As a security SaaS platform, Hexamind applies isolation, data protection, and auditability as core design principles.

Customer Data Protection

Analyzed software and derived artifacts are managed in isolated customer contexts so they are not mixed with projects or outputs from other organizations.

Uploaded artifacts, SBOMs, and reports are stored in protected storage layers, and sensitive data can be handled with additional controls according to policy.

• Tenant-scoped isolation

• Protected data storage

• Protected analysis results

• Access by authorized scope

Data Used for AI Analysis

Supply chain analysis data only: the system focuses on SBOMs, component inventories, versions, licenses, and vulnerability identifiers.

Personal data is excluded from the AI analysis scope: information such as names, email addresses, and contact details is not part of the analysis dataset.

Full internal system details are not the default analysis scope: the platform aims to use the minimum information needed for supply chain judgment.

Hexamind AI is designed to help teams understand software supply chain risk, not to inspect people or unrelated organizational activity.

Audit Logs

Key platform actions are recorded in a way that supports security and compliance audits. This makes it possible to review, after the fact, who did what and when.

• Creation: projects, artifacts, and analysis jobs

• Changes: status transitions and configuration updates

• Deletion: removal of key resources

• Sharing and exports: reports, artifacts, and share link operations

Data Protection Principles for Analysis

This section summarizes the core principles Hexamind AI follows when handling analysis data.

Source code is not stored as a long-term raw corpus: the focus is on SBOMs and component metadata needed for judgment.

Artifacts are stored in protected locations: uploaded files and analysis results are managed in protected storage.

Supply chain analysis data is the core input: component inventories, versions, licenses, and vulnerability identifiers drive the analysis.

Personal and broad organizational data are excluded: the service is not intended to analyze people or unrelated enterprise data.

Because open source usage is itself within regulatory and assurance scope, SBOMs and audit trails serve as meaningful evidence.

Summary

Hexamind AI is centered on open source inventories and supply chain analysis data. It is designed to avoid treating full source code, personal data, or broad organizational secrets as analysis targets.

Vulnerability Disclosure Policy

If you discover a security issue in Hexamind Platform, please report it responsibly.

How to Report a Vulnerability

Please report vulnerabilities to [email protected].

In Scope

• Hexamind Platform web application

• API endpoints

• TrustBOM public verification pages

• Authentication issues

Out of Scope

• Denial-of-service activity

• Social engineering attacks

• Already-disclosed third-party issues

• Test-only environment misconfigurations

Response Process

• Acknowledgement: confirm receipt and assign ownership

• Validation: verify the issue internally and assess severity

• Remediation: develop and deploy a fix

• Disclosure: publish details after patching is complete

Responsible Reporting Expectations

Please avoid accessing other users’ data, intentionally disrupting services, or exploiting the issue during testing.