Skip to content

Security & compliance

This page states what Hekkos actually does today — the same honesty rules as the rest of the site. Questions or anything unclear: info@hekkos.com.

Tenant isolation

  • Every database query is scoped to your organization — a hard invariant validated by cross-org integration tests. Chat, MCP tools, and search never see another tenant’s content.
  • Retrieval additionally respects per-document access controls; repos can be excluded from the knowledge index entirely (exclude_from_knowledge in .hekkos.yml).
  • Staff access is the single sanctioned exception: read-only “view as” sessions on short-lived tokens where every write is rejected, and every operator action is audit-logged.

What Hekkos can touch — and what it can’t

  • The GitHub App requests least-privilege permissions: repository contents (read), pull requests (write — the suggestion PRs), commit statuses (write — the opt-in merge gate), metadata and members (read), email addresses (read — login identity). Nothing else.
  • Analysis is static: Hekkos reads what’s committed in your repos. It never connects to your running services, databases, or cloud accounts.
  • Suggest-only: every change Hekkos proposes arrives as a pull request your team reviews and merges. Nothing is committed on your behalf.

Encryption & platform security

  • Stored secrets (API keys, OAuth client secrets) are encrypted with AES-256-GCM; keys are write-only — never returned by any API — and decrypted only in memory.
  • Webhooks (GitHub, Stripe) are signature-verified (HMAC) before any payload is processed. Sessions use httpOnly cookies; there are no passwords.
  • Sign-in is GitHub OAuth, or OIDC SSO (Okta, Azure AD, Google Workspace) on Enterprise.

Data handling & retention

  • Your content stays org-scoped and is never pooled or used for training without your explicit consent. Any cross-org export capability is restricted to operators and audit-logged.
  • Secrets are scrubbed from anything Hekkos stores (token patterns, keys, high-entropy strings). Scrubbing is best-effort secret-redaction — treat it as defense in depth, not a guarantee.
  • Stored content expires automatically after 180 days.
  • Self-serve data export (secret-free JSON) and org deletion (full purge, typed-name confirmation) are built into the dashboard — no support ticket needed.

Security testing

  • An adversarial security review (five independent passes) covered injection, tenant isolation, webhook authentication, cryptography, OAuth/OIDC flows, and secret handling; the issues it found were fixed and re-verified.
  • The authorization surface is exercised end-to-end by an automated test suite against a real running server, including cross-org isolation assertions; the backend test suite runs race-detected in CI.
  • Found something? Report it privately — see Support — with SECURITY in the subject. We acknowledge within one business day and ask that you don’t open public issues for security reports.

Self-hosting: the strongest guarantee

For organizations that can’t send code anywhere: run Hekkos on your own infrastructure with a local model. Air-gap friendly, license verified offline, no phone-home — nothing leaves your environment. See the self-hosted install guide.

Compliance status — honestly

We do not yet hold formal certifications (SOC 2, ISO 27001), and we won’t claim badges we haven’t earned. What we offer instead is everything above, plus: a DPA, self-serve export and deletion, 180-day content expiry, and the self-hosted option that keeps your data entirely under your control. If your procurement process needs specific answers, email info@hekkos.com — we answer security questionnaires directly.