Compliance.
How Hydrate handles security, data, and regulatory obligations. Written for procurement teams, InfoSec reviewers, and enterprise customers. Not a marketing summary. Specific, honest, and versioned.
Last updated: 2026-04-24 · Sedasoft Ltd, United Kingdom
Documentation index
EU AI Act
Exhaustive tier-by-tier assessment under Regulation (EU) 2024/1689.
Risk classification, Article 5 prohibited practices, Article 50 transparency obligations,
GDPR interface, and customer obligations.
Privacy & AI Transparency
What Hydrate processes, why, for how long, and where it goes.
Covers data controller / processor roles by tier, GDPR data subject rights, and
the exact AI systems involved.
Security Policy
Access control, credential management, dependency patching,
responsible disclosure, secrets scrubbing in session capture, and physical security.
Covers the baseline controls for the product and its infrastructure.
Data Handling
Data flow diagrams for Free/Pro and Enterprise tiers.
Data classification schema (Public → Restricted), retention periods, GDPR Art. 30
records of processing, and the third-party APIs that touch user data.
Incident Response
P1-P4 severity classification, five-step response procedure,
GDPR 72-hour regulatory notification obligations, user notification templates,
and the incident log format.
Vendor Risk
DPA status, sub-processor lists, breach notification SLAs,
and risk ratings for OpenAI, Anthropic, Cloudflare, and GitHub. Payment processor
assessment pending vendor selection.
Risk Assessment
Seven risks assessed on likelihood × impact.
Secrets in transcripts, prompt injection, SSRF via BYOK endpoint, supply chain,
unauthorised API access, data retention, and EU AI Act reclassification.
Mitigations and residual scores documented.
Access Review
Who has access to production infrastructure, GitHub, secrets,
and the Cloudflare account. Quarterly review procedure, least-privilege verification,
offboarding trigger, and credential rotation schedule.
Contact
For procurement reviews, Data Processing Agreements, or specific compliance questions:
- [email protected]: legal and compliance
- [email protected]: enterprise sales and pre-sales
- [email protected]: responsible disclosure
These documents are Sedasoft's good-faith interpretation of applicable regulations. They do not constitute legal advice. Enterprise customers with specific regulatory requirements should obtain independent legal advice from qualified counsel.