Legal / Compliance

Security policy.

The minimum security standards for Hydrate products and the infrastructure that supports them. Written to be short enough to actually read.

Version 1.0 · Effective: 2026-04-24 · Next review: 2027-04-24 · Owner: Seamus Waldron · Covers: SOC2 CC1, CC2

1. Access control

Named access only

Production infrastructure (Mac Mini, Cloudflare, GitHub) is accessible only to named individuals with a documented need. No shared accounts.

Least privilege

Roles grant only the permissions required for the task. Read-only collaborators do not get admin rights.

Quarterly review

Access is reviewed at the end of each quarter. See Access Review for the full procedure.

Offboarding

Accounts of former contributors are revoked within 24 hours of departure. Credentials they had access to are rotated.

2. Credential and key management

Storage

API keys, signing certificates, and service credentials are stored in 1Password (team vault) or as GitHub encrypted secrets. Never committed to source control.

Rotation

API keys rotated annually or immediately on suspected compromise. Signing certificates rotated per their validity period. Any credential believed compromised is rotated within one hour.

Key generation

Code signing and GPG keys are generated on a dedicated machine where practical. Key material is not stored on shared systems.

Session scrubbing

The internal/scrubber package redacts common secret patterns, including AWS keys, OpenAI and Anthropic API keys, GitHub tokens, Stripe keys, Google API keys, Slack tokens, PEM blocks, and DSN passwords, from captured Claude Code session data before any storage or LLM processing. This prevents accidental capture of developer credentials.

3. Patch and dependency policy

CI scanning

Go dependencies are scanned with govulncheck on every CI run. Known vulnerabilities block release unless formally risk-accepted with a written rationale.

Critical CVEs

CVSS ≥ 9.0 patched within 7 days of disclosure. High CVEs (CVSS 7.0-8.9) patched within 30 days.

Infrastructure

OS and Docker base images on the Mac Mini are updated monthly. Container images are rebuilt from updated bases and redeployed.

4. Responsible disclosure

External security researchers report vulnerabilities to [email protected] (also published in /.well-known/security.txt). We acknowledge within 48 hours and provide a substantive response within 10 business days. We do not take legal action against researchers acting in good faith and following coordinated disclosure. CVSS score and timeline are agreed with the reporter before public disclosure.

Internal incidents follow the Incident Response Plan.

5. Data handling

User data is handled according to the data classification and retention schedules documented in Data Handling. Session transcripts and extracted facts are classified Restricted. They are not shared with third parties except as described in the Privacy Policy, specifically session narrative text sent to the user's configured LLM provider for extraction (Pro tier only, with the user's own API key).

The secrets scrubber runs before any LLM call. No secret patterns are knowingly transmitted to third-party APIs.

6. Physical security

Developer devices

Development work is conducted on personal devices with full-disk encryption enabled (macOS FileVault). Devices are locked when unattended.

Production server

The Mac Mini production server is located in a physically secured, access-controlled location. Remote access requires Tailscale with device authentication; SSH is not exposed to the public internet.

7. Exceptions

Exceptions to this policy require written approval from Seamus Waldron, documented in the incident log with a time-bound expiry and a compensating control. No open-ended exceptions are permitted.

Contact

[email protected]: responsible disclosure
[email protected]: compliance enquiries