HiddenLayer is the leading provider of Security for AI. Its security platform helps enterprises safeguard the machine learning models behind their most important products. HiddenLayer is the only company to offer turnkey security for AI that does not add unnecessary complexity to models and does not require access to raw data and algorithms. Founded by a team with deep roots in security and ML, HiddenLayer aims to protect enterprise’s AI from inference, bypass, extraction attacks, and model theft. The company is backed by a group of strategic investors, including M12, Microsoft’s Venture Fund, Moore Strategic Ventures, Booz Allen Ventures, IBM Ventures, and Capital One Ventures.
HiddenLayer is committed to safeguarding our customers’ data and ensuring the utmost confidentiality through our operational practices. We constantly strive to exceed industry standards and employ best practices that prioritize the protection of sensitive information through our data, systems and confidentiality processes.
Service Organization Control 2 (SOC 2)
Type II Compliant
SOC 2 stands as the gold standard in reporting, established by the American Institute of Certified Public Accountants (AICPA) and held in high regard by both customers and their third-party auditors. Within a SOC 2 report, the controls of a service organization’s offerings are thoroughly examined, with a particular focus on key pillars such as security, availability, processing integrity, confidentiality, and privacy.
HiddenLayer, Inc. and our Machine Learning Detection & Response System has met SOC 2 Type II standards regarding the suitability of the design and operation effectiveness of its controls relevant to security, availability and confidentiality.
DATA SECURITY
- Data at Rest: All data stores containing customer data, along with S3 buckets, are encryption at rest. This advanced encryption ensures that your data is shielded before it enters our databases. This means that neither physical access nor logical access to the database can compromise the confidentiality of your most sensitive information.
- Data in Transit: We utilize TLS 1.2 or higher across all data transmitted over potentially insecure networks. Additionally, we employ Virtual Private Networks (VPNs) to maximize the security of our data in transit. Server TLS keys and certificates, managed by AWS, are deployed through Application Load Balancers, ensuring robust protection.
- Secret Management: Our encryption keys are managed using the AWS Key Management System (KMS), stored within Hardware Security Modules (HSMs). This approach prevents any direct access by any individuals, including Amazon and Vanta employees.The keys stored in HSMs are used for encryption and decryption via Amazon’s KMS APIs. Application secrets are securely encrypted and stored via AWS Secrets Manager and Parameter Store, and access to these values is strictly limited.
SYSTEM SECURITY
- User Authorization: Our system is designed with features and configurations that control user access, limiting access to only the information necessary for each of our employee’s roles.
- Intrusion Detection: To protect against security attacks originating outside of the boundaries of our system, we deploy intrusion detection systems that actively prevent and identify potential threats.
- Vulnerability Scans and Penetration Tests: We conduct regular vulnerability scans over the system and network, and penetration tests over the production environment.
- Incident Management: Regular vulnerability scans over the system and network, and penetration tests over the production environment.
- Encryption Technologies: Encryption technologies are employed both at rest and in transit to protect customer data.
- Use of Data Retention and Data Disposal
- Uptime Availability of Production Systems
CONFIDENTIALITY
- Encryption Technologies: Utilization of encryption technologies to protect system data both at rest and in transit.
- Confidentiality Agreements: Our employees, contractors, and third parties are bound by confidentiality and non-disclosure agreements.
- Confidential Information: Only used for the purposes explicitly stated in agreements between HiddenLayer and user entities.
- Availability Commitments include, but are not limited to:
- System performance and availability monitoring mechanisms to help ensure the consistent delivery of the system and its components.
- Responding to customer requests in a reasonably timely manner.
- Business continuity and disaster recovery plans that include detailed instructions, recovery point objectives (RPOs), recovery time objectives (RTOs), roles, and responsibilities.
- Operational procedures supporting the achievement of availability commitments to user entities.
To report a vulnerability, please contact us at [email protected].
For more information, see our Vulnerability Disclosure Policy.