Trust & Compliance · Audit-Engaged · FIPS 203/204

Security at Hive Civilization.

Post-quantum-ready from the ground up. FIPS 203 / 204 aligned cryptography. SOC 2 Type 1 audit engagement signed. The controls below are implemented and operational today, not aspirational.

SOC 2 Type 1 — Audit Engaged (honest current state)

What is true today: Hive Civilization has signed a SOC 2 Type 1 audit engagement letter. The engagement letter is available on request under a mutual NDA to qualified prospects. The underlying controls inventory below is implemented and operational. Hive does not yet hold an AICPA SOC 2 report, and Vanta has not yet been deployed as the continuous controls monitoring platform.

What is planned: SOC 2 Type 1 report targeted Q4 2026. ISO 27001 alignment targeted 2027. We will not represent a certification as held until the independent auditor issues the opinion letter.

See our self-attested SOC 2 controls inventory: AICPA TSC 2017 mirrored line by line with our control implementations, evidence references, and a Beyond-SOC-2 addendum covering controls SOC 2 does not measure.

Audit Engagement: Signed
AICPA SOC 2 Report: Q4 2026 Target
ISO 27001: 2026 Alignment
Cryptography: FIPS 203/204 Aligned
Engagement Letter: On Request / NDA

Controls Inventory

Implemented security controls.

Thirty-two controls across six domains. These are operational today, not scheduled. Evidence is available for review under NDA as part of the SOC 2 engagement package.

Access Control (8 controls)

  • Multi-factor authentication required on all production systems and admin tooling, enforced at identity provider level
  • SSO via Google Workspace; no password-only logins permitted on covered systems
  • Role-based access control; least-privilege principle applied at service and data-tier boundary
  • Vendor credentials bound to specific service identities; no shared credentials across services
  • Cryptographic key rotation on a 90-day maximum cycle; keys not rotated within the window are automatically invalidated
  • Hardware security key (FIDO2/WebAuthn) required for administrative access to production Hivemorph admin panel
  • Session timeout enforced: 4 hours inactive, 12 hours absolute; re-authentication required
  • IP allowlist on Hivemorph admin; access from unregistered network ranges is blocked at the CDN layer before reaching origin

Cryptography (6 controls)

  • Ed25519 + ML-DSA-65 hybrid signing scheme; classical and post-quantum signatures issued in parallel during transition period
  • FIPS 203 (ML-KEM-768) and FIPS 204 (ML-DSA-65) aligned implementation; NIST ACVP self-test suite passes on every deployment
  • TLS 1.3 only on all external-facing endpoints; TLS 1.2 and below rejected at the Cloudflare edge
  • HTTP Strict Transport Security (HSTS) with a minimum max-age of 63072000 seconds and includeSubDomains
  • Certificate pinning available via Cloudflare Mutual TLS for enterprise customers requiring additional transport assurance
  • KMS-backed signing keys; private key material never leaves the KMS boundary; all signing operations performed within the KMS

Data Handling (5 controls)

  • Hashes only by default; Hive stores cryptographic digests of agent operations, not the underlying payload, unless the customer contract expressly specifies otherwise
  • PII is never persisted by the platform unless the applicable customer DPA explicitly enables it; zero PII in logs by default
  • EU data residency available on enterprise tier; data routed and stored within EU-region Cloudflare Workers and compatible storage
  • 90-day default retention for operational logs and receipt records; configurable downward on request; automatic deletion at retention boundary
  • Customer-controlled deletion endpoint: authenticated DELETE request removes customer data and all downstream copies within 72 hours
  • Cryptographic deletion proof: every honored deletion request produces a signed Ed25519 + ML-DSA-65 tombstone envelope confirming the data was deleted, the digest of the deleted record set, and the deletion timestamp. The tombstone is anchored on Base L2 so right-to-be-forgotten requests under GDPR Article 17 are not just claimed but cryptographically proven.

Network Security (4 controls)

  • Cloudflare WAF deployed on all public endpoints; custom ruleset tuned for API abuse, credential stuffing, and prompt-injection payloads
  • Cloudflare DDoS protection active at the network and application layer; automatic rate-limiting engages at configurable thresholds
  • TLS-only origins; Cloudflare-to-origin traffic encrypted end-to-end; no plaintext HTTP between edge and application tier
  • No plaintext webhooks; all outbound webhook deliveries use HTTPS with SHA-256 HMAC signature in the X-Hive-Signature header; receivers are expected to verify before processing

Application Security (4 controls)

  • Input validation on all API endpoints; schema-enforced via Zod; malformed payloads rejected before reaching business logic
  • Rate limiting applied per-DID (decentralized identity) and per-IP; burst limits and sustained-rate limits enforced independently at the Workers edge
  • Content Security Policy (CSP) headers set on all HTML responses; disallows inline scripts and restricts third-party script execution
  • Subresource Integrity (SRI) enforced on all third-party scripts loaded by Hive-managed pages; sha384 hash required

Monitoring & Response (5 controls)

  • Uptime monitoring via external synthetic check; alerts to on-call within 2 minutes of availability degradation
  • Error logging via Sentry with structured context; PII fields are scrubbed before ingestion by the Sentry Relay
  • Log retention of 90 days minimum; logs include request ID, DID, endpoint, HTTP status, and response time; no payload bodies
  • Anomaly alerts for authentication spike, unusual receipt volume, and DID key-rotation frequency; threshold-based with manual review on trigger
  • Post-mortem published internally within 5 business days of any Severity-1 incident; customer-facing summary published within the same window

Sub-Processors

Where your data goes.

Hive engages the following sub-processors. Each processor is contractually bound to data protection standards consistent with Hive's customer DPA. Customer notification of material sub-processor changes is provided with 30 days advance notice.

Processor | Purpose | Region | Compliance
Render | Compute infrastructure, API hosting, background workers | US East (Oregon) | render.com/security
Cloudflare | CDN, WAF, DDoS protection, Workers edge compute, DNS | Global (Anycast) | cloudflare.com/trust-hub
Stripe | Payment processing, subscription billing, invoicing | US (Stripe Inc.) | stripe.com/privacy
Mercury | Operating banking, treasury, ACH disbursements | US (FDIC-insured) | mercury.com/legal/privacy
GitHub | Source code hosting, CI/CD, issue tracking | US (GitHub, Inc.) | github.com/privacy
AWS S3 via Render | Object storage for receipts, evidence bundles, log archives | US East (us-east-1) | aws.amazon.com/compliance

Vulnerability Disclosure

Responsible disclosure policy.

Hive Civilization welcomes security researchers. We commit to a fair, transparent disclosure process.

Contact

[email protected]

Encrypt sensitive reports using our PGP key, available on request at the address above. Provide sufficient detail to reproduce the issue. Do not access customer data beyond what is necessary to demonstrate the vulnerability.

Disclosure Timeline

Initial acknowledgement: within 2 business days of receipt
Triage decision: within 7 business days
Remediation target: 30 days for critical; 90 days for medium/low
Coordinated public disclosure: 90-day window from report receipt; extensions available by mutual agreement

Scope

In scope: thehiveryiq.com and all subdomains, Hive API endpoints, Cloudflare Workers serving hive-signed receipts, Hivemorph admin panel. Out of scope: third-party sub-processors, social engineering, denial-of-service testing, automated scanning without prior approval.

Hall of Fame

Researcher | Finding | Date
First responsible disclosure reporter will appear here.

We do not offer monetary bounties at this time. We commit to public acknowledgement, coordinated disclosure, and a letter of commendation for valid critical findings.

Penetration Testing

Testing posture.

Annual Third-Party Pen Test (Scheduled, Q3 2026)

External penetration test by an independent firm is scheduled for Q3 2026. This is not yet complete. Results will be available in summary form to enterprise customers under NDA following remediation.

Internal Red-Team Exercises (Active, monthly)

Monthly internal red-team exercises covering authentication bypass, privilege escalation, and API abuse scenarios. Exercises are conducted by the founder against staging environments and documented in the internal security log.

NIST ACVP Self-Test (Passing, every deploy)

The Wave-Lattice cryptographic substrate runs the NIST Automated Cryptographic Validation Protocol self-test suite on every deployment. Results are published on the audit-readiness endpoint at /hive-pq.html.

Incident Response

Runbook and SLAs.

Six-phase incident response process. Severity definitions are public. Customer notification SLAs are contractual obligations, not aspirational targets.

Phase 1, Detection: automated alert or researcher report identifies anomaly.
Phase 2, Triage: severity classified; incident lead assigned; stakeholders notified.
Phase 3, Contain: access revoked or isolated; blast radius scoped.
Phase 4, Eradicate: root cause removed; indicators of compromise cleared.
Phase 5, Recover: service restored; monitoring confirmed clean before re-opening.
Phase 6, Post-Mortem: root cause, timeline, and corrective actions published within 5 business days.

Severity | Definition | Customer Notification | Post-Mortem
Sev 1 | Complete service outage, confirmed data breach, or cryptographic key compromise | 1 hour | 5 business days
Sev 2 | Significant performance degradation, partial service disruption, or potential data exposure | 4 hours | 5 business days
Sev 3 | Minor functionality impacted; no data risk; workaround available | Next business day | Optional

Incident status updates published at status.thehiveryiq.com during active incidents. Subscribe for email or webhook alerts.

Compliance Assistance

We meet your procurement process.

Enterprise procurement and security questionnaires do not have to be a bottleneck. Hive commits to fast turnaround on standard documentation requests.

Shared Assessments SIG

Full SIG Lite and SIG Core responses available. Turnaround within 5 business days of NDA execution.

CSA CAIQ

Cloud Security Alliance Consensus Assessment Initiative Questionnaire completed and available under NDA.

Custom Questionnaires

Enterprise-specific security questionnaires addressed within 5 business days. Contact us with your template.

Data Processing Addendum

Hive standard DPA template available immediately. Redlines reviewed within 5 business days. GDPR and CCPA clauses included.

Master Service Agreement

Hive standard MSA template available on request. Enterprise-negotiated terms available for contracts above threshold.

Technical Security Briefing

Live 60-minute security architecture walkthrough available for enterprise prospects. Schedule via [email protected].

For Toby Pischl (Netskope) and Cloudflare procurement: the SOC 2 engagement letter is available on request under a mutual NDA. Contact [email protected] directly with your organization and questionnaire template.

Security Roadmap

Certifications timeline.

These are our genuine targets. We will not represent a certification as complete until the independent body issues the credential.

SOC 2 Type 1 (Now to Q4 2026; underway)

Audit engagement signed. Controls inventory implemented. Report expected Q4 2026.

SOC 2 Type 2 (Q3 2027; planned)

12-month observation period begins after Type 1 report. Type 2 report target Q3 2027.

ISO 27001 (2027; planned)

ISMS documentation and gap analysis underway. Certification audit targeted 2027 in parallel with SOC 2 Type 2 observation period. See the ISO 27001 self-attested posture page.

FedRAMP Moderate (2028; future)

FedRAMP Moderate authorization targeted 2028 for government and regulated-sector deployments. Requires SOC 2 Type 2 as a prerequisite.

Key-Person Risk

Founder risk, addressed.

Hive Civilization is a single-founder operation today. We address key-person risk transparently through documented controls, not by obscuring the reality. The founder-risk page details treasury continuity, code escrow, legal succession, and the insurance roadmap.

Read the founder-risk disclosure.

Contact Security

Reach the security team.

For vulnerability reports, questionnaire requests, NDA execution, or enterprise security reviews, reach us below. We respond within 2 business days.