How does Hubity encrypt my data?

All stored data is encrypted using AES-256-GCM with unique initialization vectors per record. Sensitive fields like salary and personal data use a separate encryption key with step-up authentication. All connections use TLS 1.3 with HSTS preloading.

How does authentication work in Hubity?

Hubity uses passwordless login with magic link email codes (15-minute expiration). We also support passkeys (WebAuthn/FIDO2), TOTP-based two-factor authentication, and OAuth SSO with Google or Microsoft.

Where is Hubity hosted and how is data isolated?

Hubity is hosted on SOC 2 Type II certified infrastructure. All data is processed and stored in the United States. Company data is logically isolated with row-level access controls to prevent cross-company data leakage.

Does Hubity use my data to train AI models?

No. Queries sent to our AI providers are not retained beyond the request lifecycle and are never used to train models. Hubity only collects data required to provide the service with no behavioral tracking beyond product analytics.

What happens to my data if I cancel my account?

Customer data is fully deleted within 30 days of account cancellation.

How do I report a security vulnerability?

Email security@hubity.io with details. Hubity acknowledges all reports within 48 hours, does not pursue legal action against good-faith researchers, and recognizes valid vulnerability reporters with permission.

Trust Center

Last reviewed: March 2026

Hubity is built with enterprise-grade security at its core. This page documents how we protect your data, who is responsible, and what your rights are.

Active

Encryption at Rest

Active

Encryption in Transit

Available

Multi-Factor Auth

Active

Audit Logging

Active

Privacy Rights

In Progress

SOC 2 (In Progress)

Our Commitment

Core

Security is not an afterthought at Hubity. It is embedded in every layer of our architecture - from encrypted field storage to authenticated file access to granular role-based permissions. We hold ourselves to the same standards we help HR teams enforce for their own data.

Data Encryption

Active

Encryption at rest: All stored data, including messages, documents, feedback, and personal information, is encrypted at rest using enterprise-grade encryption with unique keys per record

Field-level encryption: Sensitive fields (salary, SSN, personal data) use a separate encryption key from general data, with step-up authentication required for access

Encryption in transit: All connections use the latest transport encryption standards. Insecure connections are rejected

Key management: Encryption keys are derived using industry-standard key derivation and stored separately from encrypted data. Key rotation is supported without data re-encryption

Email privacy: Email addresses are encrypted at rest with additional protections to prevent exposure in the event of unauthorized access

File access: Uploaded files are served through an authenticated proxy. Raw storage URLs are never exposed to clients

Authentication

Active

Passwordless login: Magic link email codes with 15-minute expiration - no passwords to phish or breach

Passkeys: Hardware security key and biometric authentication (fingerprint, face) fully supported

Two-factor authentication: Authenticator app-based 2FA with encrypted secret storage and hashed recovery codes

OAuth SSO: Sign in with Google or Microsoft (Entra ID) for enterprise single sign-on

Session management: Encrypted, secure session tokens with cross-site protection and automatic expiration

Step-up authentication: Sensitive data (salary, PII) requires recent re-authentication within a 15-minute window before access is granted

Infrastructure

Active

Hosting: Enterprise-certified hosting provider with automatic failover, global edge network, and zero-downtime deployments

Database: Enterprise-grade database with encryption at rest, continuous backups, and point-in-time recovery up to 7 days

Network Protection: Enterprise-grade DDoS protection, bot management, and edge caching

Data isolation: Company data is logically isolated with row-level access controls. Cross-company data leakage is prevented at the query layer

File storage: Documents are stored in encrypted cloud storage with server-side authenticated access only

Access Control

Active

Role-based access: Six-tier permission hierarchy: employee, HR, manager, admin, owner, and viewer. Every action enforces role requirements

Audit logging: All significant actions are logged with encrypted details including IP, user agent, and action context. Logs are retained for 6 years

Rate limiting: All authentication and sensitive operations are rate-limited to prevent abuse

Input validation: Server-side validation on all inputs, including file type verification for uploads and data format validation

Application Security

Active

Content Security Policy: Strict browser security policies prevent code injection and unauthorized resource loading

Sensitive data detection: Automatic detection and rejection of SSNs, credit card numbers, passwords, and API keys in knowledge base inputs

Dependency management: Dependencies are tracked and updated regularly. Security advisories are reviewed and acted on promptly

Error handling: Internal error details are never exposed to clients. Errors are logged securely for internal review

Data Handling

Active

Data residency: All data is processed and stored in the United States

Data minimization: We only collect data required to provide the service. No behavioral tracking beyond product analytics

Processing: Queries sent to our processing providers are not retained beyond the request lifecycle and are never used to train models

Deletion: Customer data is deleted within 30 days of account cancellation. Encrypted backups are purged within 90 days

Compliance

In Progress

European Privacy RightsActive

Access, correction, deletion, and data export rights supported

California Privacy RightsActive

Consumer privacy rights honored including right to know, delete, and opt out

Sensitive Data ProtectionActive

Field-level encryption, authenticated access, long-term audit retention

SOC 2 Type IIIn Progress

Infrastructure providers certified. Self-assessment in progress

Accessibility

Hubity is committed to meeting recognized accessibility standards across all user-facing surfaces.

Keyboard navigation: All interactive elements are reachable via keyboard with visible focus indicators

Screen reader support: Labels, roles, and live regions for assistive technology compatibility

Semantic HTML: Proper heading hierarchy, landmark regions, and form labels throughout

Color contrast: Text and UI elements meet WCAG AA contrast ratios in both light and dark themes

Skip navigation: Skip-to-content link provided for keyboard users to bypass repetitive navigation

Responsive design: Fully usable on mobile, tablet, and desktop with touch and pointer input support

To report an accessibility barrier, contact [email protected].

Vulnerability Disclosure

We welcome responsible security research. If you discover a vulnerability, please report it to [email protected].

Response time: We acknowledge all reports within 48 hours

Safe harbor: We do not pursue legal action against good-faith researchers

Recognition: Valid vulnerability reporters are acknowledged with permission

In scope: hubity.io and its associated services

Out of scope: Third-party services, social engineering, denial-of-service

Our full security policy is published at /.well-known/security.txt

Connector Security Compliance

Active

Mapping against the OWASP MCP Top 10 framework for connector and agent security.

MCP01Token Mismanagement & Secret ExposureMitigated

Tokens stored as one-way hashes. Credentials encrypted with unique initialization vectors per record. Plaintext shown once at generation, never retrievable. Secrets never logged or included in error responses.

MCP02Privilege Escalation via Scope CreepMitigated

Scoped tokens with explicit read-only permissions. Per-client capability manifests restrict available tools. Write operations require multi-level approval workflows with dual-control for sensitive actions.

MCP03Tool PoisoningMitigated

All connector tool results are scanned for injection patterns, command execution, and data exfiltration before storage or return. Connector capabilities require explicit administrator approval.

MCP04Supply Chain & Dependency TamperingMitigated

Provenance tracking with cryptographic signatures on all ingested data. Content integrity verified via hash chains. Connector health monitored continuously with automatic quarantine on failure.

MCP05Command Injection & ExecutionMitigated

All tool inputs validated server-side. Database queries are parameterized. No shell execution from connector data. Content scanning detects threats in encoded payloads before processing.

MCP06Prompt Injection via Contextual PayloadsMitigated

Prompt injection detection on all connector-sourced content. Sensitive and classified content excluded from tool responses. Content truncation limits at 50,000 characters.

MCP07Insufficient Authentication & AuthorizationMitigated

OAuth 2.1 with PKCE. Proof-of-possession token binding. Enterprise SSO via identity provider federation. Token introspection endpoint for real-time validation. Multi-tenant isolation at every layer.

MCP08Lack of Audit & TelemetryMitigated

Every tool call, token operation, and access decision is logged. Tamper-evident audit trail with cryptographic hash chain. Signed audit export bundles for external compliance review.

MCP09Shadow ServersMitigated

Connector registration requires manager-level authorization. All connectors tracked in company inventory with health monitoring. Unused connectors auto-flagged. No default or shared credentials.

MCP10Context Injection & Over-SharingMitigated

Strict tenant isolation prevents cross-company data access. Sensitive, confidential, and health-classified content excluded from all responses. Personal data scanning with automatic redaction.

Security Contact

For security inquiries, compliance questions, or to report a concern:

Hubity
[email protected]