Skip to main content
FeaturesFree cardIndustriesPricingSecuritySign inStart free

Trust Center

Last reviewed: July 2026

Hubity is built with enterprise-grade security at its core. This page documents how we protect your data, who is responsible, and what your rights are.

Active
Encryption at Rest
Active
Encryption in Transit
Available
Multi-Factor Auth
Active
Audit Logging
Active
Privacy Rights
In Progress
SOC 2 (In Progress)
Our Commitment
Core

Security is not an afterthought at Hubity. It is embedded in every layer of our architecture - from encrypted field storage to authenticated file access to granular role-based permissions. We hold ourselves to the same standards we help HR teams enforce for their own data.

Data Encryption
Active
Encryption at rest: All data is encrypted at rest using the AES-256 standard
Field-level encryption: Sensitive fields (salary, personal data) receive an additional layer of encryption using a separate key, with a unique initialization vector per record and step-up authentication required for access
Encryption in transit: All connections use the latest transport encryption standards. Insecure connections are rejected
Key management: Encryption keys are derived using industry-standard key derivation and stored separately from encrypted data. Key rotation is supported without data re-encryption
Email privacy: Email addresses are encrypted at rest with additional protections to prevent exposure in the event of unauthorized access
File access: Uploaded files are served through an authenticated proxy. Raw storage URLs are never exposed to clients
Authentication
Active
Passwordless login: Magic link email codes with 15-minute expiration - no passwords to phish or breach
Passkeys: Hardware security key and biometric authentication (fingerprint, face) fully supported
Two-factor authentication: Authenticator app-based 2FA with encrypted secret storage and hashed recovery codes
OAuth SSO: Sign in with Google or Microsoft (Entra ID) for enterprise single sign-on
Session management: Encrypted, secure session tokens with cross-site protection and automatic expiration
Step-up authentication: Sensitive data (salary, personal data) requires recent re-authentication before access is granted
Infrastructure
Active
Hosting: Enterprise-grade hosting infrastructure with automatic failover, global edge network, and zero-downtime deployments
Database: Enterprise-grade database with encryption at rest, continuous backups, and point-in-time recovery
Network Protection: Enterprise-grade DDoS protection, bot management, and edge caching
Data isolation: Each company's data is logically isolated. Strict tenant isolation prevents any cross-organization data access
File storage: Documents are stored in encrypted cloud storage with server-side authenticated access only
Access Control
Active
Role-based access control: Granular, least-privilege roles govern every action. Duties are separated: a dedicated IT and security administrator role manages authentication, integrations, and audit without access to HR, finance, or compensation data, and a finance role is scoped to financial data without company-administration powers
Audit logging: All significant actions are recorded in a tamper-evident audit log secured by a cryptographic hash chain, capturing source IP, device, and action context. Records are retained for at least six years
Rate limiting: All authentication and sensitive operations are rate-limited to prevent abuse
Input validation: Server-side validation on all inputs, including file type verification for uploads and data format validation
Application Security
Active
Content Security Policy: Strict browser security policies prevent code injection and unauthorized resource loading
Sensitive data detection: Automatic detection of SSNs, credit card numbers, passwords, and API keys in knowledge base inputs. Live credentials are blocked, and other sensitive data is quarantined and excluded from AI retrieval
Dependency management: Dependencies are tracked and updated regularly. Security advisories are reviewed and acted on promptly
Error handling: Internal error details are never exposed to clients. Errors are logged securely for internal review
Data Handling
Active
Data residency: Data is primarily processed and stored in the United States. EU data residency is available on Enterprise plans
Data minimization: We only collect data required to provide the service. No behavioral tracking beyond product analytics
Processing: Queries sent to our processing providers are not retained beyond the request lifecycle and are never used to train models
Deletion: Customer data is deleted after account cancellation in line with our Data Processing Agreement, and backups age out on a rolling schedule thereafter
Compliance
In Progress
European Privacy RightsActive
Access, correction, deletion, and data export rights supported
California Privacy RightsActive
Consumer privacy rights honored including right to know, delete, and opt out
Sensitive Data ProtectionActive
Field-level encryption, authenticated access, long-term audit retention
SOC 2 Type IIIn Progress
Infrastructure providers certified. Self-assessment in progress
Accessibility

Hubity is committed to meeting recognized accessibility standards across all user-facing surfaces.

Keyboard navigation: All interactive elements are reachable via keyboard with visible focus indicators
Screen reader support: Labels, roles, and live regions for assistive technology compatibility
Semantic HTML: Proper heading hierarchy, landmark regions, and form labels throughout
Color contrast: Text and UI elements meet WCAG AA contrast ratios in both light and dark themes
Skip navigation: Skip-to-content link provided for keyboard users to bypass repetitive navigation
Responsive design: Fully usable on mobile, tablet, and desktop with touch and pointer input support

To report an accessibility barrier, contact [email protected].

Vulnerability Disclosure

We welcome responsible security research. If you discover a vulnerability, please report it to [email protected].

Response time: We acknowledge all reports within 48 hours
Safe harbor: We do not pursue legal action against good-faith researchers
Recognition: Valid vulnerability reporters are acknowledged with permission

In scope: hubity.io and its associated services

Out of scope: Third-party services, social engineering, denial-of-service

Our full security policy is published at /.well-known/security.txt

Connector Security Compliance
Active

Mapping against the OWASP MCP Top 10 framework for connector and agent security.

MCP01 Token Mismanagement & Secret ExposureMitigated
Tokens stored as one-way hashes. Credentials encrypted with unique initialization vectors per record. Plaintext shown once at generation, never retrievable. Secrets never logged or included in error responses.
MCP02 Privilege Escalation via Scope CreepMitigated
Scoped tokens with explicit read-only permissions. Per-client capability manifests restrict available tools. Write operations require multi-level approval workflows with dual-control for sensitive actions.
MCP03 Tool PoisoningMitigated
All connector tool results are scanned for injection patterns, command execution, and data exfiltration before storage or return. Connector capabilities require explicit administrator approval.
MCP04 Supply Chain & Dependency TamperingMitigated
Provenance tracking with cryptographic signatures on all ingested data. Content integrity verified via hash chains. Connector health monitored continuously with automatic quarantine on failure.
MCP05 Command Injection & ExecutionMitigated
All tool inputs validated server-side. Database queries are parameterized. No shell execution from connector data. Content scanning detects threats in encoded payloads before processing.
MCP06 Prompt Injection via Contextual PayloadsMitigated
Prompt injection detection on all connector-sourced content. Sensitive and classified content excluded from tool responses. Content length limits applied to tool responses.
MCP07 Insufficient Authentication & AuthorizationMitigated
OAuth 2.1 with PKCE. Proof-of-possession token binding. Enterprise SSO via identity provider federation. Token introspection endpoint for real-time validation. Multi-tenant isolation at every layer.
MCP08 Lack of Audit & TelemetryMitigated
Every tool call, token operation, and access decision is logged. Tamper-evident audit trail with cryptographic hash chain. Signed audit export bundles for external compliance review.
MCP09 Shadow ServersMitigated
Connector registration requires manager-level authorization. All connectors tracked in company inventory with health monitoring. Unused connectors auto-flagged. No default or shared credentials.
MCP10 Context Injection & Over-SharingMitigated
Strict tenant isolation prevents cross-company data access. Sensitive, confidential, and health-classified content excluded from all responses. Personal data scanning with automatic redaction.
Security Contact

For security inquiries, compliance questions, or to report a concern:

Hubity
[email protected]

Enterprise security review? Request our security package (our SOC 2 report when available, the Data Processing Agreement, and completed security questionnaires) under NDA at the address above.

Better work, together.

See every job, invoice, proposal, and document in one place, and ask it anything, with the answer cited from your own files.

Start free

Free forever on Starter. Paid plans include a free trial. No credit card needed to start.

Hubity keeps your company's knowledge in one place, so your whole team can find answers, stay aligned, and do their best work.

Product

FeaturesKnowledgeTodayAnswersWatchlistVoiceTeam

Explore

IndustriesIntegrationsFree cardPlans & PricingChangelog

Company

Why UsPressContactStatus

Legal

Terms of ServicePrivacy PolicySecurityDPAAccessibilityPrivacy Request
© 2026 Hubity. All rights reserved.
Privacy PolicyTerms of ServiceDo Not Sell or Share My Personal Information