Security is the product, not a checkbox.
HiveKey exists to shrink the blast radius of AI agents. The same rigor we ask of your agents, we apply to ourselves: least privilege, encryption everywhere, and an enforcement model with no way around it.
Every action passes through the gate.
HiveKey sits in the path of every action an agent takes. The policy check runs before the action — not after, not from a sampled log. If a role didn't grant it, it never happens, and the attempt is still recorded.
- Deny by default — agents have zero standing capability.
- The check is in-path; there is no out-of-band bypass.
- Allowed or denied, every attempt lands in one immutable log.
- Revocation is instant across every action and secret.
Policy gate (in-path)
Action denied. Secret never left the vault. Attempt written to the audit trail with the responsible human attached.
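A minimal sketch of the enforcement model described above, added here as an illustration and not HiveKey's code or API: a deny-by-default gate that checks the grant before the action runs, records every attempt with the responsible human, and injects the secret only into an allowed upstream call. All names (PolicyGate, agent-7, crm_key) are hypothetical, and the hash-chained list is an assumed stand-in for the immutable log.

```python
import hashlib
import json

class PolicyGate:
    """Hypothetical in-path gate; illustrative names, not HiveKey's API."""
    def __init__(self, vault):
        self._vault = vault   # secret name -> value, never handed to agents
        self._grants = {}     # agent -> set of (action, secret) pairs
        self._owners = {}     # agent -> responsible human
        self.log = []         # append-only, hash-chained audit records

    def grant(self, agent, owner, action, secret):
        self._owners[agent] = owner
        self._grants.setdefault(agent, set()).add((action, secret))

    def revoke(self, agent):
        # Dropping the grant set cuts every action and secret at once.
        self._grants.pop(agent, None)

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, agent, action, verdict):
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        entry = {"agent": agent, "owner": self._owners.get(agent),
                 "action": action, "verdict": verdict, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.log.append(entry)

    def perform(self, agent, action, secret, upstream):
        # The check runs before the action; no matching grant means deny.
        if (action, secret) not in self._grants.get(agent, set()):
            self._record(agent, action, "deny")
            return None
        self._record(agent, action, "allow")
        # The secret goes to the upstream call only; the agent sees the result.
        return upstream(self._vault[secret])

    def verify_log(self):
        # Recompute the chain; any edited or reordered record breaks it.
        prev = "0" * 64
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != self._digest(body):
                return False
            prev = e["hash"]
        return True

def demo():
    gate = PolicyGate({"crm_key": "sk-constructed-123"})  # constructed secret
    gate.grant("agent-7", "alice@example.com", "crm.read", "crm_key")
    ok = gate.perform("agent-7", "crm.read", "crm_key", lambda k: k.startswith("sk-"))
    denied = gate.perform("agent-7", "crm.delete", "crm_key", lambda k: k)
    gate.revoke("agent-7")
    after = gate.perform("agent-7", "crm.read", "crm_key", lambda k: k)
    return ok, denied, after, [e["verdict"] for e in gate.log], gate.verify_log()
```

The denied and post-revocation calls return nothing to the agent, yet both still appear in the log alongside the allowed one.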
How we protect your data.
Four pillars we hold our own platform to — the same standard we enforce on your agents.
Encryption everywhere
TLS 1.2+ for everything in transit. AES-256 at rest for action logs, policy, and metadata. Keys managed in a dedicated KMS with regular rotation.
Tenant isolation
Logical isolation per tenant by default; dedicated isolation on Scale. Every query is scoped to your tenant — no cross-tenant reads, ever.
Credential vaulting
Upstream API keys, OAuth tokens, and secrets are encrypted, never returned in plaintext to agents, and injected only at the moment of an allowed action.
Least privilege by default
Agents start with zero capability. Every action is denied unless a role explicitly grants it — and the grant is the narrowest scope that works.
We hold as little as we can.
The audit trail is the point — but we keep it lean. By default we record what happened and who's accountable, not the contents of every payload.
Data minimization
We log the action, the verdict, and the responsible identity — not the full contents of your payloads unless you opt in for inspection.
Configurable retention
Set how long action logs live; Scale can pin custom windows and data residency by region.
Encrypted backups
Point-in-time backups are encrypted at rest and access-controlled with the same isolation as live data.
Your keys, your control
Upstream credentials stay vaulted; revoke an agent and its access to every secret is cut instantly.
Built on hardened ground.
Private networking, locked-down egress, and a secure development lifecycle — so the control plane is as defensible as the controls it enforces.
Hardened cloud
Built on hardened cloud infrastructure with private networking, locked-down egress, and no public data stores.
In-path gateway
Enforcement is on the action path — there is no out-of-band route an agent can take to skip a policy check.
Continuous monitoring
Infra and application telemetry with alerting; suspicious agent behavior surfaces in the same audit trail you export.
Secure SDLC
Code review, dependency scanning, and least-privilege CI. Secrets never live in source.
Where we are on certifications.
HiveKey is pre-launch. The statuses below are honest about what's in progress versus what we're designing toward — nothing here claims a certification we don't hold.
- SOC 2 Type II: In progress
- ISO 27001: Designed for
- GDPR: Aligned
- HIPAA: Ready (roadmap)
Full status and document requests live in the Trust Center.
Found something? Tell us first.
We welcome reports from security researchers. Disclose in good faith and we'll acknowledge quickly, keep you updated, and credit you once a fix ships. Please don't access other tenants' data or run disruptive tests.
Want the security details for your review?
We'll share our security overview, answer your questionnaire, and walk your team through the enforcement model under NDA.