Trust & Security

How we protect your data

Hexis is a governance platform — we take our own data governance seriously. This page describes where your data lives, how it is protected, and what happens when AI processes it.

Data residency

All Hexis platform data is stored in the European Union. We use Supabase as our infrastructure provider, deployed in the Frankfurt (eu-central-1) region.

Provider: Supabase (PostgreSQL)
Region: Frankfurt, Germany (eu-central-1)
Encryption at rest: AES-256
Encryption in transit: TLS 1.3
Certifications: SOC 2 Type II

AI data handling

Hexis uses the Anthropic Claude API to provide AI-powered compliance guidance. Here is exactly what happens with your data when AI features are used.

What we send to the API

System metadata (name, purpose, risk level), governance assessment scores, and obligation status. We do not send operational data, documents, or personally identifiable information beyond what you enter in the platform.

What Anthropic does with it

Per the Anthropic API Terms of Service, data sent via the API is not used for model training. Anthropic may retain API inputs for up to 30 days for safety monitoring, after which they are deleted.

AI model: Claude (Anthropic)
API key location: Server-side only — never exposed to browsers
Training opt-out: Automatic — API usage is excluded from training
Disclaimer: All AI outputs include a disclaimer that they do not constitute legal advice

GDPR compliance

Hexis processes minimal personal data. The platform handles governance metadata about AI systems — not the operational data those systems process.

Data minimisation: We collect only what is needed: email, name, organisation name, and system metadata
Right of access: Export your data anytime from Settings
Right to erasure: Delete your account and all associated data (CASCADE deletion)
Data portability: Export compliance data as PDF or structured format
DPA: Data Processing Agreement available on request ([email protected])

Access control

Every database query is scoped to your organisation. Row Level Security (RLS) is enforced at the database level — not just in application code.

Authentication

Email + password or Google OAuth. Sessions use short-lived JWTs refreshed automatically. Email verification is required for all accounts.

Organisation isolation

RLS policies on every table ensure users can only read and write data belonging to their own organisation. Cross-tenant data access is architecturally impossible.
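The following is an added illustration, not Hexis's own schema or policies, of what "RLS enforced at the database level" and "organisation isolation" look like in PostgreSQL as run behind Supabase. The table and column names (organisations, organisation_members, ai_systems) and the helper my_organisation_ids() are assumptions made for the example; auth.uid() is the Supabase helper that returns the authenticated user's id from the request JWT, so the block assumes a Supabase project (on plain PostgreSQL you would substitute a read of the session's JWT claims). The ON DELETE CASCADE clauses also show the mechanism behind the "CASCADE deletion" mentioned under GDPR compliance.

```sql
-- Added example, not Hexis's own schema. Demonstrates per-organisation Row Level
-- Security in PostgreSQL/Supabase. Table, column and function names are assumed;
-- auth.uid() is the Supabase helper reading the user id ("sub") from the request JWT.

create table organisations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Membership table: which users belong to which organisation.
create table organisation_members (
  organisation_id uuid not null references organisations(id) on delete cascade,
  user_id         uuid not null,   -- matches auth.users.id in Supabase
  primary key (organisation_id, user_id)
);

-- Governance metadata about an AI system (name, purpose, risk level), scoped to one organisation.
create table ai_systems (
  id              uuid primary key default gen_random_uuid(),
  organisation_id uuid not null references organisations(id) on delete cascade,
  name            text not null,
  purpose         text,
  risk_level      text
);

-- Enable RLS and FORCE it so the policies apply even to the table owner:
-- a bug in application code then cannot read across the tenant boundary.
alter table ai_systems enable row level security;
alter table ai_systems force row level security;

-- Helper returning the organisations the calling user belongs to.
-- SECURITY DEFINER lets it consult the membership table without that table
-- needing a permissive policy of its own; search_path is pinned to avoid hijacking.
create or replace function my_organisation_ids()
returns setof uuid
language sql
security definer
stable
set search_path = public
as $$
  select organisation_id from organisation_members where user_id = auth.uid();
$$;

-- One policy per command so the WITH CHECK clause on writes is explicit:
-- a user cannot insert a row into, or move a row into, an organisation
-- they are not a member of.
create policy ai_systems_select on ai_systems
  for select using (organisation_id in (select my_organisation_ids()));

create policy ai_systems_insert on ai_systems
  for insert with check (organisation_id in (select my_organisation_ids()));

create policy ai_systems_update on ai_systems
  for update
  using      (organisation_id in (select my_organisation_ids()))
  with check (organisation_id in (select my_organisation_ids()));

create policy ai_systems_delete on ai_systems
  for delete using (organisation_id in (select my_organisation_ids()));

-- Check from a psql session (constructed user id): impersonate the API role with a
-- JWT claim, then confirm only that tenant's rows are visible. Uncomment to run.
-- set role authenticated;
-- set request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
-- select count(*) from ai_systems;   -- counts only rows in this user's organisations
-- reset role;
```

Two design points worth noting. Every policy is keyed on organisation membership rather than on the user id directly, so a row's visibility follows the tenant, not the individual who created it. And because the check lives in the database, any client path (the web app, a direct API call, an ad-hoc query) hits the same filter; a test that runs the commented-out verification for a user in organisation A and asserts zero rows from organisation B is the quickest way to confirm the isolation claim holds after each schema change.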

Built by a practitioner

Hexis is built by an ISO/IEC 42001 Lead Implementer and IAPP member with hands-on experience in AI governance implementation. The platform reflects real-world compliance needs, not theoretical checklists.

Credentials: ISO/IEC 42001 Lead Implementer, IAPP AIGP candidate
Methodology: ORIENT — a structured 6-step governance process
Legal references: All article numbers verified against Regulation (EU) 2024/1689 official text

Security contact

If you discover a security vulnerability or have questions about our data handling practices, contact us directly.

Email: [email protected]
Response time: Security issues: 24 hours. General enquiries: 48 hours.