Security at HAYANALYSIS

At DCE Infosec LLC, security isn't just our product — it's our foundation. We understand that you're trusting us with access to your security infrastructure, and we take that responsibility seriously.

Deployment Options

HAYANALYSIS offers flexible deployment options to meet your security and compliance requirements:

Tenant Separation (SaaS)

For SaaS deployments, we implement strict multi-tenant isolation:

• Logical Isolation: Each customer's data is logically separated using unique tenant identifiers and access controls.
• Encryption Separation: Each tenant has dedicated encryption keys managed via AWS KMS / Azure Key Vault.
• Network Isolation: Network-level controls and security groups prevent cross-tenant access.
• Compute Isolation: Processing is isolated at the container/instance level per tenant.
• Database Isolation: Tenant data is separated at the schema or database level depending on configuration.
• Audit Logging: All access is logged with tenant context for audit and compliance.

BYODb: Your Data Stays With You

Our Bring Your Own Database (BYODb) architecture is designed with security-first principles:

• No Data Storage: We never store your security logs, event data, or sensitive information on our servers (when using BYODb).
• Real-Time Queries: We query your databases in real-time and process data in memory.
• Your Infrastructure: Your data remains in your controlled environment at all times.
• Zero Data Export: We don't copy, export, or retain your security data.
• Credential Security: Database credentials are encrypted at rest using HSM-backed keys and never logged.

Bring Your Own AI/LLM

Control your AI processing with your own models:

• Supported Providers: Azure OpenAI, AWS Bedrock, Google Vertex AI, OpenAI API, self-hosted models (Ollama, vLLM, etc.).
• Data Privacy: When using your own AI, prompts and responses flow directly between your HAYANALYSIS instance and your AI service — we have no visibility.
• No Training: Your data is never used to train AI models, regardless of which AI service you use.
• Self-Hosted AI: For maximum control, deploy your own LLM infrastructure and connect it to HAYANALYSIS.
• Credential Management: AI API keys are encrypted and stored securely, with optional integration with your secrets manager.

Compliance & Certifications

Infrastructure Security

Encryption

• In Transit: All communications are encrypted using TLS 1.3.
• At Rest: All data is encrypted using AES-256 with tenant-specific keys.
• Key Management: Encryption keys are managed using hardware security modules (HSM) via cloud KMS services.
• Database Credentials: Encrypted at rest and in transit, with support for secrets managers.

Network Security

• Zero-trust network architecture
• Network segmentation and micro-segmentation
• Intrusion detection and prevention systems
• DDoS protection and mitigation
• Web application firewall (WAF)
• Private endpoints available for database and AI service connections

Access Controls

• Multi-factor authentication (MFA) required for all access
• Role-based access control (RBAC) with granular permissions
• Principle of least privilege
• SSO integration (SAML, OIDC) for enterprise identity management
• Regular access reviews and audits
• Automated deprovisioning

Application Security

• Secure Development: We follow secure coding practices and OWASP guidelines.
• Code Reviews: All code changes undergo security review before deployment.
• Dependency Scanning: Automated scanning for vulnerable dependencies.
• Penetration Testing: Regular third-party penetration tests.
• Bug Bounty: We maintain a responsible disclosure program.

Self-Hosted Security

For self-hosted deployments, you have complete control:

• Your Infrastructure: Deploy on your cloud (AWS, Azure, GCP) or on-premise data centers.
• Your Security Controls: Implement your own network security, access controls, and monitoring.
• Your AI: Use your own AI/LLM infrastructure with no external calls.
• Your Databases: All data stays within your environment.
• No Phone Home: Telemetry is optional and can be completely disabled.
• Air-Gapped Support: Available for environments without internet connectivity.

Operational Security

• 24/7 Monitoring: Continuous security monitoring of our SaaS infrastructure.
• Incident Response: Documented incident response procedures with defined SLAs.
• Business Continuity: Disaster recovery and business continuity plans.
• Employee Security: Background checks, security training, and awareness programs.
• Separation of Duties: No single employee has access to all systems.

Vendor Security

We carefully vet all third-party vendors and require:

• SOC 2 or equivalent compliance
• Security questionnaire completion
• Contractual security requirements
• Regular security assessments
• Data processing agreements where applicable

Security Reporting

If you discover a security vulnerability, please report it responsibly:

• Email: security@hayanalysis.com
• PGP Key: Available upon request
• Response Time: We acknowledge reports within 24 hours
• Bug Bounty: We offer rewards for qualifying vulnerabilities

Security Documentation

Enterprise customers can request:

• SOC 2 Type II audit report
• Penetration test executive summary
• Security questionnaire responses (SIG, CAIQ, custom)
• Data processing agreements (DPA)
• Architecture and data flow diagrams
• Tenant isolation technical documentation

Questions?

For security-related inquiries, contact our security team:

DCE Infosec LLC - Security Team
Email: security@hayanalysis.com