Security Overview

Hatch

Last reviewed: 6 May 2026

We take the security of our customers' data seriously. This page summarizes the technical and organizational measures we use to protect the Service. For full contractual commitments, refer to your Master Services Agreement and Data Processing Agreement, or contact our team.

Architecture and infrastructure

  • The Service runs on Amazon Web Services (AWS) and a managed application platform. Our cloud provider holds ISO 27001, SOC 2, and other relevant certifications.
  • All customer documents are stored in AWS S3 buckets with private access controls. Access requires authenticated, time-limited URLs.
  • Our database uses PostgreSQL with pgvector for embeddings, hosted in a managed environment with automated backups.
  • Production environments are isolated from development and staging environments.

Encryption

  • In transit: All connections to the Service use TLS 1.2 or higher.
  • At rest: Customer documents and database backups are encrypted using AES-256 (or equivalent) provided by our cloud and storage providers.
  • Passwords: Stored as bcrypt hashes. We never store passwords in plain text.

Authentication and access

  • End users authenticate with email and password; sessions use signed JSON Web Tokens (JWTs).
  • Inside our company, access to production systems is limited to a small number of authorized personnel and uses individual accounts.
  • We follow least-privilege principles for internal access. Access is reviewed periodically and revoked promptly when an employee leaves or changes role.

API and AI provider security

  • Our AI providers (OpenAI, ElevenLabs) are accessed over authenticated HTTPS APIs.
  • We use enterprise-API access where available so that customer data is not used to train AI models.
  • Per-organization usage limits prevent abuse of expensive AI calls.

Data isolation

  • Each organizational customer's documents, generated content, and chunks are scoped by org_name in the database and by prefix in S3.
  • Access checks are performed on every API request. Workers can only see materials assigned to their role.

Logging and monitoring

  • Authentication, administrative actions, and document access are logged.
  • Logs are retained according to our Data Retention Policy and used for security investigations and operational troubleshooting.
  • We monitor for unusual patterns and respond to alerts.

Backups and resilience

  • Database backups run on the schedule provided by our managed database service. We test restoration periodically.
  • We aim for 99.5% monthly availability of the Service. Specific service-level commitments are set out in our SLA.

Vulnerability management

  • We track known vulnerabilities in our dependencies and apply security patches.
  • Internal code review is required for changes to authentication, authorization, and data-access code.
  • We welcome responsible disclosure of security issues — please email hatch.officiall@gmail.com with details. We will acknowledge within 5 business days and work with you to address verified issues.

Incident response

We maintain an internal Incident Response Plan. If we become aware of a security incident affecting customer data, we will:

  1. Investigate and contain the incident
  2. Notify affected customers without undue delay (typically within 48 hours of confirmation)
  3. Notify the relevant data-protection authorities within 72 hours, where required by law
  4. Cooperate with affected parties on remediation

Sub-processors

A current list of every third party that processes customer data on our behalf is published at https://www.hatchai.tech/sub-processors.

Compliance

We design the Service to support customer compliance with:

  • Georgia's Law on Personal Data Protection (in force since 1 March 2024)
  • The EU General Data Protection Regulation (GDPR)
  • EU AI Act transparency requirements (in force from 2 August 2026)
  • Other regional privacy laws as relevant to specific customer engagements

We do not yet hold formal certifications such as SOC 2 Type II or ISO 27001. We plan to pursue these as the company grows. Our infrastructure providers do hold these certifications.

Customer responsibilities

Security is a shared responsibility. Customers using the Service should:

  • Use strong, unique passwords.
  • Provision and de-provision worker accounts promptly when employees join or leave
  • Avoid uploading sensitive personal data, regulated data, or third-party confidential information unless covered by the contract (see our Acceptable Use Policy)
  • Notify us immediately of any suspected compromise of an account

Contact

Security questions or vulnerability reports: hatch.officiall@gmail.com General privacy: hatch.officiall@gmail.com