Security posture
What we do today, what we explicitly do not claim, and how to report a vulnerability. Written for the security reviewer who reads this in 90 seconds.
Huitzo is a self-hosted AI runtime. The runtime and the customer's data both run inside the customer's network boundary. Huitzo Inc does not ingest or store customer data. This page is the running statement of what we do today, what we do not claim, and how to report a vulnerability.
What we do today
- Source code is open for review under the Huitzo GitHub organization.
- Customer deploys the runtime inside infrastructure they control.
- All inter-component traffic inside a deployment is over TLS by default.
- Secrets are sourced from the host environment; Huitzo does not bundle a secret store.
What we do not claim today
Stated plainly. If any item below changes, it moves to "what we do today" in the same week the certification or third-party audit lands.
- Not SOC 2 Type I or Type II audited.
- Not ISO 27001 audited.
- No published uptime SLA. Self-hosted runtime; uptime is a property of the customer's deployment.
- Not independently penetration-tested.
- Not HIPAA-, PCI-DSS-, FedRAMP-, or GDPR-certified. The runtime can be operated inside a customer's compliant environment, but Huitzo does not certify the customer's environment.
Vulnerability disclosure
Email [email protected]. Standard 90-day disclosure window. Huitzo does not run a paid bug bounty program.
Security questions
Is Huitzo SOC 2 compliant?
No. Huitzo Inc has not completed a SOC 2 Type I or Type II audit. The runtime is self-hosted, so the deployment can be operated inside a customer's SOC 2-certified environment, but Huitzo does not certify the customer's environment.
Does Huitzo store my data?
No. The Huitzo runtime is deployed inside the customer's infrastructure. Huitzo Inc does not ingest or store customer data.
Is Huitzo HIPAA compliant?
Huitzo Inc is not HIPAA-certified. The runtime can be operated inside a HIPAA-compliant customer environment, but Huitzo does not certify the customer's environment.
What is your uptime SLA?
Huitzo does not publish an uptime SLA. The runtime is self-hosted, so uptime is a property of the customer's deployment, not a Huitzo service obligation.
Has Huitzo been penetration-tested?
No. Huitzo has not undergone an independent third-party penetration test. The runtime source is open for review under the Huitzo GitHub organization.
How do I report a security vulnerability?
Email [email protected]. Standard 90-day disclosure window. Huitzo does not run a paid bug bounty program.