Compliance & Security
Your trust is our priority. Here's how we protect your data and maintain compliance with global standards.
Privacy & Data Handling
How we process, store, and protect your data
✓ Data stored in secure EU and US data centers (AWS & Google Cloud)
✓ Full DPA available with GDPR-compliant terms
✓ Limited third-party processors, all vetted and compliant
✓ You control your data with deletion rights
Data Processing Agreement (DPA)
We provide a comprehensive Data Processing Agreement that outlines our responsibilities as a data processor and your rights as a data controller. Our DPA is fully compliant with GDPR Article 28 requirements and includes:
- Scope and nature of processing activities
- Data subject categories and types of personal data processed
- Security measures and breach notification procedures
- Sub-processor management and disclosure
- Data retention and deletion obligations
- Rights to audit and inspection
To request our DPA: Contact our compliance team at [email protected] or your account manager. The DPA can be executed electronically and typically takes 2-3 business days to process.
See also: Privacy Policy for complete details on data handling practices.
Data Storage Locations
Your data is stored in highly secure, certified data centers with redundancy and backup systems:
Primary Regions:
- European Union: Paris, France (Scaleway) - for EU customers
- United States: Ashburn, USA (OCI) - for US customers
- India: Mumbai, India (OCI) - for APAC customers
Data Residency:
Customer data is processed and stored exclusively in the region selected during onboarding. Cross-border transfers comply with GDPR requirements using Standard Contractual Clauses (SCCs).
Backup & Disaster Recovery:
Encrypted backups are maintained in the same geographic region with geo-redundancy within that region. We maintain a 99.9% uptime SLA with automatic failover capabilities.
Third-Party Processors
We work with a limited number of carefully vetted third-party service providers. All processors are required to maintain equivalent security standards and have signed data processing agreements.
| Service Provider | Purpose | Data Location | Certification |
|---|---|---|---|
| Scaleway | Cloud infrastructure & hosting | EU (France) | ISO 27001, HDS |
| Oracle Cloud (OCI) | Cloud infrastructure & database | US, India | ISO 27001 |
| Hostinger | Web hosting & CDN | India | ISO 27001 |
| Amazon SES | Email delivery service | EU, US, India | ISO 27001 |
| Stripe | Payment processing | US, EU | PCI DSS, ISO 27001 |
* We maintain an updated sub-processor list and notify customers 30 days before adding new processors. You have the right to object to any new sub-processor.
Security Controls & Infrastructure
Comprehensive security measures across all layers of our platform
✓ Mandatory MFA for all admin accounts with SSO support
✓ End-to-end encryption: TLS 1.3 in transit, AES-256 at rest
✓ 24/7 security monitoring with SIEM and intrusion detection
✓ Zero-trust architecture with network segmentation
✓ Regular penetration testing and vulnerability assessments
Access Control & Identity Management
We implement defense-in-depth security principles with multiple layers of access controls to protect your data:
🔐 Multi-Factor Authentication (MFA)
- Mandatory for all administrator accounts
- TOTP, SMS, and FIDO2/WebAuthn support
- 8-hour session timeout with re-authentication
- SSO integration (Okta, Azure AD, Google)
👥 Role-Based Access Control (RBAC)
- Granular permissions and role assignments
- Principle of least privilege enforcement
- Separation of duties for critical operations
- Audit trails for all access changes
🌐 Network Access Controls
- IP allowlisting for admin access
- VPC isolation and private subnets
- Zero-trust network architecture
- Microsegmentation between services
🔑 API Security
- Scoped API keys with expiration
- Rate limiting and throttling
- OAuth 2.0 for third-party integrations
- Anomaly detection for API usage
Encryption & Data Protection
Yes, MFA is mandatory for all administrator accounts without exception. Our security policy enforces the following:
- Enforcement: All admin portal access requires MFA - no bypass options
- Supported Methods: TOTP authenticator apps (Google Authenticator, Authy), SMS backup, hardware security keys (FIDO2/WebAuthn)
- Session Management: Sessions expire after 8 hours of inactivity, requiring re-authentication
- Account Recovery: Secure recovery process with identity verification via email + backup codes
- API Access: API keys are rotatable, scoped with least-privilege access, and monitored for anomalous usage
We also support SSO integration with popular identity providers (Okta, Azure AD, Google Workspace) for enterprise customers, allowing you to enforce your own MFA policies.
Data Encryption
Yes, all data is encrypted both in transit and at rest using industry-leading standards:
🔒 Encryption in Transit
- TLS 1.3 for all external communications
- HTTPS only - no unencrypted HTTP traffic
- Perfect Forward Secrecy (PFS) enabled
- Strong cipher suites (AES-256-GCM)
- HSTS enforced with preloading
- Certificate pinning for mobile apps
🔐 Encryption at Rest
- AES-256 encryption for all stored data
- AWS KMS for key management
- Encrypted database volumes
- Encrypted file storage (S3 buckets)
- Encrypted backups with separate keys
- Regular key rotation (90-day cycle)
Additional Security Layers:
- Field-level encryption for highly sensitive data (credentials, API keys)
- Client-side encryption options available for enterprise customers
- Zero-knowledge architecture for password storage (never stored in plain text)
- Encryption key segregation by customer (multi-tenant isolation)
Security Monitoring & Incident Response
Our Security Operations Center (SOC) provides continuous monitoring and rapid incident response:
24/7 Security Monitoring
- SIEM (Security Information and Event Management) for centralized log analysis
- Real-time threat detection and anomaly identification
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
- Automated alerting for suspicious activities
Vulnerability Management
- Quarterly penetration testing by certified security firms
- Continuous automated vulnerability scanning
- Bug bounty program for responsible disclosure
- Patch management with 30-day SLA for critical vulnerabilities
Infrastructure Security
- Web Application Firewall (WAF) protecting against OWASP Top 10
- DDoS protection with automatic mitigation
- Container security scanning and runtime protection
- Secrets management with HashiCorp Vault
Compliance & Auditing
- Comprehensive audit logging of all system activities
- Immutable audit trails with 2-year retention
- Regular internal and external security audits
- Annual ISO 27001 surveillance audits
Incidents & Data Deletion
Breach notification and data lifecycle management
✓ Security incident notification within 72 hours (often faster)
✓ Transparent communication with detailed remediation steps
✓ Default 90-day retention for operational data, customizable
✓ Complete data deletion within 30 days of request
Security Incident Notification
We notify customers within 72 hours of becoming aware of a security incident that affects customer data, in compliance with GDPR Article 33 requirements. In practice, most notifications occur much faster.
Our Incident Response Timeline:
- Detection, initial assessment, and containment
- Impact analysis and affected customer identification
- Initial customer notification (email + dashboard alert)
- Detailed incident report, remediation plan, and regulatory filing if required
- Status updates every 24-48 hours until resolution
What We Include in Notifications:
- Nature of the security incident and how it was detected
- Categories and volume of data potentially affected
- Likely consequences and potential impact to your organization
- Measures taken to contain and remediate the incident
- Recommended actions for customers to take
- Point of contact for questions and ongoing updates
Communication Channels:
Security incidents are communicated via email to registered security contacts, in-app notifications on the admin dashboard, and for critical incidents, direct phone calls to key stakeholders.
Note: We maintain a public security page at status.hunto.ai for transparency on any incidents affecting service availability or security.
Data Retention & Deletion
Default Retention Periods:
| Data Type | Retention Period | Customizable |
|---|---|---|
| Active monitoring data | 90 days | Yes (30-365 days) |
| Security incidents & alerts | 1 year | Yes (90 days - 7 years) |
| Audit logs | 2 years | Limited (1-7 years) |
| Account information | Until account deletion | N/A |
| Billing records | 7 years (legal requirement) | No |
| Backups | 30 days | No |
Data Deletion Process:
Yes, we can permanently delete your tenant data upon request with the following process:
How to Request Deletion:
- Submit a deletion request via your admin dashboard (Settings → Account → Delete Account) OR email [email protected]
- Verify your identity through our secure confirmation process (MFA required)
- Receive confirmation email with deletion timeline and data export option
- 30-day grace period (optional) to recover account before permanent deletion
- Final confirmation email once deletion is complete with certificate of destruction
Deletion Timeline:
- Production databases: Immediate (within 24 hours)
- Backups: Within 30 days (as backups expire on rotation)
- Archive storage: Within 90 days for compliance records
- Third-party processors: Deletion requests sent within 7 days
What Gets Deleted:
- All monitoring data, scan results, and security findings
- Account credentials and user profiles
- Configuration and integration settings
- Email communications and support tickets
What We Retain:
- Billing records (7 years for tax/accounting requirements)
- Aggregated, anonymized analytics (no personal data)
- Legal hold data (only if subject to active litigation or investigation)
Data Export: Before deletion, you can export all your data in machine-readable formats (JSON, CSV) via the admin dashboard or API.
ISO 27001 Compliance
Information security management system certification
✓ ISO 27001:2022 certified and compliant
✓ All 93 Annex A controls fully implemented
✓ Annual surveillance audits to maintain certification
✓ Certificate and SOA available to customers on request
ISO/IEC 27001 is the international standard for information security management systems (ISMS). We are fully ISO 27001:2022 certified with comprehensive security controls implemented across all our operations.
Certification Details:
- Status: Certified and compliant with ISO 27001:2022
- Certification Date: October 2025
- Certifying Body: BSI (British Standards Institution)
- Scope: Design, development, and delivery of AI-powered cybersecurity services
Implemented Controls (Annex A):
We have implemented all 93 controls from ISO 27001:2022 Annex A across four categories:
- Organizational Controls (37): Policies, roles, security awareness, incident management
- People Controls (8): Background checks, NDAs, training, disciplinary process
- Physical Controls (14): Access control, monitoring, equipment security
- Technological Controls (34): Access management, cryptography, logging, backups
Key ISMS Components:
- Risk assessment methodology based on ISO 27005
- Information security policies and procedures
- Asset inventory and classification system
- Business continuity and disaster recovery plans
- Supplier security assessment program
- Internal audit program and management reviews
Ongoing Compliance:
We maintain our ISO 27001 certification through annual surveillance audits and a full recertification audit every three years. Our certificate and Statement of Applicability (SOA) are available to customers upon request at [email protected].
GDPR Compliance
European data protection regulation compliance
✓ Full GDPR compliance since May 2018
✓ EU data residency options with no cross-border transfers
✓ DPO appointed and accessible for privacy inquiries
✓ All data subject rights supported with self-service tools
The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection law. We are fully compliant with all GDPR requirements and treat GDPR principles as our baseline for data protection globally, not just for EU customers.
Legal Basis for Processing:
We process personal data under the following lawful bases per GDPR Article 6:
- Contract Performance (Art. 6.1.b): Processing necessary to deliver our cybersecurity services
- Legitimate Interests (Art. 6.1.f): Security monitoring, fraud prevention, service improvement
- Consent (Art. 6.1.a): Marketing communications, optional features (consent can be withdrawn)
- Legal Obligation (Art. 6.1.c): Compliance with tax, accounting, and cybersecurity regulations
Data Subject Rights (GDPR Chapter III):
We provide full support for all GDPR data subject rights with both self-service and assisted options:
- Right to Access (Art. 15): Request a copy of your personal data. Response time: within 30 days.
- Right to Rectification (Art. 16): Correct inaccurate personal data. Self-service in account settings.
- Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten"). Processed within 30 days.
- Right to Restriction (Art. 18): Limit processing while disputes are resolved. Contact the DPO for assistance.
- Right to Data Portability (Art. 20): Export your data in a machine-readable format. Self-service export in JSON/CSV.
- Right to Object (Art. 21): Object to processing for direct marketing. Opt out anytime via preferences.
How to exercise your rights: Email [email protected] or use the Privacy Rights section in your account dashboard. We respond to all requests within 30 days (or 60 days for complex requests, with notification).
Data Protection Officer (DPO):
We have appointed a Data Protection Officer as required by GDPR Article 37:
Name: Rahul Sharma
Email: [email protected]
Role: Privacy inquiries, regulatory liaison, internal compliance oversight
International Data Transfers:
For EU customers, we offer:
- EU Data Residency: All data stored and processed exclusively in EU (Frankfurt region)
- No Cross-Border Transfers: Option to keep all data within EEA with no US transfers
- Standard Contractual Clauses (SCCs): For customers who choose US or APAC regions, we use EU-approved SCCs (2021 version)
- Adequacy Decisions: We monitor and comply with EU Commission adequacy decisions
Privacy by Design & Default (Art. 25):
We implement technical and organizational measures to embed data protection into our services:
- Data minimization - we only collect what's necessary
- Pseudonymization and anonymization where possible
- Privacy settings default to most restrictive
- Privacy Impact Assessments (PIAs) for new features
- Privacy training for all employees
Data Breach Procedures (Art. 33-34):
In case of a personal data breach, we notify the relevant supervisory authority within 72 hours and affected individuals without undue delay if the breach poses a high risk. See the Incidents & Data Deletion section for our detailed notification process.
Supervisory Authority:
Our lead supervisory authority for GDPR matters is the German Federal Commissioner for Data Protection and Freedom of Information (BfDI). You have the right to lodge a complaint with your local data protection authority.
For complete details on how we handle personal data, please review our Privacy Policy.
Questions or Need Documentation?
Our compliance and security team is here to help. We can provide additional documentation, answer specific questions, or schedule a security review call.
General Inquiries
[email protected]
Privacy & DPA Requests
[email protected]
Compliance Documentation
[email protected]
Related Policies: Privacy Policy • Terms of Service