What we have. Not what we hope to have.
Role-scoped access. Sensitive-topic review built into the pipeline, not bolted on. Source-grounded architecture and multi-source cross-checking designed to keep the AI from writing what its sources can't support. Subprocessors listed here by category and named in full in the DPA. What we don't claim yet, we don't claim.
Security-critical layers run on managed services rather than custom infrastructure. Each provider is responsible for its own layer. Specific provider names and DPA terms are available before contract.
Authentication
Authentication and session management
Authentication, sessions, and organisation membership are delegated to a managed identity provider. HermesAI does not store or manage raw session credentials.
Billing
Billing and subscription lifecycle
Payment processing, subscription state, and checkout flows run through a managed billing provider. Card data never touches HermesAI servers.
Database
Primary database
Application state, tenant data, and editorial records live in a managed Postgres cluster. Backups, failover, and encryption at rest are handled by the provider.
Cache and rate limiting
Rate limiting and transient state
Holds in-memory state for rate limiting, feed-processing locks, and short-lived workflow flags. No persistent sensitive data is stored here.
Compute and hosting
Application compute runs on a managed hosting platform. Network isolation, DDoS mitigation, and TLS termination are platform defaults.
CDN and edge
CDN and edge network
Static assets and edge routing are proxied through a managed CDN. WAF rules and bot mitigation are applied at the edge, before requests reach application compute.
Controls implemented at the application layer, visible in the current codebase.
Role-gated product areas
Admin routes and tenant newsroom routes are separated at the middleware level. Platform-side roles for operations are distinct from tenant-side editorial roles. Access is enforced server-side on each request.
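An added example of the route-gating pattern described above, not HermesAI's code: a middleware-style authorizer in which platform roles and tenant roles are separate namespaces, admin routes are matched by path segment (not string prefix), and tenant routes require membership in the tenant named in the path. Route shapes, role names and the principal layout are assumptions for illustration.

```python
"""Role-gated routing: platform (operations) roles and tenant (editorial) roles
are separate namespaces, and every request is checked server-side against the
authenticated principal before any handler runs.

Added example; not HermesAI's code. Route prefixes, role names and the
principal shape are assumptions chosen for illustration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class Principal:
    user_id: str
    platform_roles: FrozenSet[str] = frozenset()
    # tenant_id -> roles held in that tenant; membership is per tenant, never global
    tenant_roles: Dict[str, FrozenSet[str]] = field(default_factory=dict)


# Which tenant roles may use which HTTP method on newsroom routes
NEWSROOM_POLICY = {
    "GET": frozenset({"tenant:viewer", "tenant:reviewer", "tenant:editor"}),
    "POST": frozenset({"tenant:editor"}),
    "PUT": frozenset({"tenant:editor"}),
    "DELETE": frozenset({"tenant:editor"}),
}


def authorize(principal: Optional[Principal], method: str, path: str) -> Tuple[int, str]:
    """Return (status, reason) the way a middleware would, on every request."""
    if principal is None:
        return 401, "unauthenticated"
    segments = path.split("/")          # segment match: "/adminx" is not "/admin"
    if segments[1] == "admin":
        # Platform side: only platform roles count; tenant roles grant nothing here
        if "platform:admin" in principal.platform_roles:
            return 200, "ok"
        return 403, "platform admin role required"
    if segments[1] == "t" and len(segments) > 2 and segments[2]:
        tenant_id = segments[2]
        # Tenant side: roles in *this* tenant only; platform roles grant nothing here
        roles = principal.tenant_roles.get(tenant_id, frozenset())
        needed = NEWSROOM_POLICY.get(method)
        if needed is None:
            return 405, "method not allowed"
        if roles & needed:
            return 200, "ok"
        if roles:
            return 403, f"{method} on tenant {tenant_id} needs one of {sorted(needed)}"
        return 404, "not a member of this tenant"   # do not confirm the tenant exists
    return 404, "no such route"


def demo() -> Dict[str, int]:
    """Constructed principals exercising both namespaces and cross-tenant access."""
    ops = Principal("u-ops", platform_roles=frozenset({"platform:admin"}))
    editor = Principal("u-ed", tenant_roles={"acme": frozenset({"tenant:editor"})})
    viewer = Principal("u-vw", tenant_roles={"acme": frozenset({"tenant:viewer"})})
    return {
        "ops_admin_route": authorize(ops, "GET", "/admin/tenants")[0],
        "ops_tenant_route": authorize(ops, "GET", "/t/acme/articles")[0],
        "editor_post_own_tenant": authorize(editor, "POST", "/t/acme/articles")[0],
        "editor_other_tenant": authorize(editor, "GET", "/t/globex/articles")[0],
        "editor_admin_route": authorize(editor, "GET", "/admin/tenants")[0],
        "viewer_get": authorize(viewer, "GET", "/t/acme/articles")[0],
        "viewer_post": authorize(viewer, "POST", "/t/acme/articles")[0],
        "anonymous": authorize(None, "GET", "/t/acme/articles")[0],
        "prefix_lookalike": authorize(ops, "GET", "/adminx/tenants")[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:24} {status}")
```

The two points worth noticing: a platform admin gets 404, not 200, on a tenant newsroom route, because the namespaces do not bleed into each other, and a non-member gets the same 404 as a nonexistent tenant so the route does not disclose which tenant ids exist.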
Webhook signature verification
Billing and identity webhook events are verified against HMAC signatures from their respective providers before processing. Replayed or tampered payloads are rejected. Idempotency keys prevent duplicate processing of the same event.
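An added example of the verification-before-processing pattern just described, not HermesAI's code and not any provider's actual scheme: an HMAC-SHA256 check in constant time over the raw body, a freshness window so a captured delivery cannot be replayed later, and an idempotency set so a provider retry is acknowledged without re-applying side effects. The header layout ("t=<unix>,v1=<hex>") and the signed-string layout are assumptions for illustration.

```python
"""Webhook intake: HMAC-SHA256 signature check, freshness window, idempotency.

Added example; not HermesAI's code. The header layout ("t=<unix>,v1=<hex>") and
the signed string ("<timestamp>.<raw body>") are assumptions chosen for
illustration. Each real provider documents its own scheme, which the verifier
must follow exactly; the MAC is always computed over the raw request bytes,
never over a re-serialised JSON object."""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

TOLERANCE_SECONDS = 300  # deliveries outside +/-5 minutes are treated as replays


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Producer side: what the provider (or a test) computes for one delivery."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def parse_signature_header(header: str) -> Tuple[int, str]:
    """Split "t=1700000000,v1=abcd..." into (timestamp, hex signature)."""
    fields = dict(item.split("=", 1) for item in header.split(","))
    return int(fields["t"]), fields["v1"]


def verify(secret: bytes, header: str, body: bytes, now: Optional[int] = None) -> bool:
    """True only if the signature matches the raw body and the timestamp is fresh."""
    now = int(time.time()) if now is None else now
    try:
        timestamp, presented = parse_signature_header(header)
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale (or future-dated): reject as a replay
    expected = sign(secret, timestamp, body)
    # compare_digest is constant-time, so a mismatch leaks nothing about the MAC
    return hmac.compare_digest(expected, presented)


class WebhookProcessor:
    """Verifies each delivery, then processes each event id at most once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = set()     # in production: a table with a unique index on event id
        self.handled = []

    def handle(self, header: str, body: bytes, now: int) -> str:
        if not verify(self.secret, header, body, now):
            return "rejected"          # never parse an unverified body
        event = json.loads(body)
        if event["id"] in self.seen:
            return "duplicate"         # provider retried: acknowledge, do not re-apply
        self.seen.add(event["id"])
        self.handled.append(event["type"])
        return "processed"


def demo() -> Dict[str, str]:
    """Happy path plus the failure modes, using constructed data."""
    secret = b"whsec_constructed_example_secret"   # constructed, not a real secret
    now = 1_700_000_000
    body = json.dumps({"id": "evt_001", "type": "invoice.paid"}).encode()
    header = f"t={now},v1={sign(secret, now, body)}"
    processor = WebhookProcessor(secret)
    return {
        "first_delivery": processor.handle(header, body, now),
        "retry_same_event": processor.handle(header, body, now),
        "replayed_an_hour_later": processor.handle(header, body, now + 3600),
        "body_tampered": processor.handle(header, body.replace(b"paid", b"void"), now),
        "malformed_header": processor.handle("not-a-signature", body, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24} {result}")
```

The order matters: the signature is checked before the body is parsed, so malformed or hostile JSON from an unauthenticated sender never reaches the parser, and the idempotency key is the provider's event id rather than a hash of the body, so a retry with a refreshed timestamp is still recognised as the same event.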
API key hashing
Tenant integration keys are stored only as hashes; a truncated, masked prefix is kept for display so a tenant can recognise which key is which. The full key is shown once, at creation time, and cannot be retrieved from the platform afterwards.
Network checks for webhook targets
Outbound webhook endpoints submitted by tenants are checked against reserved and non-public address ranges before use, so a tenant cannot point the webhook delivery system at loopback, link-local, or private-network addresses. This is the control against SSRF through webhook delivery.
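An added example of that target check, not HermesAI's code: it accepts only https URLs without embedded credentials, resolves hostnames and requires every answer (A and AAAA) to be a globally routable unicast address, and unwraps IPv4-mapped IPv6 literals so they cannot smuggle a private IPv4 address past the check. The policy choices and the injectable `resolve` parameter (used here with a constructed lookup table so the code runs offline) are assumptions for illustration.

```python
"""Outbound webhook target check: refuse anything that resolves to a non-public address.

Added example; not HermesAI's code. The policy (https only, no credentials in the
URL, every DNS answer must be globally routable unicast) is one reasonable choice.
`resolve` is injectable so the check runs offline against a constructed table;
the default uses the system resolver."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Every address the host resolves to (A and AAAA), deduplicated."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:10.0.0.1 so the IPv4 rules apply to IPv4-mapped IPv6 literals
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global already excludes loopback, link-local (incl. 169.254.169.254),
    # RFC 1918, CGNAT, documentation and reserved ranges; multicast is excluded explicitly
    return ip.is_global and not ip.is_multicast


def validate_webhook_url(url: str, resolve: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only https URLs whose every address is public."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username or parts.password:
        return False, "credentials in the URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IP: check it directly
    except ValueError:
        try:
            addresses = list(resolve(host))             # hostname: check every answer
        except OSError:                                 # socket.gaierror is an OSError
            return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


def demo() -> Dict[str, bool]:
    """Run the check against a constructed DNS table (no network access)."""
    table = {
        "hooks.example.com": ["93.184.216.34"],
        "split.example.net": ["93.184.216.34", "10.0.0.5"],  # one public, one private answer
        "localhost": ["127.0.0.1"],
        "v6.example.org": ["2606:4700::1111"],
    }

    def fake_resolve(host: str) -> List[str]:
        if host not in table:
            raise socket.gaierror(f"constructed NXDOMAIN for {host}")
        return table[host]

    cases = {
        "public_https": "https://hooks.example.com/in",
        "public_ipv6": "https://v6.example.org/in",
        "plain_http": "http://hooks.example.com/in",
        "mixed_answers": "https://split.example.net/in",
        "localhost": "https://localhost:8443/in",
        "metadata_literal": "https://169.254.169.254/latest/meta-data/",
        "mapped_ipv6_literal": "https://[::ffff:10.0.0.1]/in",
        "credentials_in_url": "https://user:pw@hooks.example.com/in",
        "nxdomain": "https://nowhere.example.org/in",
    }
    return {name: validate_webhook_url(url, fake_resolve)[0] for name, url in cases.items()}


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22} {'accept' if accepted else 'reject'}")
```

A check at submission time is necessary but not sufficient on its own: a hostname can be re-pointed after it is saved (DNS rebinding), and a public endpoint can redirect to an internal one. The complete control re-resolves at delivery time, connects to the address that was validated, and either refuses redirects or re-runs the same check on each redirect target.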
Operational records
Billing and identity webhook payloads are archived for audit and incident investigation. These records support troubleshooting without relying solely on external provider logs.
Security pages often overstate. These are the things this page does not assert.
No certification unless published.
HermesAI does not hold SOC 2, ISO 27001, or equivalent certifications at this stage. If any are obtained they will be published explicitly. A security page is not a certification.
No public bug bounty.
There is no active public bug bounty programme. Security researchers should report findings to the security contact. Reports are reviewed; rewards are not promised.
No uptime SLA unless contracted.
Free, Plus, and Pro plans carry no uptime guarantee. Enterprise contracts may define SLAs - consult the specific agreement.
No prevention of AI editorial errors.
The product generates AI articles. These may contain factual errors, misattributions, or incomplete coverage. Editorial review before publication is a design assumption, not an optional step.
No substitute for publisher rights review.
Security controls do not address content licensing, attribution rights, or syndication terms. Those are separate legal and commercial matters.
Found a security issue?
Report via the security channel. Include the affected path, reproduction steps, and your estimated impact. Reports are reviewed - there is no public bounty programme.