Security and Compliance

An overview of Humanloop's security and compliance measures

Humanloop is deeply committed to AI governance, security, and compliance. View our Trust Report and Policy Pages to see all of our certifications, request documentation, and view high-level details on the controls we adhere to.

Humanloop never trains on user data.

Humanloop Security Offerings:

Data Privacy and Security
- Activate LLMs with your private data, safely and securely. You own your data and models.
Monitoring & Support
- End-to-end monitoring of your AI applications, support guarantees from trusted AI experts.
Data Encryption
Data Management & AI Governance

User Authentication and Access Control

Authentication & Access Control - Humanloop Web App

All users of the Humanloop web application require a valid email address and password to use the system:

Email addresses are verified on account creation.
Passwords are verified as sufficiently complex.
Passwords are stored using a one-way salted hash.
User access logs are maintained including date, time, user ID, relevant URL, operation performed, and source IP address for audit purposes.

Authentication & Access Control - Humanloop API

All users of the API are required to authenticate with a unique API token header:

Follows the OAuth 2.0 pattern.
API tokens are only visible once on creation and then obfuscated.
Users can manage the expiry of API keys.
API token access logs are maintained including date, time, user ID, relevant URL, operation performed, and source IP address for audit purposes.

Additional Resources

Role-based access control (RBAC) - We implement strict role-based access control (RBAC) for all our systems.
Multi-factor authentication (MFA) - MFA is enforced for all employee accounts.

Encryption Standards

Encryption

Humanloop follows best practices for data management and encryption. All data in transit is secured with TLS/SSL, and all data at rest is encrypted using the AES-256 algorithm. All encryption keys are managed using AWS Key Management Service (KMS) as part of the VPC definition.

All data in transit is encrypted using TLS 1.2 or higher.
Data at rest is encrypted using AES-256 encryption.

Infrastructure

All sensitive data is encrypted in transit. For Self-Hosted Cloud (VPC) environments, network traffic is also encrypted in transit and at rest to meet HIPAA requirements. Sensitive application data is only ever processed within the ECS cluster and stored in Aurora. To request a network infrastructure diagram or more information, please contact privacy@humanloop.com.

Learn More

For more information about how Humanloop processes user data, visit our Data Management & Hosting Options page.

Security Certifications

SOC2 Type II Compliance

Humanloop is fully SOC2 Type II compliant. Learn more via our Trust Center and our Security Policy page.

HIPAA Compliance

Humanloop actively works with paying customers to help them achieve HIPAA compliance. Official certification is pending.

To request references or more information, contact sales@humanloop.com.

HIPAA Compliance via Hosting Environment:

Humanloop offers dedicated platform instances on AWS with HIPAA provisions for enterprise customers that have particularly sensitive data. These provisions include:

The ability for enterprises to manage their own encryption keys.
A specific AWS Fargate deployment that follows HIPAA practices.

We are fully compliant with the General Data Protection Regulation (GDPR). This includes:

Data minimization practices
User rights management
Data processing agreements

How Humanloop helps customers maintain compliance:

Self-Hosted Cloud (VPC) environments
Data Processing Agreements (DPAs)
Data Minimization and Retention Policies
Role-Based Access Controls
Data Encryption
Robust Security Measures
Incident Response Plan SLAs
Regular Training & Audits

Learn more:

Cloud Hosting Options
Data Management Protocols
Security Policy
Privacy Policy
Trust Center

To request references or more information, contact sales@humanloop.com