Security and Compliance
An overview of Humanloop’s security and compliance measures
Humanloop is deeply committed to AI governance, security, and compliance. View our Trust Report and Policy Pages to see all of our certifications, request documentation, and view high-level details on the controls we adhere to.
Humanloop never trains on user data.
Humanloop Security Offerings:
- Data Privacy and Security
  - Activate LLMs with your private data, safely and securely. You own your data and models.
- Monitoring & Support
  - End-to-end monitoring of your AI applications, with support guarantees from trusted AI experts.
- Data Encryption
- Data Management & AI Governance
User Authentication and Access Control
Authentication & Access Control - Humanloop Web App
All users of the Humanloop web application require a valid email address and password to use the system:
- Email addresses are verified on account creation.
- Passwords are verified as sufficiently complex.
- Passwords are stored using a one-way salted hash.
- User access logs are maintained including date, time, user ID, relevant URL, operation performed, and source IP address for audit purposes.
Authentication & Access Control - Humanloop API
All users of the API are required to authenticate with a unique API token header:
- Follows the OAuth 2.0 pattern.
- API tokens are only visible once on creation and then obfuscated.
- Users can manage the expiry of API keys.
- API token access logs are maintained including date, time, user ID, relevant URL, operation performed, and source IP address for audit purposes.
Additional Resources
- Role-based access control (RBAC) - We implement strict role-based access control (RBAC) for all our systems.
- Multi-factor authentication (MFA) - MFA is enforced for all employee accounts.
Encryption Standards
Encryption
Humanloop follows best practices for data management and encryption. All data in transit is secured with TLS/SSL, and all data at rest is encrypted using the AES-256 algorithm. All encryption keys are managed using AWS Key Management Service (KMS) as part of the VPC definition.
- All data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted using AES-256 encryption.
Infrastructure
All sensitive data is encrypted in transit. For Self-Hosted Cloud (VPC) environments, network traffic is also encrypted in transit and at rest to meet HIPAA requirements. Sensitive application data is only ever processed within the ECS cluster and stored in Aurora. To request a network infrastructure diagram or more information, please contact privacy@humanloop.com.
Learn More
For more information about how Humanloop processes user data, visit our Data Management & Hosting Options page.
Security Certifications
SOC2 Type II Compliance
Humanloop is fully SOC2 Type II compliant. Learn more via our Trust Center and our Security Policy page.
HIPAA Compliance
Humanloop actively works with paying customers to help them achieve HIPAA compliance. Official certification is pending.
To request references or more information, contact sales@humanloop.com.
HIPAA Compliance via Hosting Environment:
Humanloop offers dedicated platform instances on AWS with HIPAA provisions for enterprise customers that have particularly sensitive data. These provisions include:
- The ability for enterprises to manage their own encryption keys.
- A specific AWS Fargate deployment that follows HIPAA practices.
GDPR Compliance
We are fully compliant with the General Data Protection Regulation (GDPR). This includes:
- Data minimization practices
- User rights management
- Data processing agreements
How Humanloop helps customers maintain compliance:
- Self-Hosted Cloud (VPC) environments
- Data Processing Agreements (DPAs)
- Data Minimization and Retention Policies
- Role-Based Access Controls
- Data Encryption
- Robust Security Measures
- Incident Response Plan SLAs
- Regular Training & Audits
Learn more:
- Cloud Hosting Options
- Data Management Protocols
- Security Policy
- Privacy Policy
- Trust Center
To request references or more information, contact sales@humanloop.com.