Trust Center
Security, privacy, compliance, and AI governance documentation for the Hone Studio platform. Everything you need to evaluate our commitment to protecting your data.
Documentation
Security at a Glance
Common questions from security and compliance teams
No. No AI provider uses your data for training. Zero-retention agreements are confirmed with Google and Perplexity, and have been requested from Anthropic and Cohere.
No. Each client has fully isolated infrastructure — separate database, separate backend, separate frontend deployment. There is no shared data layer between clients.
Not yet certified. We maintain 10 formal security policies aligned with SOC 2 Trust Services Criteria. Third-party security assessment planned Q3 2026, SOC 2 Type I targeted Q1–Q2 2027, Type II targeted Q4 2027–Q1 2028.
Yes. We sign Data Processing Agreements that designate Hone Labs as a school official with legitimate educational interest. Education records are never re-disclosed or used beyond the contracted purpose.
All data is processed and stored in the United States (AWS infrastructure via Supabase). Contact us for specific data residency requirements.
AES-256 encryption at rest (AWS KMS managed keys) and TLS 1.2+ for all data in transit with HSTS enforced.
You get a 30-day export window, then soft deletion at Day 30, permanent deletion at Day 60, and backup expiry at Day 90. Written certification available on request.
Yes. Our standard Data Processing Agreement is published in full on our Trust Center. We customize terms per client as needed.
Yes. Hiscox Professional Liability, Cyber Liability, and General Liability coverage ($1M per occurrence). Certificate of insurance available on request.
Email security@honelabs.dev. We acknowledge within 2 business days, assess within 5, and remediate critical issues within 24 hours. Full safe harbor for good-faith researchers.
Anthropic (AI), Google Gemini (embeddings), Cohere (search relevance), Perplexity AI (web research), Firecrawl (web extraction), Supabase (database), Railway (backend), Vercel (frontend), Sentry (monitoring), GitHub (source code & CI/CD), Google OAuth (authentication). Full list with data handling details on our Sub-Processor page.
We are partially conformant with WCAG 2.1 Level AA. Known limitations are documented transparently with remediation targets. See our Accessibility Statement.
Every AI output is a draft — nothing takes effect without human review. We apply automated quality scoring, citation verification, confidence scoring, and configurable token budgets.
Contact Us
Reach the right team directly
Security: security@honelabs.dev (vulnerability reports, security questions)
Privacy: privacy@honelabs.dev (data requests, privacy concerns)
AI Governance: ai@honelabs.dev (AI governance, model change questions)
Accessibility: accessibility@honelabs.dev (accessibility feedback, accommodation requests)