Security & Compliance
HYVE OVERLORD is built for defense, regulated, and enterprise environments. This page summarizes how the platform protects your data and where we stand on the frameworks your security team will ask about. For procurement or vendor due diligence, our full security package is available on request.
Compliance Posture
Our SOC 2 Type II readiness program is underway. We operate under SOC 2-aligned controls (security, availability, confidentiality) today; the independent examination report will be made available to qualified customers under NDA on completion.
HIPAA-ready architecture. HYVE OVERLORD runs inside your environment and we do not store your operational data or PHI — your patient data never leaves your control. A Business Associate Agreement (BAA) is available for qualified healthcare deployments.
Built-in control mapping and continuous posture monitoring against CMMC Level 2 and NIST SP 800-171, with reporting that supports your assessment evidence. This is posture monitoring and control alignment — not a certification of your environment.
US-only product. Customer data resides in the United States and, for the desktop platform, within your own environment. International interest is routed to an export-compliance review (EAR / ITAR) before any engagement.
How We Protect Your Data
The OVERLORD + Raptor desktop platform runs on your machines and activates offline (Ed25519, verified locally). Nothing phones home; we do not collect or store your operational data, telemetry, or PHI.
The Shield-to-Command channel is encrypted at the application layer with NIST ML-KEM-768 (FIPS 203) — in addition to TLS — protecting threat intelligence against the “harvest now, decrypt later” threat model.
Local secrets and key material are sealed with OS-native key stores (Windows DPAPI / platform secure storage), never written in plaintext.
Multi-tenant data is isolated at the database layer with row-level security; cross-tenant access is denied by default. Privileged operations run server-side under least privilege.
Role-based access control with an immutable audit trail across administrative and security actions. Control-plane writes require explicit authorization and fail closed.
Licenses are offline-verifiable and perpetual-capable — no license server, nothing to phone home, no dependency on us to keep your deployment running.
For vendor security reviews we provide a control overview, architecture summary, data-flow description, and a BAA on request. SOC 2 Type II report shared under NDA on completion.
This page describes our security architecture and the control frameworks we engineer to. Each framework’s status is stated explicitly above. Engineering to a framework’s controls is not the same as a third-party certification of your environment; formal attestations (the SOC 2 Type II report) and executed agreements (BAA) are provided directly to qualified customers under NDA as part of procurement. HYVE OVERLORD and Raptor are US-only, export-controlled products (EAR / ITAR).