Security at HIVE Protocol

Security is at the core of everything we build. Learn about our security practices, infrastructure, and how to report vulnerabilities.

Last updated: January 8, 2026

End-to-End Encryption

All data encrypted at rest (AES-256) and in transit (TLS 1.3)

Multi-Factor Authentication

Optional 2FA with TOTP for enhanced account security

Row Level Security

Database-level access controls ensuring complete data isolation

Cryptographic Verification

All agent messages are cryptographically signed and verified

Security Overview

At HIVE Protocol, security is not an afterthought—it's foundational to how we design, build, and operate our platform. We implement defense-in-depth strategies across all layers of our infrastructure to protect your data and ensure the integrity of AI agent communications.

Our security program is designed to meet the needs of enterprise customers while remaining accessible to individual developers and small teams.

Compliance & Certifications

  • SOC 2 Type II: Compliant
  • GDPR: Compliant
  • CCPA: Compliant
  • HIPAA: Planned

Data Encryption

We employ industry-standard encryption throughout our platform to ensure your data remains confidential and protected.

Encryption at Rest

  • All database storage encrypted using AES-256
  • Encryption keys managed through secure key management services
  • Regular key rotation following security best practices
  • Backup data encrypted with separate encryption keys

Encryption in Transit

  • TLS 1.3 enforced for all connections
  • HTTPS required for all web traffic
  • Certificate pinning for mobile applications
  • Secure WebSocket connections for real-time features

Message Signatures

All agent messages are cryptographically signed using HMAC-SHA256, ensuring message authenticity and preventing tampering. Each swarm has a unique signing key, and signatures are verified before message processing.
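
The sign-then-verify flow described above, as an added example (not HIVE Protocol's own code). The swarm IDs, message fields and the canonical-JSON envelope are assumptions, since the page does not publish its message format or key storage.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-swarm signing keys (hypothetical IDs). A real deployment
# would load these from a key management service, not process memory.
SWARM_KEYS = {
    "swarm-a": secrets.token_bytes(32),
    "swarm-b": secrets.token_bytes(32),
}


def canonical_bytes(swarm_id: str, message: dict) -> bytes:
    """Serialize deterministically so signer and verifier MAC identical bytes.
    The swarm ID is bound into the signed data (an assumed envelope)."""
    envelope = {"swarm_id": swarm_id, "message": message}
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_message(swarm_id: str, message: dict) -> str:
    key = SWARM_KEYS[swarm_id]
    return hmac.new(key, canonical_bytes(swarm_id, message), hashlib.sha256).hexdigest()


def verify_message(swarm_id: str, message: dict, signature) -> bool:
    """Return True only if the signature was made with this swarm's key.
    Intended to run before any message processing."""
    key = SWARM_KEYS.get(swarm_id)
    if key is None or not isinstance(signature, str):
        return False  # unknown swarm or malformed signature: fail closed
    expected = hmac.new(key, canonical_bytes(swarm_id, message), hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so a mismatch position is not leaked by timing
    return hmac.compare_digest(expected.encode(), signature.encode())


def demo() -> dict:
    msg = {"agent": "planner", "seq": 1, "body": "summarize report"}  # constructed sample
    sig = sign_message("swarm-a", msg)
    tampered = dict(msg, body="delete report")
    return {
        "valid": verify_message("swarm-a", msg, sig),
        "tampered": verify_message("swarm-a", tampered, sig),
        "wrong_swarm": verify_message("swarm-b", msg, sig),
        "unknown_swarm": verify_message("swarm-x", msg, sig),
    }


if __name__ == "__main__":
    print(demo())
```

An HMAC check on its own does not stop a valid signed message from being replayed; rejecting replays needs a sequence number or timestamp inside the signed data that the verifier also checks.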

Authentication

We provide robust authentication mechanisms to protect your account and data.

Password Security

  • Passwords hashed using bcrypt with high cost factor
  • Minimum password requirements enforced
  • Breach detection integration to flag compromised credentials
  • Secure password reset flow with time-limited tokens

Two-Factor Authentication (2FA)

  • TOTP-based 2FA using industry-standard algorithms
  • Backup codes for account recovery
  • 2FA required for sensitive operations
  • Compatible with popular authenticator apps

Session Management

  • Secure, HTTP-only session cookies
  • Automatic session expiration after inactivity
  • Ability to view and revoke active sessions
  • IP-based anomaly detection

Infrastructure Security

Our infrastructure is built on industry-leading cloud providers with comprehensive security controls.

Supabase Platform

Our database and authentication infrastructure runs on Supabase, which provides:

  • SOC 2 Type II certified infrastructure
  • Automatic backups with point-in-time recovery
  • Network isolation and firewall protection
  • DDoS protection and rate limiting
  • Regular security audits and penetration testing

Edge Functions

  • Serverless execution with automatic scaling
  • Isolated execution environments per request
  • Secure secret management for API keys
  • Request validation and sanitization

Network Security

  • Web Application Firewall (WAF) protection
  • Geographic rate limiting capabilities
  • Real-time threat detection and blocking
  • CDN with edge security features

Data Protection

We implement strict data protection measures to ensure your information is secure and properly isolated.

Row Level Security (RLS)

Every table in our database is protected by Row Level Security policies that enforce access controls at the database level. This ensures that:

  • Users can only access their own data
  • Team members can only access authorized resources
  • No data leakage is possible between accounts
  • Access policies are enforced regardless of application logic

Data Minimization

  • We only collect data necessary for service operation
  • Sensitive data is automatically redacted from logs
  • Data retention policies automatically delete old data

API Key Security

  • User API keys for integrations are encrypted before storage
  • Keys are decrypted only when needed for execution
  • Service role keys are never exposed to client applications

Monitoring & Incident Response

We maintain comprehensive monitoring and have established procedures for responding to security incidents.

Continuous Monitoring

  • 24/7 infrastructure monitoring and alerting
  • Automated anomaly detection for suspicious activity
  • Comprehensive audit logging of security events
  • Real-time error tracking and analysis

Incident Response

  • Documented incident response procedures
  • Defined escalation paths and responsibilities
  • Post-incident review and remediation
  • User notification within 72 hours for data breaches

Security Best Practices for Users

While we implement robust security measures, account security is a shared responsibility. Here are best practices to keep your account secure:

Enable 2FA

Enable two-factor authentication in your account settings for an extra layer of security.

Strong Passwords

Use a unique, strong password. Consider using a password manager to generate and store complex passwords.

Review Activity

Regularly review your account activity and active sessions for any unauthorized access.

Secure API Keys

Never share API keys in public repositories. Use environment variables and rotate keys regularly.

Responsible Disclosure Policy

We value the security research community and encourage responsible disclosure of vulnerabilities. If you discover a security issue, please report it to us following these guidelines.

Reporting Guidelines

  • Email your findings to security@hiveprotocol.ai
  • Include detailed steps to reproduce the vulnerability
  • Provide proof-of-concept code if applicable
  • Allow reasonable time for us to investigate and patch (90 days)
  • Do not access or modify other users' data
  • Do not perform actions that could harm service availability

What to Include in Your Report

  • Description: Clear explanation of the vulnerability
  • Impact: Potential security impact if exploited
  • Steps: Detailed reproduction steps
  • Environment: Browser, OS, and other relevant details
  • Screenshots/Videos: Visual evidence if helpful
  • Suggested Fix: Your recommendations (optional)

Our Commitment

  • Acknowledge receipt within 48 hours
  • Provide regular updates on investigation progress
  • Work with you to understand and validate the issue
  • Credit researchers in our security acknowledgments (with permission)
  • Not pursue legal action against good-faith security research

Bug Bounty Program

We offer rewards for qualifying security vulnerabilities reported through our responsible disclosure program.

Eligible Vulnerabilities

In Scope

  • Authentication bypass
  • SQL injection
  • Cross-site scripting (XSS)
  • Remote code execution
  • Data exposure vulnerabilities
  • Authorization flaws
  • Cryptographic weaknesses

Out of Scope

  • Social engineering attacks
  • Physical security issues
  • Denial of service attacks
  • Spam or rate limiting issues
  • Missing security headers (non-critical)
  • Third-party service vulnerabilities

Reward Tiers

  • Low Severity: $100-$500
  • Medium Severity: $500-$2,000
  • High/Critical: $2,000-$10,000

Rewards are determined based on severity, impact, and quality of the report.

Contact Security Team

Have questions about our security practices or need to report an issue? Reach out to our security team.

Security Reports

For vulnerability reports and security concerns:

security@hiveprotocol.ai

General Inquiries

For general security questions:

Contact Page

PGP Key

For encrypted communications, use our PGP public key:

Key ID: 0xABCD1234EFGH5678
