Security & Trust Center

How HeyHi handles isolation, encryption, your keys and cloud, audit, and compliance — for engineering and security teams evaluating the platform.

Every claim below is gated against our internal Enterprise Readiness Review. Live means shipped and verified. In progress and Roadmap items are labeled as such — we do not state unshipped controls as live.

Multi-tenant data isolation

Live

Every record is keyed and queried per tenant, behind tenant-context middleware. Isolation is enforced at the data layer, not just the application layer.

Encryption

Live

Data is encrypted at rest with AWS KMS (encrypted persistent state) and in transit with TLS. Tenant secrets and BYO keys are stored via KMS-backed encryption.

Bring Your Own Key (BYOK)

Live

Use your own LLM provider key. BYOK spend is recorded at raw provider cost with zero markup — we make your tokens accountable, we do not mark them up.

Spend accountability & guardrails

Live

Every AI dollar is traced to a shipped feature via the Spend-to-Feature Ledger, with receipts, orphaned-spend flagging, and per-team budgets that warn or block before overspend.

Audit trail

Live

Security-relevant actions — run triggers, budget/billing blocks, configuration changes — are written to an immutable, append-only, tenant-scoped audit log, viewable and exportable to CSV inside the app.

Runtime sandboxing

In progress

Agent execution runs on AWS ECS Fargate with IAM-scoped roles and network controls. Fully per-execution ephemeral, egress-restricted sandboxing is an active hardening item and is not yet claimed as complete.

Per-tenant key encryption context

In progress

KMS encryption with per-tenant binding (encryption context) and removal of any non-KMS fallback is being hardened per our internal readiness review before we state it as fully live.

GDPR & EU AI Act alignment

In progress

For Delivery Hero EU brands: PII-redacted logging and explicit tenant opt-in before any source leaves the tenant boundary, with a documented data-flow for GDPR and the EU AI Act, are in progress. We do not currently claim certification.

Bring Your Own Cloud (BYO-cloud)

Roadmap

Deploying the platform into your own AWS account is on the roadmap for regulated and data-residency-sensitive customers.

Enterprise SSO & SCIM

Roadmap

SAML/OIDC single sign-on and SCIM user provisioning (via Amazon Cognito / IAM Identity Center) are planned. Today authentication is GitHub OAuth with tenant-scoped sessions.

Start onboarding