OPENHIVE TRUST CENTER · LAST UPDATED 04/21/2026

Enterprise-grade trust,
built into every agent.

A single source of truth for OpenHive's security posture. Every control, audit, policy, and incident — in one place, always current, available to your procurement team in under five minutes.

Trust centerv3.2 · 14 docs public · 22 under NDA
Uptime (90d)99.994% · status.hive.dev
Last auditSOC 2 Type II · Feb 2026 · clean
Incident statusno active incidents

Start your security review

View and download security information. Sign an NDA in-line, drop straight into procurement, skip the email chain.

Get access Bulk download
Overview

Welcome to OpenHive's Trust Center. We build agent-native infrastructure for operators who cannot afford a bad day — so we treat the platform's security posture like we treat our runtime: observable, versioned, and reproducible.

Every certification on this page is independently audited. Every document is version-pinned. Every incident is written up within 72 hours, whether or not you'd ever notice. We run the control plane for your agents — they run your ops, your finance, and your customer-facing workflows — and that asks for a higher bar than most SaaS.

This Trust Center is a reflection of our security commitments. If you need evidence that isn't here, email security@hive.dev — we reply within one business day.

Compliance
SOC 2SOC 2
ISO 27001ISO 27001
ISO 27701ISO 27701
ISO 42001ISO 42001
HIPAAHIPAA
GDPRGDPR
CCPACCPA
CSA STARCSA STAR
PCI DSSPCI DSS
FedRAMP*FedRAMP*
TX-RAMPTX-RAMP
EU AI ActEU AI Act
§02 Documents

Evidence, not marketing.

Document Library · 14 public · 22 under NDA
Featured documents
REPORT · 62ppSOC 2 Type II Report
REPORT · 4ppISO 27001 Certificate
REPORT · 48ppStandalone Pen Test Report
REPORT · 22ppRed Team Exercise Summary
POLICY · 3ppHive Certificate of Insurance
DOCUMENT · 12ppPCI DSS Attestation v4.0
DATA PRIVACY · 30ppSupply Chain RVQ
DOCUMENT · 18ppIncident Response Playbook
View all 36 documents
§03 Control coverage

Every control, visible.

Export as VSA-Full
Risk Profile§03·01

Risk Profile

  • Data Access LevelInternal
  • HostingMajor Cloud Providers
  • Geographic scopeUS · EU · APAC
  • Risk reviewsQuarterly
View more
Product Security§03·02

Product Security

  • Audit Logging
  • Data Security
  • Service Level Agreement
  • Role-based access control
View more
Reports§03·03

Reports

  • Audit Pentest Remediation Schedule
  • Audit Pentest Report
  • BCDR / Crisis Management
  • Quarterly executive review
View more
Self-Assessments§03·04

Self-Assessments

  • CAIQ (Cloud Security Alliance)
  • VSA-Full
  • SIG Lite
View more
Data Security§03·05

Data Security

  • Data Retention
  • Encryption at rest (AES-256)
  • Encryption in transit (TLS 1.3)
  • Per-colony key isolation
View more
Legal§03·06

Legal

  • Subprocessors
  • Customer Audit Rights
  • Data Protection Agreement
  • Terms of Service
View more
Data Privacy§03·07

Data Privacy

  • Cookies
  • Data Breach Notifications
  • Data Privacy Officer
  • Training-data opt-out by default
View more
Infrastructure§03·08

Infrastructure

  • AWS us-east · eu-west · ap-south
  • Hive Cloud Network Diagram
  • Edge runtime: Cloudflare Workers
  • Zero-trust internal network
View more
Disaster Recovery§03·09

Disaster Recovery

  • Real DR Test Report
  • Standard BCDR Test Report
  • NIST CSF Report
  • RPO 1h · RTO 4h
View more
Policies§03·10

Policies

  • Acceptable Use Policy
  • Secure Development Addendum
  • Worker (agent) safety policy
  • Vendor risk management
View more
Incident Response§03·11

Incident Response

  • External / Third-Party Scan
  • Recent Security Reviews
  • 24/7 security on-call
  • Bug bounty via HackerOne
View more
AI & Agent Governance§03·12

AI & Agent Governance

  • Model routing policy
  • Agent spend caps (hard stop)
  • Replay & audit for every run
View more
§04 Knowledge Base

Fast answers, no email chain.

Search the Knowledge Base (FAQ)
Main telephone numbers
Security hotline: +1 (415) 555-HIVE · Incident response: security-ir@hive.dev · Legal: legal@hive.dev. For customer support incidents, file a ticket from inside the app — our on-call picks up within 15 minutes.
Does OpenHive have an AI governance policy?
Yes. We publish a versioned AI Governance Policy covering model selection, training-data lineage, red-teaming, and customer opt-out. Every hive-hosted model is tagged with a provenance hash, and customers can restrict agent runs to specific model families (e.g. EU-only, no-reasoning).
What is OpenHive's third-party risk management program?
We maintain a subprocessor registry that is refreshed on every quarterly review. New vendors go through a security questionnaire, data-flow mapping, and a documented risk assessment before they touch production. Customers receive 30 days notice on material subprocessor changes.
Does OpenHive have a third-party vulnerability disclosure program?
Yes — we run a public bug bounty on HackerOne with bounties up to $25,000 for critical issues. Safe-harbor language is included. For sensitive disclosures, email security@hive.dev with our PGP key (fingerprint in the footer).
Where are workloads hosted?
Cloud Hive runs on AWS across us-east-1, eu-west-1, and ap-south-1 with strict data-residency pinning. Desktop workers run wherever you install the app. Some edge routing flows through Cloudflare Workers, which never see payload.
View all 24 answers →
§05 Trust Center Updates

Every incident, within 72 hours.

Trust Center Updates · RSS available

SOC 2 Type II Report — Feb 2026 (clean)

General
February 18, 2026

Our annual SOC 2 Type II observation window closed on January 31, 2026. We received a clean report — zero exceptions across the Trust Services Criteria: Security, Availability, Confidentiality, and Processing Integrity.

The full report is available under NDA in the Documents section above. Customers on Business plans can have it sent directly to their procurement contacts.

Cloud Hive VM — CVE-2026-0142 (libssh2) — patched in 4h

VulnerabilityResolved
January 29, 2026

A high-severity vulnerability was disclosed in libssh2, used by a small subset of our Cloud Hive VM tooling images. We received the advisory at 09:14 UTC and pushed patched images across all regions by 13:28 UTC on the same day.

Impact

No exploit attempts observed. The vulnerable path required a specific MITM posture on an internal build path not exposed to customer traffic. No customer data accessed.

What we did
  • Rebuilt and rolled out base images across us-east-1, eu-west-1, ap-south-1
  • Rotated any credentials that had been used on the affected images, out of an abundance of caution
  • Added a dependency-watch rule to our CI that pre-emptively surfaces libssh2 advisories
What you should do

Nothing. This patched automatically. If you're running self-hosted workers on Linux and you use libssh2 for side tools, bump to 1.11.3+.

Spear-phishing attempt impersonating OpenHive support

IncidentResolved
January 12, 2026

Our security team detected a coordinated phishing campaign sending emails that appeared to be from support@hive-sec.dev (note the hyphen — our real domain is hive.dev). The emails asked recipients to 'reconfirm their agent keys' on a lookalike login page.

Key takeaways
  • OpenHive did not experience any system compromise. No customer data was accessed.
  • We do not ask you to reconfirm your keys by email — ever.
  • The lookalike domain was taken down within 11 hours of discovery.
Action required

If you received one of these emails, please forward it to phishing@hive.dev and delete it. We've published IOCs in our detections repo.

If you need help using the Trust Center, please contact: Contact support
PGP 9E4C · 1F82 · A3D7 · 4B90
© 2026 Aden Inc. Hive is an Aden productstatus · security · privacy · terms