Trust Center

Built for agents to run production growth.

Hellyeah is the runtime for your AI growth team. That means spend caps, approval gates, an immutable audit log, encryption everywhere, and a clear data contract, by default.

Request the security pack hi@hellyeahai.com

Six pillars

The boring, important guarantees.

Production-grade by default

Every run respects spend caps, approval gates, role-based permissions, and policy rules, out of the box, with no extra config.

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest. Per-tenant encryption keys with rotation. Secrets managed via AWS KMS / GCP KMS.

Your data, your warehouse

Memory writes to your Postgres and parquet snapshots in your S3. We provide adapters; we don't hold the data.

Network isolation

VPC isolation per region. Private link support on enterprise plans. SSO via SAML/OIDC. SCIM for user provisioning.

Immutable audit log

Every action, agent or human, recorded with prompt, output, model, cost, and approver. Exportable, 7-year retention.

Vulnerability program

Continuous static analysis, dependency monitoring, third-party pen tests annually, responsible disclosure with bounty.

Compliance

Certified, audited, and documented.

Framework

Status

ISO 27001

Certified

SOC 2 Type II

In progress

GDPR

Compliant

CCPA

Compliant

EU-US DPF

Self-certified

HIPAA

BAA available

Security FAQ

Common questions, direct answers.

Where does my data live?

Memory writes to your own Postgres and S3 via adapters. Operational metadata (runs, queues, logs) lives in our control plane, hosted in the region you choose (US, EU, AU).

Who can see my prompts and outputs?

Only your org. Every artifact is encrypted with a tenant-specific key. Hellyeah engineering can access encrypted data only with a break-glass procedure that requires customer approval and is logged.

How do approvals work?

Spend caps + policy rules route any flagged action to a configured approver (Slack, email, console). No action over the threshold ships without an approval event recorded in the audit log.

Can I delete my data?

Yes. Self-serve workspace deletion wipes operational metadata immediately and overwrites any encrypted artifacts within 24 hours. Customer-owned warehouses are untouched.