Security.
Hachimi runs agents that touch your real accounts. We take that seriously. The summary below covers the practices we apply by default — for a deeper conversation (DPA, SOC 2 evidence, custom deployment), email security@hachimi.io.
Credentials encrypted at rest
OAuth tokens and any secrets you paste are encrypted per-agent with keys managed in our KMS. Application code reads them only at tool-execution time; they never enter LLM prompts.
Per-agent isolation
Every agent gets its own VPS. Files, sessions, and cookies stay on that box and are never shared across agents — yours or anyone else's.
Disconnect = wipe
Click "Disconnect" on a connector and the matching token is deleted from our database within seconds. Re-authorizing requires a fresh OAuth flow.
Compute on AWS, data on Supabase
Agent VPSes run in AWS us-east-1 (and EU on request). Application data and auth live in Supabase Postgres with row-level security. No multi-tenant data crosses agent boundaries.
Audit trail per run
Every tool call, model call, and file write is logged with timestamps. You can replay any agent run and see exactly which tool ran, with what input, and what came back.
SOC 2 Type I in progress
We're in active observation with our auditor. Drift, our compliance platform, tracks the controls. Full report expected H2 2026; happy to share interim attestations under NDA.
Reporting a vulnerability
Found something? Email security@hachimi.io with reproduction steps and expected impact. We acknowledge within 24 hours and aim to ship a fix within 7 days for high-severity issues. Public disclosure is coordinated and follows 30 days after the patch ships.
Subprocessors
Hachimi uses Anthropic (LLM provider), AWS (compute), Supabase (database + auth), Stripe (billing), and Vercel (web hosting). The full subprocessor list with locations is in our DPA — see /dpa.