
Compliance & CISO FAQ

This page consolidates the most common security questions from CISOs, security teams, and procurement reviewers. All answers reflect HatiData's in-VPC deployment architecture where customer data never leaves the customer's network.

Data Sovereignty

Q: Where is my data processed? A: All data processing occurs within your VPC. Data never leaves your network. The HatiData query engine (proxy + DuckDB) runs on compute instances inside your VPC, reading from your S3 bucket and caching on encrypted NVMe storage within your VPC.

Q: Does HatiData have access to my data? A: No. The engine runs in your VPC with your IAM roles. HatiData staff cannot access your data. There are no shared credentials, no cross-account access, and no SSH/SSM access to customer instances.

Q: What data does HatiData collect? A: Only anonymized usage metrics (query count, latency distributions, credit consumption) for billing purposes. No query content, no query results, no schema information.

Q: Who are HatiData's sub-processors? A: Cloud infrastructure services only (AWS, GCP, or Azure depending on your deployment). No other third parties have access to customer data or metadata.

Q: Can I control which region my data stays in? A: Yes. You select the region during provisioning. All compute, caching, and audit storage remain within that region. No cross-region replication unless you explicitly configure it.

Q: How is data handled at contract termination? A: You retain all data in your storage bucket. HatiData compute resources are terminated, and NVMe caches are cryptographically erased using cryptsetup luksErase. No data is retained by HatiData.


Encryption

Q: What encryption is used? A: CMEK via AWS KMS / GCP Cloud KMS / Azure Key Vault (at rest), TLS 1.3 (in transit), LUKS AES-256-XTS (NVMe cache).

Q: Can I bring my own encryption keys? A: Yes. Customer-Managed Encryption Keys (CMEK) are required. You provide your KMS key ARN during provisioning.

Q: Is TLS 1.2 supported? A: No. TLS 1.3 only. No downgrade negotiation is permitted.

Q: How often are encryption keys rotated? A: AWS KMS automatic annual rotation is enabled by default. Customers can configure custom rotation schedules or trigger manual rotation at any time. API keys support automatic rotation with a 72-hour grace period.

Q: What encryption algorithm is used for NVMe cache? A: LUKS with AES-256-XTS. The encryption key is derived from the customer's KMS key at instance boot. The LUKS partition is cryptographically erased on instance termination.

Q: Is encryption enforced or optional? A: Enforced. TLS 1.3 in transit and CMEK at rest are mandatory. There is no option to disable encryption.


Access Control

Q: How are API keys managed? A: Keys are hashed with Argon2id (per-key salt), scoped to environments, with automatic rotation and expiration alerts. The plaintext key is shown only once at creation time.

Q: Does HatiData support SSO? A: Yes, via WorkOS integration supporting SAML 2.0, OIDC, Okta, Azure AD, and Google Workspace.

Q: Can I enforce MFA? A: Yes. Organization-wide MFA enforcement is configurable. Supported methods: TOTP (Google Authenticator, Authy) and WebAuthn (hardware security keys).

Q: How are service accounts scoped? A: Service accounts are limited to query execution only with environment-scoped API keys. They cannot perform administrative actions (user management, policy changes, billing).

Q: What granularity does column masking support? A: Column masking is configured per-policy with four functions: full redaction (replace with ***), partial redaction (e.g., last 4 digits), SHA-256 hash, and null replacement. Exemptions are role-based, with additional agent-specific masking rules.
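As an added illustration (not HatiData's own code), the four masking functions listed above with role-based exemptions, in Python; the policy format, column names and role names are assumptions.

```python
import hashlib
from typing import Any, Callable, Dict, Set

# The four masking functions the FAQ lists. Constructed example, not the product's code.
def mask_full(value: Any) -> str:
    """Full redaction: the value is replaced with ***."""
    return "***"

def mask_partial(value: Any, keep_last: int = 4) -> str:
    """Partial redaction: keep only the last `keep_last` characters."""
    s = str(value)
    if len(s) <= keep_last:
        return "*" * len(s)
    return "*" * (len(s) - keep_last) + s[-keep_last:]

def mask_hash(value: Any) -> str:
    """SHA-256 hash: stable token that still allows joins/grouping on the column."""
    return hashlib.sha256(str(value).encode("utf-8")).hexdigest()

def mask_null(value: Any) -> None:
    """Null replacement."""
    return None

MASKERS: Dict[str, Callable[[Any], Any]] = {
    "full": mask_full, "partial": mask_partial, "hash": mask_hash, "null": mask_null,
}

def apply_policy(row: Dict[str, Any], policy: Dict[str, str], role: str,
                 exempt_roles: Dict[str, Set[str]]) -> Dict[str, Any]:
    """Return a copy of `row` with every column named in `policy` masked,
    unless the caller's role is exempt for that column (assumed policy shape:
    policy = {column: masker_name}, exempt_roles = {column: {role, ...}}).
    Missing columns and NULLs pass through untouched."""
    out = dict(row)
    for column, func_name in policy.items():
        if column not in out or out[column] is None:
            continue
        if role in exempt_roles.get(column, set()):
            continue  # role-based exemption: this role sees the clear value
        out[column] = MASKERS[func_name](out[column])
    return out
```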


Audit & Logging

Q: Are query logs immutable? A: Yes. Stored in S3 with Object Lock (7-year retention, Governance mode). Logs cannot be deleted or modified within the retention period.

Q: Can audit logs be tampered with? A: No. S3 Object Lock prevents deletion or modification. Additionally, IAM audit events use SHA-256 hash chaining for tamper detection -- each event references the hash of the previous event, and chain integrity can be verified via the API.

Q: How long are logs retained? A: 7 years. Hot storage for 90 days, S3 Glacier after 90 days, Deep Archive after 1 year.

Q: Is PII automatically redacted from audit logs? A: Yes. Automatic detection and redaction of email, SSN, credit card, and phone number patterns using compiled regular expressions. Redaction occurs before the audit entry is written to storage.
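An added example, not HatiData's implementation, of the two audit-log mechanisms described above: PII patterns are redacted before an entry is written, and each entry carries the SHA-256 hash of the previous one so that any later edit breaks the chain. The regexes, field names and JSON canonicalization are assumptions made for this illustration.

```python
import hashlib
import json
import re
from typing import Dict, List, Optional

# Constructed detection patterns for the four PII classes the FAQ names.
# Order matters: email first (it may contain digits), then structured numbers.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "card": re.compile(r"(?<!\d)\d(?:[ -]?\d){12,15}(?!\d)"),
    "phone": re.compile(r"(?<!\d)(?:\+\d{1,2}[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}(?!\d)"),
}
GENESIS = "0" * 64  # prev_hash of the very first event

def redact(text: str) -> str:
    """Replace each PII match with a class-labelled marker before storage."""
    for name, pat in PII_PATTERNS.items():
        text = pat.sub(f"[REDACTED {name}]", text)
    return text

def canonical(entry: Dict) -> bytes:
    """Deterministic serialization so the hash does not depend on key order."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def append_event(chain: List[Dict], actor: str, action: str, detail: str) -> Dict:
    """Redact, link to the previous event's hash, hash this event, append."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "actor": actor, "action": action,
            "detail": redact(detail), "prev_hash": prev}
    body["hash"] = hashlib.sha256(canonical(body)).hexdigest()
    chain.append(body)
    return body

def verify_chain(chain: List[Dict]) -> Optional[int]:
    """Return the seq of the first inconsistent event, or None if intact.
    A modified event fails its own hash; a re-hashed one is caught by the
    next event's prev_hash, so tampering needs every later hash rewritten."""
    prev = GENESIS
    for i, ev in enumerate(chain):
        if ev.get("seq") != i or ev.get("prev_hash") != prev:
            return i
        body = {k: v for k, v in ev.items() if k != "hash"}
        if hashlib.sha256(canonical(body)).hexdigest() != ev.get("hash"):
            return i
        prev = ev["hash"]
    return None
```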

Q: Are administrative actions audited? A: Yes. A separate IAM audit trail captures all policy CRUD, key rotation, user management, and SSO configuration changes with before/after values.

Q: Can audit logs be exported? A: Yes. Logs are stored in your S3 bucket in JSONL format, partitioned by date. They are compatible with any SIEM that reads S3/JSONL (Splunk, Datadog, Elastic, Sumo Logic).


Network Security

Q: Does data traverse the internet? A: No. All communication uses AWS PrivateLink and VPC endpoints. No public IP addresses are assigned to any resource.

Q: What ports are required? A: Port 5439 (Postgres wire protocol proxy) and port 9090 (Prometheus metrics). Both are restricted to customer-approved CIDR ranges via security groups.

Q: Are public IPs used? A: No. All resources (EC2 instances, NLB, VPC endpoints) use private IP addresses only.

Q: Is DDoS protection provided? A: AWS Shield Standard is included. The internal NLB provides built-in connection-level protection. The proxy has configurable concurrency limits (default: 100 concurrent queries).


Incident Response

Q: What is your incident response SLA? A: P1 (critical): 15-minute response, 4-hour resolution. P2 (high): 30-minute response, 8-hour resolution. P3 (medium): 4-hour response, 48-hour resolution. P4 (low): next business day, next release.

Q: How are security incidents communicated? A: Via configured webhooks, email notification, and a dedicated status page. For P1 incidents, initial acknowledgment within 15 minutes.

Q: What is the breach notification timeline? A: Customer notification within 72 hours of becoming aware of a data breach. Post-Incident Review (PIR) shared within 72 hours for P1/P2 incidents, including timeline, root cause, corrective actions, and follow-ups.

Q: What is HatiData's patching cadence? A: Critical vulnerabilities: 24 hours. High: 7 days. Medium: 30 days. Low: next scheduled release. Updates are distributed as new AMIs via the release channel and applied through Auto Scaling Group rolling updates.


Compliance Frameworks

SOC 2 Type II

HatiData's architecture is designed for SOC 2 Type II compliance. All controls (encryption, access control, audit logging, monitoring, incident response) align with SOC 2 Trust Service Criteria across Security, Availability, Processing Integrity, Confidentiality, and Privacy.

HIPAA

A Business Associate Agreement (BAA) template is available. HatiData's architecture supports HIPAA requirements: PHI stays in the customer's VPC, column masking protects PHI fields, and immutable audit trails provide the accountability trail required by the Privacy and Security Rules.

GDPR

All data processing occurs in the customer's chosen region (data residency). HatiData acts as a data processor per the Data Processing Agreement (DPA). Customers retain full control over data subject rights since HatiData has no access to underlying data. Only anonymized metrics are collected for billing.

PCI DSS

Column-level masking can redact cardholder data (PAN, CVV) in query results. Row-level security restricts access to payment records by role. Immutable audit logs provide the accountability trail required by PCI DSS Requirement 10.


Security Questionnaire

HatiData maintains a pre-filled security questionnaire based on the SIG Lite / CAIQ v4 format, covering:

Section                        Topics
Data Residency & Sovereignty   Data location, HatiData access, sub-processors, regional boundaries
Encryption                     At-rest (CMEK), in-transit (TLS 1.3), key rotation, NVMe encryption
Network Security               PrivateLink, no public IPs, port requirements, DDoS protection
Access Control                 RBAC roles, SSO, MFA, API key management, service account scoping
Audit & Logging                Immutability, retention, PII redaction, admin audit trail
Incident Response              SLAs, breach notification, PIR process, vulnerability patching

To request the complete questionnaire or discuss specific compliance requirements, contact:

Email: security@hatidata.com


Operations

Q: How does HatiData handle capacity planning? A: Auto Scaling Groups automatically scale between configurable min/max instance counts based on CPU utilization. Instance types are selectable. NVMe cache uses LRU eviction at 80% capacity.

Q: What is the backup and recovery strategy? A: Customer data lives in S3 (11 nines of durability). Audit logs use S3 Object Lock with 7-year retention. The proxy is stateless -- the ASG automatically replaces failed instances within 5 minutes. The NVMe cache is ephemeral and is rebuilt from S3 on access.

Q: Does HatiData perform penetration testing? A: The architecture is designed for customer-initiated penetration testing. All components run in the customer's VPC, so customers can pen-test their own deployment without coordination.


Legal entity: Marviy Pte Ltd (Singapore, UEN: 202014065D)
