Security
How we protect your data, your keys, and your code. Last reviewed April 2026.
Encryption
Critical layer: All traffic between the Hypex IDE, the Hypex Worker API, and your AI providers uses TLS 1.3. Data at rest in Cloudflare KV and R2 is encrypted with AES-256. Provider API keys you enter never reach our servers: the IDE stores them locally in the OS secret store (DPAPI on Windows, Keychain on macOS, libsecret on Linux) and uses them only for its own direct connections to your providers.
Authentication
Critical layer: Passwords are hashed with PBKDF2-HMAC-SHA256 (100,000 iterations, per-user salt). Sessions are opaque random tokens, prefixed with "session:", delivered in HttpOnly, Secure, SameSite=Lax cookies. A session expires after 30 days of inactivity and is rotated (old token invalidated, new one issued) on every privileged action.
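The following Python sketch is an added illustration of the mechanics this section describes; it is not Hypex's own code (the service runs on Cloudflare Workers, and its real implementation is not shown on this page). It derives password hashes with PBKDF2-HMAC-SHA256 over a per-user random salt at the stated 100,000 iterations, verifies them in constant time, and issues opaque "session:"-prefixed tokens that are rotated on privileged actions, expire after 30 days of inactivity, and are sent as HttpOnly/Secure/SameSite=Lax cookies. The function names, the in-memory `SessionStore`, the injectable clock and the `hypex_session` cookie name are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000          # iteration count stated in the section above
SALT_BYTES = 16                      # 128-bit random salt, drawn per user
SESSION_PREFIX = "session:"          # opaque-token prefix stated above
SESSION_IDLE_SECONDS = 30 * 24 * 3600  # 30 days of inactivity
COOKIE_NAME = "hypex_session"        # assumed name; the page does not give one


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest and compare in constant time so a timing side channel
    cannot reveal how many leading bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


class SessionStore:
    """Hypothetical in-memory session table keyed by opaque token (stand-in for a KV namespace)."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock so expiry can be tested
        self._sessions: dict = {}

    def create(self, user_id: str) -> str:
        # The token carries no user data; it is only a lookup key for server-side state.
        token = SESSION_PREFIX + secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user_id, "last_seen": self._now()}
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Return the user id for a live token and refresh its idle timer; drop stale tokens."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > SESSION_IDLE_SECONDS:
            del self._sessions[token]          # 30 days idle: session is gone
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def rotate(self, token: str) -> Optional[str]:
        """Called on a privileged action: invalidate the presented token, issue a new one."""
        user = self.lookup(token)
        if user is None:
            return None
        del self._sessions[token]
        return self.create(user)


def session_cookie(token: str) -> str:
    """Set-Cookie value carrying the attributes described above."""
    return (f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Lax; "
            f"Max-Age={SESSION_IDLE_SECONDS}")


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", salt, digest))
    store = SessionStore()
    tok = store.create("user-1")
    print("cookie:", session_cookie(tok))
    print("rotated:", store.rotate(tok) != tok, "old token dead:", store.lookup(tok) is None)
```

The iteration count is a tunable cost parameter, not a fixed property of PBKDF2; OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations, so a deployment should plan to raise it over time and re-hash on next login.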
Data minimization
Defense layer: We store only what the service needs to run: your email, hashed password, plan, and billing references. We do not collect prompts, code, file paths, project content, or AI responses. Telemetry (latency, error counts, model selected) is opt-in and ships only aggregate counters, never request content.
Compliance
Posture layer: GDPR-ready, with full data export and deletion available from /account. Stripe is our payment processor (PCI DSS Level 1), so card data never reaches us. Cloudflare Workers, KV, and R2 run on infrastructure that is SOC 2 and ISO 27001 certified; Hypex itself has not yet completed a SOC 2 audit.
Bug bounty
We don't currently offer cash payouts, but we maintain a hall of fame and credit responsible disclosure in the changelog. High-severity findings may earn a complimentary lifetime Pro+ plan. Test only against your own account; do not access other users' data.
In scope
- hypex.pages.dev and *.hypex.pages.dev
- The Hypex Worker API
- The Hypex IDE extension surface
Out of scope
- Self-XSS, social engineering, physical attacks
- Rate limiting on non-sensitive endpoints
- Missing security headers without a demonstrable exploit
- Findings inside upstream Code OSS / Microsoft repos
Report a vulnerability
Please report privately first. We aim to respond within 48 hours.
mre011512@gmail.com