Security Policy
Last updated: March 23, 2026
1. Overview
HammerAI Inc. is committed to protecting the security and integrity of customer data across our products: HammerLedger and HammerR&D. This policy describes the security controls, practices, and procedures we maintain to safeguard your information.
2. Infrastructure Security
- All production services are hosted on Digital Ocean (HammerLedger) and Atlassian Forge (HammerR&D), both SOC 2-compliant hosting providers.
- All data in transit is encrypted using TLS 1.2+ (HTTPS enforced on all endpoints).
- TLS (SSL) certificates are provisioned via Let's Encrypt with automated renewal.
- Production servers are firewalled with only necessary ports exposed (HTTPS, SSH with key-based authentication only).
- Database access (Neo4j) is restricted to internal container networks and requires authentication credentials.
3. Application Security
- Authentication: All user authentication is managed by Clerk, a SOC 2 Type II-certified identity provider. We support Google OAuth and email/password sign-in with multi-factor authentication.
- Authorization: Every API request is verified server-side against Clerk's backend API. User roles (client, consultant, client reviewer) are enforced at the API layer — the backend never trusts client-supplied role claims.
- Input Validation: All user inputs are validated and sanitized before processing. API endpoints enforce strict type checking and reject malformed requests.
- Cryptographic Integrity: HammerLedger uses a multi-layer SHA-256 cryptographic seal to ensure evidence chain integrity. Any modification to sealed data is detectable.
- Data Isolation: Each ledger's data is isolated per user. Consultant and client data are separated, with explicit access grants required for cross-user visibility.
4. Third-Party Security
We integrate with the following third-party services and apply the principle of least privilege to all integrations:
- Anthropic (Claude API): Used for AI-powered R&D analysis. Data sent to Anthropic is processed in real time and is not retained by Anthropic beyond the API call per their data retention policy.
- Stripe: Handles all payment processing. We do not store credit card numbers or payment credentials on our servers.
- Atlassian Forge: HammerR&D runs entirely within the Forge sandbox. App secrets (API keys) are stored using Forge's encrypted variable storage. The app requests only the minimum JIRA scopes required (read:jira-work).
5. Secrets Management
- All API keys, database credentials, and signing secrets are stored in environment variables on the production server — never committed to source code.
- HammerR&D secrets are stored using Atlassian Forge's encrypted variable storage.
- Access to production credentials is restricted to authorized personnel only.
- Secrets are rotated periodically and immediately upon any suspected compromise.
6. Dependency Management
- We run npm audit (software composition analysis, SCA) on all projects before deployment to identify known vulnerabilities in third-party dependencies.
- Critical and high-severity vulnerabilities are resolved before any release.
- Dependencies are kept to a minimum to reduce the attack surface.
7. Vulnerability Management
- Critical vulnerabilities (CVSS 9.0+): Patched within 24 hours of discovery.
- High vulnerabilities (CVSS 7.0–8.9): Patched within 7 days.
- Medium vulnerabilities (CVSS 4.0–6.9): Patched within 30 days.
- Low vulnerabilities (CVSS below 4.0): Addressed in the next scheduled release.
8. Incident Response
In the event of a security incident, we follow this process:
- Identification: Detect and classify the incident based on severity and scope.
- Containment: Immediately isolate affected systems to prevent further exposure.
- Investigation: Determine the root cause, affected data, and blast radius.
- Notification: Affected customers are notified within 72 hours of confirmed data breaches, in accordance with GDPR and applicable regulations.
- Remediation: Fix the underlying vulnerability and deploy the patch.
- Post-Incident Review: Document lessons learned and update controls to prevent recurrence.
9. Access Control
- Production server access is limited to authorized personnel via SSH with key-based authentication.
- Code changes require review before deployment to production.
- Third-party service accounts use the minimum permissions required for operation.
10. Reporting a Security Issue
If you discover a security vulnerability in any HammerAI product, please report it responsibly by contacting us at:
We take all reports seriously and will acknowledge receipt within 48 hours. We ask that you give us reasonable time to investigate and address the issue before making any public disclosure.