Trust Center · Updated 2026-Q2

Last updated 2026-07-07

Engineered for audit. Honest about certification.

We do not publish certifications we have not earned. This page is what an enterprise security team, a privacy officer, a regulator or a procurement lead needs to evaluate Hikari Blue. Nothing is behind a sales gate. Everything material is here.

Owner: Compliance practice Next review: 2026-Q4 direct email

Request the trust pack under NDA

Includes: security posture, data residency model, AI audit-trail approach, sub-processors list, DPA template, compliance roadmap.

Standards posture

Where we stand, in plain language.

Status is current as of publication. We do not pre-announce, we do not market certifications we have not earned, and we do not retrofit evidence the week before an audit.

Standard Status Evidence
SOC 2 Type II Scheduled Q3 2026 Program scheduled to start in Q3 2026. Auditor selection in progress. Control mapping documented across availability, confidentiality and processing integrity.
ISO 27001 Target 2027 Information security management system documented. Statement of Applicability draft maintained. Certification audit targeted for 2027.
GDPR & CCPA Available Privacy notice published. DPA available on request. Sub-processors list maintained (see below). Data subject request procedure documented.
EU AI Act Architecture property Hikari Blue Ops engineered to produce audit-trail evidence required by the regulation. Not a certification: an architecture property. Article 12 (record-keeping) and Article 14 (human oversight) addressed by design. Article 4 (AI literacy) is operationalized through dated, role-resolved training paths, in force since 2 February 2025. See the literacy delivery path
DORA / NIS2 Engagement-scoped Engagements in financial services and critical infrastructure include scoped DORA / NIS2 readiness work: ICT risk register, third-party concentration, incident reporting timelines, resilience testing alignment.
HIPAA / MDR Engagement-scoped Healthcare engagements include scoped HIPAA (US) and MDR (EU) readiness: PHI handling, BAA template, software-as-medical-device classification framework, post-market surveillance design.

Request the full compliance roadmap under NDA

Sub-processors

Who else can touch your data, and why.

Sub-processors are explicitly scoped to the workload. Engagements requiring strict residency or zero-cleartext processing run on a reduced subset documented in the engagement-specific DPA addendum.

Sub-processor Purpose Region
Anthropic LLM inference for Hikari Blue Ops, when Claude model selected. US · EU
OpenAI LLM inference, when GPT model selected. Enterprise tier, zero retention. US
Mistral AI LLM inference, when Mistral model selected. Sovereign EU option. EU
Google Cloud Optional compute and Gemini model inference, engagement-scoped. US · EU · Asia
Netlify Edge hosting for hikariblue.com and engagement static surfaces. Global edge
Cloudflare DDoS mitigation, WAF, edge cache. No origin traffic decryption. Global edge

Sub-processors list maintained quarterly. Material changes notified to engagement clients with thirty-day notice. Request the engagement-specific list

Data residency

Residency by design, not by sales motion.

Data residency is selectable per workload at engagement time, not retrofitted after audit. The architecture supports the strictest applicable framework, not the average.

Region Default posture Available stricter postures
European Union EU-residence compute, EU-residence storage, EU-residence model inference (Mistral or Anthropic EU). France HDS Germany BSI C5
United States US-residence compute and storage. Standard SOC 2 control set. FedRAMP-aligned HIPAA scope
Mainland China In-country compute and storage via partner. Cross-border transfer controls per PIPL. PIPL strict
United Kingdom UK-residence compute and storage. UK GDPR baseline. NHS DSP toolkit

Security architecture

Six properties of the operating layer.

  • Encryption

    TLS 1.3 in transit. AES-256 at rest. Key rotation on a 90-day cycle. Customer-managed keys available for sensitive workloads.

  • Access control

    Least-privilege by default. Quarterly access review. SSO/SAML and MFA enforced on all operator accounts. Just-in-time elevation for sensitive operations.

  • Audit trail

    Every prompt, every model output, every operator action, every override. Immutable, queryable, exportable. Retained per engagement contract, minimum twelve months.

  • Kill switch

    Per workload, per model, per user. Halt, throttle or roll back in seconds. Tested quarterly. Not a feature retrofitted before audit: a property of the architecture.

  • Vulnerability management

    Dependency scanning on every build. Quarterly third-party penetration test scheduled from Q3 2026. Patch SLAs aligned to CVSS severity.

  • Operator training

    Annual security and privacy training. Confidentiality and data handling rehearsed on every engagement kick-off. Background checks for senior operators on sensitive engagements.

Incident response

If something breaks, here is what happens.

We treat incident response as part of the operating model, not as a PR exercise. The procedure is documented, rehearsed, and traceable in the audit trail.

  1. 01

    Detect

    Observability on every production workload. Anomaly alerts on token cost, latency, error rate, and unusual prompt patterns. Operator on-call across three time zones.

  2. 02

    Contain

    Kill switch engaged at workload, model or user level. Affected scope identified within thirty minutes. Customer informed via the engagement channel within one hour for material incidents.

  3. 03

    Investigate

    Audit trail walked end-to-end. Root cause documented. Forensic export available to customer security team on request. Coordinated disclosure if regulator notification required.

  4. 04

    Resolve and retire

    Permanent fix shipped with regression test. Lessons-learned memo signed by the named partner. Procedure updated. Customer post-mortem within two business days for material incidents.

Regulator notification timelines (GDPR 72h, DORA 4h major incident, NIS2 24h early warning) are pre-mapped per engagement. The framework is part of the engagement DPA, not a discovery during the incident.

Responsible disclosure

Found a vulnerability? Tell us first.

We welcome coordinated vulnerability disclosure from researchers, customers, and operators. We commit to acknowledge within two business days, triage within five, and publish a coordinated disclosure when fix is shipped.

Report a vulnerability

PGP key available on request. We do not pursue legal action against good-faith security research conducted under the Hikari Blue safe-harbor terms.

Scope

hikariblue.com, hikariblue.com sub-domains, Hikari Blue Ops platform (production), engagement-specific surfaces under explicit authorisation.

Out of scope: third-party sub-processor surfaces (report to vendor directly), DOS attacks, social engineering, physical surfaces.

Privacy & DPA

Privacy is a contract property, not a marketing posture.

  • Privacy notice

    Published. Covers what we collect on hikariblue.com (minimal: theme/language preferences in localStorage, no analytics on visitors by default), how we handle inbound forms (Netlify Forms, routed to Notion via Make), and retention.

    Read the privacy notice

  • Data Processing Agreement (DPA)

    Standard DPA template available on request. Includes engagement-scoped sub-processors annex, Standard Contractual Clauses (EU), and incident notification timelines aligned to GDPR / DORA / NIS2.

    Request the DPA template

  • Sub-processors notification

    Material sub-processor changes notified with thirty-day notice to engagement clients via the contracted communication channel.

  • Data subject requests

    Procedure documented for access, rectification, deletion, portability and objection. Response within thirty days, ten days when statutory.

    direct email

Legal & contractual framework

Published here so the RFP starts at question five. Our MSA template incorporates each of these as a baseline. Sector-specific addenda for Financial Services, Healthcare and Luxury available on request.

  • Liability framework

    Standard cap at the value of the engagement, computed on the executed Statement of Work. Carve-outs for confidentiality breach, gross negligence and IP infringement follow Texas commercial code defaults. Sector-specific uplift available where regulation requires (DORA-scoped engagements, HIPAA-covered work, EU AI Act high-risk classification).

  • IP ownership at exit

    All custom code, custom models, fine-tunes, prompt libraries, runbooks and operating documentation produced under the engagement belong to the client at exit. Hikari Blue retains a non-exclusive licence to internal frameworks and reusable components, listed exhaustively in MSA Appendix A. No black box. No surprise licence fee at handover.

  • Audit rights

    The client is entitled to one scheduled annual audit of Hikari Blue operations relevant to the engagement, plus any regulator-mandated audit (DORA, NIS2, HIPAA, MDR, sector authority). Scope, notice period and confidentiality terms defined in DPA. Cooperation extends to sub-processors via flow-down clauses.

  • MSA template

    Master Services Agreement template available under NDA, in English and French. Includes: services and SOW process, fees and invoicing, IP, confidentiality, data processing (links to DPA), liability cap and carve-outs, term and termination, dispute resolution. Negotiation governance: a named partner reviews any deviation request inside seventy-two hours.

    Request the MSA template under NDA

Insurance & financial posture

Coverage that matches the work we sign.

Certificates and carrier names available under NDA. The summary is published here so RFP review does not stall on insurance attachments.

  • Professional liability (Errors & Omissions)

    Coverage scaled to the typical engagement value bracket. Sector-specific limits available where required by client framework or regulation. Carrier is a Tier-1 international underwriter, named in MSA Appendix B.

  • Cyber liability

    Coverage includes first-party incident response, notification costs, regulatory defence costs, business interruption and third-party claims. Scoped to the technical perimeter of each engagement. Aligned with DORA and NIS2 incident response timelines published in section 5 of this page.

  • General commercial liability

    Standard commercial general liability coverage held against UNITED4 LLC. Certificates of Insurance available to client procurement and risk teams within forty-eight hours of NDA execution.

  • Financial standing

    UNITED4 LLC registered in Texas, USA. Hikari Blue brand founded in Europe in 2016, US trademark registered in 2025. Bank references and current financial standing letter available under NDA. Annual financial report from fiscal year 2026 onward.

    Request insurance and financial pack under NDA

Supply chain security

Build provenance, signed. Keys, customer-held.

The supply chain controls a CISO needs in front of a board, beyond perimeter security and incident response.

  • SBOM per engagement

    Software Bill of Materials generated and signed for every production build of every engagement we sign. Format: SPDX or CycloneDX, client preference. Includes direct and transitive dependencies, license inventory, known CVE status at build time. Delivered with each release and on demand for incident response.

  • SLSA Level 3 by default

    Build pipelines aligned with SLSA Level 3 supply chain integrity: hermetic builds, signed provenance, isolated build environments, two-party review on protected branches. SLSA Level 4 available where the client risk profile and regulator (DORA Article 28, NIS2 Article 21) require it.

  • Customer-managed keys (CMK)

    Supported for production engagements on AWS KMS, Azure Key Vault, GCP KMS and HashiCorp Vault (self-hosted or HCP). Key material remains in client custody at all times. Hikari Blue holds operational role bindings, never key material. Documented in DPA technical annex.

  • Third-party security assessments

    External penetration test summary available under NDA, refreshed on the cycle defined per engagement (annual minimum, quarterly for high-risk workloads). SIG Lite and CAIQ Lite questionnaires available for vendor risk programs. Custom risk questionnaires accepted with forty-eight hour turnaround.

    Request pentest summary and SBOM sample under NDA

Procurement, security, audit teams

The full compliance roadmap is one email away.

Under NDA, we share the full control mapping, the engagement-specific DPA addendum, the security architecture document, and the next twelve months of compliance milestones. A named partner responds within one business day.