Security Policy
Last Updated: January 12, 2026
This Security Policy describes the security principles, controls, and practices implemented by Hexel Studio, Inc. ("Hexel," "Company," "we," "us") to protect the confidentiality, integrity, and availability of the Hexel Studio platform and customer data.
This Security Policy is incorporated by reference into the Terms and Conditions and applies to all Services.
1. Security Philosophy
Hexel Studio is designed as enterprise infrastructure, not a consumer application. Security is treated as a foundational system property, not a feature.
Our core principles are:
- Governance before intelligence
- Explicit permissions over implicit trust
- Auditability over convenience
- Isolation over shared risk
- Fail-safe defaults over permissive behavior
3. Identity and Access Management
Hexel enforces strict identity and access controls, including:
- Role-based access control (RBAC)
- Environment-scoped permissions
- Least-privilege defaults
- Credential rotation and revocation mechanisms
Access to sensitive operations may require explicit approval workflows.
4. Environment Isolation
Hexel employs logical isolation across:
- Organizations
- Workspaces
- Environments (e.g., production, staging, sandbox)
Agents, data sources, and knowledge stores are scoped to environments. Cross-environment access is prohibited unless explicitly authorized.
5. Data Security
5.1 Encryption
- Data is encrypted in transit using industry-standard protocols
- Data at rest is encrypted using strong encryption algorithms
5.2 Data Access
- Access to customer data is limited to authorized systems and personnel
- Internal access is logged and monitored
- Customer data is never accessed for purposes outside service delivery and support
6. Logging, Monitoring, and Auditability
Hexel maintains comprehensive logging, including:
- Authentication and access events
- Agent execution traces
- Action requests and approvals
- Errors and system events
Logs are designed to be immutable and tamper-resistant to support forensic analysis.
7. Agent Execution Safety
Agents operate under:
- Explicit permissions
- Policy enforcement
- Action gating
- Continuous observability
Agents cannot execute actions outside defined constraints. Silent or unlogged actions are not permitted.
8. Vulnerability Management
Hexel maintains a vulnerability management program that includes:
- Regular security assessments
- Dependency monitoring
- Patch management
- Secure configuration practices
Identified vulnerabilities are prioritized and remediated based on risk.
9. Incident Response
Hexel maintains an incident response process to:
- Detect and analyze security incidents
- Contain and mitigate impact
- Restore normal operations
- Notify affected customers as required by law or contract
Incident response activities are documented and reviewed.
10. Subprocessors and Third Parties
Hexel may use subprocessors to provide infrastructure or services. Subprocessors are:
- Evaluated for security practices
- Contractually required to protect data
- Subject to ongoing oversight
A list of subprocessors is made available separately.
11. Business Continuity and Resilience
Hexel designs systems to support:
- Fault tolerance
- Redundancy where appropriate
- Controlled recovery from failures
While high availability is a goal, no uptime guarantees are made unless expressly agreed.
12. Compliance and Certifications
Hexel aligns its security practices with recognized industry standards and frameworks. However, unless expressly stated in writing, Hexel does not represent that it holds specific certifications.
13. Customer Security Reviews
Hexel may provide reasonable information to support customer security assessments, subject to confidentiality and security considerations.
14. Policy Updates
Hexel may update this Security Policy from time to time. Continued use of the Services constitutes acceptance of the updated policy.
15. Contact Information
Security-related inquiries may be directed to: