SECURITY

Last updated: March 1, 2026

At Hermes, security is foundational to everything we build. We understand that our customers trust us with their creative assets, proprietary data, and intellectual property. This page outlines our security practices, infrastructure protections, and commitment to safeguarding your data.

1. INFRASTRUCTURE & HOSTING

Hermes is hosted on enterprise-grade cloud infrastructure with data centers across multiple geographic regions. Our infrastructure leverages automatic scaling, redundancy, and failover systems to ensure high availability. All production systems run in isolated virtual private clouds with strict network segmentation. We employ defense-in-depth strategies including web application firewalls, DDoS protection, and intrusion detection systems. Our infrastructure is continuously monitored with automated alerting for anomalous activity, resource utilization spikes, and potential security events. We maintain a 99.9% uptime SLA for production services.

2. ENCRYPTION & DATA PROTECTION

All data transmitted between your device and Hermes is encrypted using TLS 1.3. We enforce HSTS headers and support only modern cipher suites. Certificate pinning is implemented in our mobile applications. Data at rest is encrypted using AES-256 encryption. Database backups are encrypted and stored in geographically separate locations. Encryption keys are managed through a dedicated key management service with automatic rotation. Sensitive credentials and API keys are stored in hardware security modules (HSMs). We never store passwords in plaintext — all passwords are hashed using bcrypt with per-user salts.

3. COMPLIANCE & CERTIFICATIONS

Hermes is committed to meeting industry-standard compliance requirements. We are currently pursuing SOC 2 Type II certification and conduct annual third-party security audits. We comply with GDPR for European users, CCPA for California residents, and other applicable data protection regulations. Our data processing agreements are available upon request for enterprise customers. All employees undergo background checks and mandatory security training upon hiring and annually thereafter. Access to production systems follows the principle of least privilege with mandatory multi-factor authentication.

4. INCIDENT RESPONSE

We maintain a comprehensive incident response plan that is tested and updated regularly. Our incident response team is available 24/7 and follows a structured process for detection, containment, eradication, and recovery. In the event of a security incident that affects your data, we will notify affected users within 72 hours in accordance with applicable regulations. Notifications will include the nature of the incident, affected data, steps taken, and recommended actions. We conduct post-incident reviews for all security events to identify root causes and implement preventive measures. Lessons learned are documented and incorporated into our security practices.

5. VULNERABILITY REPORTING

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please report it to security@hermes.do. We ask that you:

- Provide detailed information about the vulnerability, including steps to reproduce.
- Allow reasonable time for us to investigate and address the issue before public disclosure.
- Do not access, modify, or delete other users' data during your research.

We commit to acknowledging reports within 24 hours, providing an initial assessment within 5 business days, and keeping you informed of our progress. We do not pursue legal action against researchers who follow responsible disclosure practices. For critical vulnerabilities, we offer recognition in our security hall of fame. Contact security@hermes.do to learn more about our responsible disclosure program.