1. Certifications and Attestations
Hypersign maintains a portfolio of independent certifications across security, privacy, and biometric standards. To request any of the underlying reports or certificates, email security@hypermine.de. Reports restricted under their issuer's terms (for example, SOC 2 Type 1) are shared after a signed Non-Disclosure Agreement (NDA), the same business day.
| Attestation | Standard / Issuer | Status |
|---|---|---|
| SOC 2 Type 1 | American Institute of Certified Public Accountants (AICPA) Trust Services Criteria — Security, Availability, Confidentiality. Audited by ATOM (independent service auditor). | Audit-ready; certification in progress. |
| ISO/IEC 27001:2022 | Information Security, Cybersecurity, and Privacy Management System. Certified by Bureau Veritas Certification (ENAC-accredited), certificate nº ES144068. | Audit-ready; certification in progress. |
| iBeta Level 1 PAD | ISO/IEC 30107-3 Biometric Presentation Attack Detection, Level 1. Tested by iBeta Quality Assurance (NIST / NVLAP lab code 200962). | Audit-ready; certification in progress. |
| Government Sandbox Attestation | Spanish financial sandbox (Ley 7/2020), reviewed by CNMV and SEPBLAC. Public conclusion report published on tesoro.es (February 2026). | Audit-ready; certification in progress. |
| EBA / MiCA Adequacy Memo | European Banking Authority Guidelines on remote customer onboarding (EBA/GL/2022/15) + EU AML Single Rulebook + MiCA Regulation. Independent legal opinion by finReg360. | Audit-ready; certification in progress. |
| GDPR Article 32 | EU General Data Protection Regulation (Regulation (EU) 2016/679). Self-assessed; supported by ISO/IEC 27001 controls and the Data Processing Agreement. | Continuous. |
| DPDP Act, 2023 | India's Digital Personal Data Protection Act, 2023. Governs the processing of digital personal data of individuals within India and applies to Hypersign's Asia-Pacific operations handled by Hypermine Technologies Private Ltd. | Continuous. |
| UAE Federal Data Protection Law | UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection. Applies to Hypersign's Middle East and Africa operations handled by Hypermine MEA FZCO, Dubai Silicon Oasis. | Continuous. |
2. Scope
This policy covers all Hypersign personnel (employees, contractors, and authorised third parties), all Hypersign production and corporate information systems, and the customer-facing Services described in the Business Terms and Conditions. It is supported by the Statement of Applicability that anchors Hypersign's ISO/IEC 27001:2022 management system.
3. Governance
- Information Security and Privacy Management System aligned to ISO/IEC 27001:2022 and ISO/IEC 27701 controls, with a documented Statement of Applicability.
- Chief Technology Officer is the named information-security executive sponsor; the Data Protection Officer (dpo@hypermine.de) owns privacy programme governance.
- Annual external security audit by independent auditors (ISO 27001 surveillance and SOC 2 examinations).
- Risk register reviewed and refreshed quarterly. Material risks are escalated to the management committee.
- Continuous improvement: every incident, audit finding, and risk assessment feeds the corrective-action backlog and the next policy refresh.
4. Encryption and Key Management
At Rest
AES-256 across every production database, object store, and backup volume.
In Transit
TLS 1.3 for every external API call, webhook, and Business Console session. Older TLS versions and weak ciphers are disabled. HTTP Strict Transport Security (HSTS) is enforced site-wide and preloaded.
Key Management
Google Cloud Key Management Service (Cloud KMS) holds and rotates the keys. Application code never touches raw key material. Sandbox and production keys are fully separated.
Hashing
Customer credentials are hashed with industry-standard adaptive functions (bcrypt or equivalent). API keys are stored as one-way hashes; the raw value is shown to the operator only at creation time.
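The storage model described above, as an added example that is not Hypersign's code: passwords go through an adaptive, salted hash with the parameters stored alongside the digest, and API keys are high-entropy random strings of which only a one-way hash is persisted, so the raw key exists only in the response that created it. It uses hashlib.scrypt from the standard library as the "bcrypt or equivalent" function; the work factors, the "hs_" key prefix and the in-memory table are assumptions for illustration.

```python
"""Adaptive hashing for credentials, one-way hashing for API keys.

Added example, not Hypersign code. scrypt stands in for "bcrypt or
equivalent"; the parameters below are deliberately small so the example
runs quickly (production should use a far larger N, e.g. 2**17)."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumed work factors for this demo (16 MiB, well inside scrypt's default maxmem)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def hash_password(password: str) -> str:
    """Return a self-describing record so parameters can be raised later
    without invalidating existing users: scheme$N$r$p$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N,
                            r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; constant-time compare."""
    scheme, n, r, p, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def _key_hash(raw_key: str) -> str:
    # API keys are 256-bit random secrets, so a fast unsalted hash is the
    # right tool: nothing to brute-force, and the hash can serve as lookup key.
    return hashlib.sha256(raw_key.encode()).hexdigest()


class ApiKeyStore:
    """In-memory stand-in for the key table; only hashes are ever stored."""

    def __init__(self):
        self._owner_by_hash = {}

    def create(self, owner: str) -> str:
        """Return the raw key exactly once; it is never stored or retrievable."""
        raw = "hs_" + secrets.token_urlsafe(32)   # "hs_" prefix is an assumed convention
        self._owner_by_hash[_key_hash(raw)] = owner
        return raw

    def authenticate(self, presented_key: str) -> Optional[str]:
        """Hash the presented key and look it up; returns the owner or None."""
        return self._owner_by_hash.get(_key_hash(presented_key))

    def persisted_values(self):
        """What a dump of the table would expose: hex digests only."""
        return list(self._owner_by_hash)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("password ok:", verify_password("correct horse battery staple", record))
    store = ApiKeyStore()
    shown_once = store.create("tenant-a")   # displayed to the operator, then discarded
    print("key authenticates as:", store.authenticate(shown_once))
    print("table contents:", store.persisted_values())
```

Because the raw key is never persisted, a lost key cannot be "re-shown"; the operator has to mint a new one, which is exactly the property the show-once rule buys.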
5. Identity, Access, and Zero-Trust Architecture
- Zero-trust by default: every request to every internal system is authenticated and authorised. There is no implicit trust based on network location.
- Role-based access control (RBAC) with the principle of least privilege. Access reviews are run quarterly.
- Multi-Factor Authentication (MFA) is mandatory for every employee, every production system, every cloud console, and every code-hosting account.
- Single Sign-On (SSO) for internal applications, with hardware-token MFA for privileged roles.
- Just-in-Time access for production: standing privileged access is the exception, not the rule.
- Audit logging: every privileged action is logged to a tamper-evident, write-once audit pipeline retained for at least 12 months.
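One way to give an audit pipeline the tamper-evident property the last bullet describes, shown as an added example that is not Hypersign's pipeline (the page does not say how its write-once store is built): each record commits to the hash of the one before it, and the current head hash is periodically recorded elsewhere as a checkpoint. Editing, reordering or deleting a past record then breaks verification, and a missing tail is caught by comparing against the checkpoint. The events below are constructed samples.

```python
"""Hash-chained, append-only audit log with verification.

Added example, not Hypersign code. Event strings are constructed."""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    seq: int
    actor: str
    action: str
    prev_hash: str
    entry_hash: str = ""


def _digest(seq: int, actor: str, action: str, prev_hash: str) -> str:
    # Canonical JSON so the same fields always hash the same way
    canonical = json.dumps([seq, actor, action, prev_hash], separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuditLog:
    GENESIS = "0" * 64   # prev_hash of the very first entry

    def __init__(self):
        self.entries: List[Entry] = []

    def append(self, actor: str, action: str) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        seq = len(self.entries)
        entry = Entry(seq, actor, action, prev, _digest(seq, actor, action, prev))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Checkpoint value to store out of band (e.g. signed once a day)."""
        return self.entries[-1].entry_hash if self.entries else self.GENESIS


def verify(entries: List[Entry], expected_head: Optional[str] = None) -> Tuple[bool, str]:
    """Walk the chain; return (ok, reason). A checkpoint catches truncation."""
    prev = AuditLog.GENESIS
    for i, e in enumerate(entries):
        if e.seq != i:
            return False, f"sequence gap at position {i}"
        if e.prev_hash != prev:
            return False, f"entry {i} does not chain to its predecessor"
        if _digest(e.seq, e.actor, e.action, e.prev_hash) != e.entry_hash:
            return False, f"entry {i} content does not match its hash"
        prev = e.entry_hash
    if expected_head is not None and prev != expected_head:
        return False, "log truncated: head does not match checkpoint"
    return True, "ok"


def demo() -> dict:
    """Build a small log, then show what verification says about two tamper cases."""
    log = AuditLog()
    log.append("alice", "grant-prod-access user=carol ttl=2h")
    log.append("bob", "rotate-kms-key ring=prod")
    checkpoint = log.head()
    # Tamper 1: rewrite a past action in place (copy so the real log stays intact)
    edited = [Entry(e.seq, e.actor, e.action, e.prev_hash, e.entry_hash) for e in log.entries]
    edited[0].action = "grant-prod-access user=carol ttl=30d"
    # Tamper 2: drop the most recent record
    truncated = log.entries[:-1]
    return {
        "intact": verify(log.entries, checkpoint),
        "edited": verify(edited, checkpoint),
        "truncated_with_checkpoint": verify(truncated, checkpoint),
        "truncated_without_checkpoint": verify(truncated),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The last case is the important caveat: a chain alone cannot prove that the newest records were not simply discarded, which is why the head hash has to be checkpointed somewhere the log writer cannot alter.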
6. Data Residency and Segregation
European Union by Default
Production data is processed and stored in the European Union on Amazon Web Services (default region: eu-central-1, Frankfurt). Specific-region or in-country residency is available on Enterprise contracts, subject to availability, for jurisdictions whose regulators require it.
Environment Separation
Sandbox, staging, and production are isolated at the network, identity, and key-management layers. No human or service in one environment can read data in another without an explicit, audited access path.
Tenant Separation
Multi-tenant data is logically separated with per-tenant encryption keys where applicable. Cross-tenant queries are blocked at the application and database layer.
7. Secure Development Lifecycle (SDLC)
- Code review is required for every production change. No single engineer can merge unreviewed code to production.
- Static Application Security Testing (SAST), dependency scanning, and Software Composition Analysis (SCA) run automatically on every pull request.
- Container and infrastructure scanning on every build and on a recurring schedule for deployed images.
- Pre-production security testing for high-impact changes (authentication, key management, biometric pipelines, payment flows).
- Internal penetration testing runs continuously; external penetration tests are performed at least once per year by independent specialists. Material findings are tracked to closure on an SLA-bound schedule.
- Bug-bounty / responsible-disclosure channel: report security issues to security@hypermine.de.
8. Vulnerability Management
Patching SLA by Severity
| Severity | Patching Deadline |
|---|---|
| Critical | Within 72 hours of vendor disclosure |
| High | Within 7 days |
| Medium | Within 30 days |
| Low | Within 90 days |
- Continuous vulnerability scanning across production infrastructure, containers, and dependencies.
- Threat modelling for new product surfaces, biometric pipelines, and cross-environment integrations.
9. Monitoring, Detection, and Incident Response
- 24×7 monitoring of every production system with alerting on availability, error, and security signals.
- Security Information and Event Management (SIEM) aggregates and correlates security events; abnormal patterns escalate to on-call security engineers.
- Documented Incident Response Plan with named roles, communication tree, severity matrix, and post-incident review process. The plan is tested at least annually via tabletop exercises.
- Personal data breach notification. Hypersign notifies affected customers without undue delay and in any case in time to allow customers to meet their own 72-hour notification obligation under GDPR Article 33. Enterprise customers receive a named engineer on call and a dedicated communication channel.
- Public status page at status.hypersign.id — every production incident, every post-mortem, no login required.
10. Business Continuity and Disaster Recovery
- Multi-AZ active redundancy in every production region; automatic failover for stateless services.
- Backups are encrypted, geographically separated within the chosen residency boundary, and tested on a recurring schedule.
- Recovery Point Objective (RPO) ≤ 1 hour and Recovery Time Objective (RTO) ≤ 4 hours for the core verification API and Business Console. Full commitments are set out in the Service Level Agreement.
- Disaster Recovery (DR) tests at least annually.
11. Personnel Security
- Background checks on every employee and every contractor with access to production data or personal data, where permitted by applicable law.
- Confidentiality agreements at hire for every employee and contractor.
- Mandatory security and privacy training at onboarding and refreshed at least annually for every employee. Targeted training (secure coding, biometric data handling, anti-fraud, anti-money-laundering) for the roles that need it.
- Phishing simulations on a recurring schedule.
- Joiner / mover / leaver process revokes access within 24 hours of role change or departure.
12. Vendor and Sub-Processor Management
- Every sub-processor is risk-assessed before onboarding and re-reviewed at least annually.
- Every sub-processor signs a Data Processing Agreement (DPA) imposing data-protection obligations substantially similar to those Hypersign owes its own customers (see Annex 2 of the Business Terms).
- The current sub-processor list is shared with customers and prospective customers via email after a Non-Disclosure Agreement (NDA) is signed. Email security@hypermine.de to request it. Customers subscribed to sub-processor change notifications are notified by email with sufficient advance notice to object.
13. Data Subject Rights and Deletion
- Right of access and portability: session data and verification decisions are accessible via the Hypersign API and the Business Console at any time.
- Right to erasure: any verification session and every linked artefact can be permanently deleted via the API or the Business Console, removing the record across every replica on the next refresh cycle.
- Configurable retention: per-application retention is configurable in the Business Console between 30 days and 10 years; the default is indefinite unless the customer configures a shorter period. Biometric data retention is in every case subject to, and capped by, applicable biometric-privacy laws and regulations, including GDPR Article 9, the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), Washington H.B. 1493, and any other applicable biometric-privacy law; where such law prescribes a shorter retention period or an earlier destruction obligation, that shorter or stricter rule prevails over any default or customer-configured retention period.
See the Privacy Policy and Verification Privacy Notice for the full data-subject-rights process.
14. Reporting a Security Issue
If you believe you have found a security vulnerability in any Hypersign product or service, email security@hypermine.de with a description, reproduction steps, and the impact you observed. Hypersign acknowledges security reports within 2 business days and works in good faith with reporters who follow responsible-disclosure practices.
To request a trust pack (SOC 2 Type 1 report, ISO 27001 certificate, iBeta PAD report, or government sandbox conclusion), email security@hypermine.de. Reports are shared under a signed NDA, the same business day.
15. Contact
Reach the correct team directly — no ticket queues for security, privacy, or legal matters.