Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.hexr.dev/llms.txt

Use this file to discover all available pages before exploring further.

Hexr’s architecture is designed with compliance readiness built in. The same controls that secure your agents — SPIFFE identity, OPA policies, encrypted transit and storage, and complete audit trails — also map directly to the requirements of major compliance frameworks. This page shows how each Hexr control satisfies specific framework requirements, so you can accelerate your own compliance process.

Compliance readiness at a glance

FrameworkStatusKey controls
SOC 2 Type IIArchitecture readyEncryption at rest and in transit, audit logging, SPIFFE-based access controls
NIST AI RMFArchitecture readyAgent discovery, metrics, policy management, identity governance
GDPRArchitecture readyTenant data isolation, encryption, PII scanning, right to deletion support
HIPAAArchitecture readyPHI isolation, complete audit trails, AES-256-GCM encryption
FedRAMPSelf-hosted air-gappedAir-gapped deployment support, FIPS-compatible cryptography

Key controls

Encryption

Data stateMethod
In transitmTLS using SPIFFE SVIDs — all service-to-service communication
At rest (secrets)AES-256-GCM (Hexr Vault)
At rest (database)PostgreSQL with storage-level encryption
At rest (cache)Valkey in-cluster only — no external network access

Access control

ControlImplementation
IdentitySPIFFE per-process identity — no shared credentials between agents
AuthenticationmTLS with X.509-SVIDs + API key authentication for management APIs
AuthorizationOPA policies evaluated at every service boundary
Tenant isolationKubernetes namespace isolation — one namespace per tenant
Data isolationSPIFFE-scoped secret access — agents cannot read other agents’ secrets

Audit logging

CapabilityImplementation
Request loggingEvery request traced via OpenTelemetry with full agent identity context
Credential accessEvery STS exchange logged with SPIFFE ID, service, and timestamp
Secret accessEvery Vault read and write logged
LLM interactionsEvery prompt and response logged (configurable retention)
Configuration changesKubernetes audit logging

Framework mappings

SOC 2 Type II

Control areaHexr implementation
CC6.1 Logical accessSPIFFE identity, OPA policies, mTLS on all service boundaries
CC6.2 User authenticationSPIFFE SVIDs (X.509), API key authentication for management
CC6.3 Access authorizationOPA per-process policies, role-based credential scoping
CC6.6 System boundariesKubernetes namespaces, Firecracker microVMs for code execution
CC7.1 MonitoringOpenTelemetry traces, Prometheus metrics, Grafana dashboards
CC7.2 Incident responseAudit logs, immediate credential revocation via SPIRE entry deletion
CC8.1 Change managementhexr build reproducible artifacts, hexr audit drift detection

NIST AI Risk Management Framework

FunctionHexr implementation
GOVERNTenant isolation, role-based access, API key management, policy governance
MAPhexr build AST analysis maps all agent capabilities before deployment
MEASUREOpenTelemetry metrics, per-agent cost attribution, LLM Guard statistics
MANAGEDashboard, OPA policies, credential rotation, complete audit trail

GDPR

RequirementHexr implementation
Data minimizationPer-process credential scoping — agents access only what they declare
EncryptionAES-256-GCM (Vault secrets), mTLS (all transit)
Access controlsSPIFFE identity + OPA policies on every operation
Audit trailOpenTelemetry traces on every data operation
PII protectionLLM Guard PII scanner on all LLM inputs and outputs

HIPAA

SafeguardHexr implementation
Access controlsSPIFFE + OPA + Kubernetes namespace isolation
Audit controlsOpenTelemetry traces, structured logs via Loki
Transmission securitymTLS everywhere — TLS 1.3 minimum
EncryptionAES-256-GCM at rest, TLS 1.3 in transit
Hexr’s self-hosted deployment supports air-gapped environments for FedRAMP and other air-gap requirements. See self-hosted deployment for configuration details.