// Trust & Security Report

    Hex Technologies Inc. logo

    Hex Technologies Inc.

    AI Analytics Platform

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    We are audited annually for SOC 2 Type II and HIPAA compliance and are dedicated to safeguarding your data. As evidence of this, we have obtained our SOC 2 Type II report, which attests to the effectiveness and our adherence to security controls and processes.

    Verify on hex.tech
    HIPAA
    HELD

    HIPAA badge listed on trust center. HIPAA add-on available at Enterprise tier. Business Associate Agreements (BAA) signed. Hex introduced HIPAA Multi-Tenant in March 2026 alongside the existing single-tenant HIPAA option.

    Verify on trust.hex.tech
    PCI DSS
    HELD

    PCI badge displayed on trust center (Conveyor-powered). No detailed PCI DSS attestation level, QSA name, or Attestation of Compliance referenced on vendor pages. Scope and SAQ level not disclosed publicly.

    Verify on trust.hex.tech
    GDPR
    HELD

    Hex Technologies Inc. is the controller in respect of the processing of your personal information covered by this Privacy Policy for purposes of European data protection legislation. GDPR badge listed on trust center.

    Verify on learn.hex.tech
    CCPA
    HELD

    Right to Opt Out. You may opt out of the sale or sharing of your personal information... Hex does not sell personal information. CCPA badge listed on trust center.

    Verify on learn.hex.tech
    EU-US Data Privacy Framework (DPF)
    HELD

    EU-US DPF badge listed among 8 compliance badges on trust center. Privacy policy addresses EEA cross-border data transfers.

    Verify on trust.hex.tech
    Swiss-US Data Privacy Framework (DPF)
    HELD

    Swiss-US DPF badge listed among 8 compliance badges on trust center.

    Verify on trust.hex.tech
    UK-US Data Privacy Framework (DPF)
    HELD

    UK-US DPF badge listed among 8 compliance badges on trust center.

    Verify on trust.hex.tech
    > Show 2 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Coming Soon: 2026: ISO 27001 and ISO 27701

    source: trust.hex.tech
    ISO 27701
    NOT CONFIRMED

    Coming Soon: 2026: ISO 27001 and ISO 27701

    source: trust.hex.tech

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    AWS US default. Separate EU stack available for GDPR-sensitive customers. Single-tenant VPC deployable in any AWS-supported geographic region at Enterprise tier. No true customer-managed self-host.

    Explicitly confirmed not training on customer data via two separate policy pages. Privacy policy: 'Hex does not collect, use, or sell personal information gathered through this Site for the purpose of training large language models or other artificial intelligence models.' Data Privacy FAQ: 'Hex has not opted-in to data sharing with its LLM providers. Hex's LLM providers do not train on customer data.' By default LLM providers do not retain submitted data. Hex employees may review AI inputs/outputs when necessary to fix bugs or improve product reliability only.

    // Security controls

    Encryption at rest

    AES-256. Covers database credentials, file uploads, and cached query results.

    hex.tech

    Encryption in transit

    TLS v1.2 or newer for all network traffic between Hex servers and user browsers.

    hex.tech

    Infrastructure

    AWS. Single-tenant VPC option available in any AWS-supported region for Enterprise customers.

    hex.tech

    Bug bounty

    Private bug bounty program via HackerOne (hackerone.com/hex). Not a public program. Security page directs researchers to HackerOne for vulnerability disclosure.

    hex.tech

    Penetration testing

    Annual third-party penetration testing.

    trust.hex.tech

    SSO and IAM

    Supports Google Apps, Okta, and OIDC SSO. Centralized IAM via identity provider. MFA required for production system access. All access control changes require peer review before deployment.

    hex.tech

    Access control model

    Principle of least privilege. Three-layer control: User Roles, Data Access, Project Access. Customer data access is logged. Only engineers and support staff requiring access for active customer issues can access customer data.

    hex.tech

    Data ephemerality

    Analysis data ephemeral in kernel memory by design. Queries run live against customer warehouse; data does not persist in Hex by default. SQL result caching is opt-in, configurable, stored in S3 for up to 90 days.

    hex.tech

    Application security

    SCA (software composition analysis) and SAST (static application security testing) on all pull requests. Branch protections requiring multiple reviewers. Production deploys via deployment pipelines with system health monitoring.

    hex.tech

    MDM

    Formal mobile device management (MDM) program in place.

    trust.hex.tech

    Cyber insurance

    Has cyber insurance.

    trust.hex.tech

    Disaster recovery

    Has a formal disaster recovery plan.

    trust.hex.tech

    Subprocessors

    Subprocessors list publicly available on trust center (35 documents total).

    trust.hex.tech

    Audit logging

    Audit logs available at Enterprise tier. Agent observability dashboard shows per-user, per-source AI interaction logs.

    hex.tech

    Status page

    Has a public status page.

    trust.hex.tech

    // Products & data scope

    Agentic NotebooksAI-powered data notebook / analyst tool

    data: Direct warehouse queries; results ephemeral in kernel memory by default. Optional SQL caching up to 90 days in AWS S3 (opt-in). Full SOC 2 Type II and HIPAA scope.

    Primary analyst product. Python and SQL cells with agentic AI layer. Supports all data warehouse connections.

    Conversational Self-Serve (Threads)Natural-language BI / conversational data Q&A

    data: Same warehouse connectivity and security controls as notebooks. Accessible via Slack, MCP, and Hex web. AI queries governed by Context Studio semantic models.

    Business-user-facing product. No code required. Answers governed by organization-defined semantic models.

    Context StudioSemantic layer and AI governance

    data: Manages semantic models, endorsed tables, rules, and organizational context used by AI agents. Stores metadata only, no direct data storage.

    Admin and data engineering product for governing AI agent behavior. Includes agent observability dashboard.

    Data Apps and Embedded AnalyticsDashboard publishing and customer-facing analytics

    data: Published apps share outputs without exposing underlying data connections to viewers. Embedded analytics available for customer-facing deployments with secure credential isolation.

    End-user and customer-facing product. Role-based access controls on all artifacts.

    Hex CLIDeveloper tooling

    data: Terminal-based control of Hex workspace resources. Same authentication and authorization controls as web product.

    No additional data exposure beyond standard API access.

    HIPAA Multi-Tenant (Enterprise add-on)Regulated deployment tier

    data: Enhanced controls: restricted internet access, shortened session lifetimes, vetted customer access, BAA signed. Supports PHI workloads on multi-tenant stack.

    Introduced March 2026. Previously BAAs were only available on single-tenant. Lower cost than single-tenant while meeting HIPAA requirements.

    Single-Tenant VPC (Enterprise add-on)Isolated deployment

    data: Exclusive Hex resources in a customer-chosen AWS geographic region. Maximum isolation for stringent regulatory, data residency, or government requirements.

    Fully managed by Hex. Securely peers to customer infrastructure. Supports any AWS-supported region.

    // What to watch

    • PCI badge shown on trust center but no public PCI DSS SAQ level, QSA auditor, or Attestation of Compliance referenced. Procurement teams handling payment card data should request the AoC directly from Hex.
    • ISO 27001 and ISO 27701 listed as 'Coming Soon 2026' on trust center as of assessment date. Not currently certified.
    • HackerOne bug bounty is private, not public. Limits external researcher participation but is appropriate for an enterprise SaaS.
    • Hex employees may review AI inputs/outputs for bug-fixing and product improvement. This is not model training but is a human-review disclosure that regulated customers (HIPAA, finance) should acknowledge.
    • EU-US and UK-US Data Privacy Framework badges shown on trust center. These frameworks face ongoing legal uncertainty in European courts (as of mid-2026); organizations relying solely on DPF for SCCs should monitor status.
    • Data Privacy FAQ confirms LLM providers are third-party (not disclosed which models by default). Customers can use Bring Your Own Key (BYOK) with their own LLM provider for additional control.

    // At a glance

    Pricing model

    Freemium SaaS: Community (free), Professional ($36/editor/month), Team ($75/editor/month), Enterprise (custom). HIPAA add-on and single-tenant VPC are Enterprise-only. SSO available at Team and Enterprise tiers.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Hex Technologies Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.hex.tech

    > Browse all vendor trust reports