// Trust & Security Report
Hex Technologies Inc.
AI Analytics Platform
Certifications held
8
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on hex.tech“We are audited annually for SOC 2 Type II and HIPAA compliance and are dedicated to safeguarding your data. As evidence of this, we have obtained our SOC 2 Type II report, which attests to the effectiveness and our adherence to security controls and processes.”
Verify on trust.hex.tech“HIPAA badge listed on trust center. HIPAA add-on available at Enterprise tier. Business Associate Agreements (BAA) signed. Hex introduced HIPAA Multi-Tenant in March 2026 alongside the existing single-tenant HIPAA option.”
Verify on trust.hex.tech“PCI badge displayed on trust center (Conveyor-powered). No detailed PCI DSS attestation level, QSA name, or Attestation of Compliance referenced on vendor pages. Scope and SAQ level not disclosed publicly.”
Verify on learn.hex.tech“Hex Technologies Inc. is the controller in respect of the processing of your personal information covered by this Privacy Policy for purposes of European data protection legislation. GDPR badge listed on trust center.”
Verify on learn.hex.tech“Right to Opt Out. You may opt out of the sale or sharing of your personal information... Hex does not sell personal information. CCPA badge listed on trust center.”
Verify on trust.hex.tech“EU-US DPF badge listed among 8 compliance badges on trust center. Privacy policy addresses EEA cross-border data transfers.”
Verify on trust.hex.tech“Swiss-US DPF badge listed among 8 compliance badges on trust center.”
Verify on trust.hex.tech“UK-US DPF badge listed among 8 compliance badges on trust center.”
> Show 2 unconfirmed / not-held certifications
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
AWS US default. Separate EU stack available for GDPR-sensitive customers. Single-tenant VPC deployable in any AWS-supported geographic region at Enterprise tier. No true customer-managed self-host.
Explicitly confirmed not training on customer data via two separate policy pages. Privacy policy: 'Hex does not collect, use, or sell personal information gathered through this Site for the purpose of training large language models or other artificial intelligence models.' Data Privacy FAQ: 'Hex has not opted-in to data sharing with its LLM providers. Hex's LLM providers do not train on customer data.' By default LLM providers do not retain submitted data. Hex employees may review AI inputs/outputs when necessary to fix bugs or improve product reliability only.
// Security controls
Encryption at rest
AES-256. Covers database credentials, file uploads, and cached query results.
hex.techEncryption in transit
TLS v1.2 or newer for all network traffic between Hex servers and user browsers.
hex.techInfrastructure
AWS. Single-tenant VPC option available in any AWS-supported region for Enterprise customers.
hex.techBug bounty
Private bug bounty program via HackerOne (hackerone.com/hex). Not a public program. Security page directs researchers to HackerOne for vulnerability disclosure.
hex.techSSO and IAM
Supports Google Apps, Okta, and OIDC SSO. Centralized IAM via identity provider. MFA required for production system access. All access control changes require peer review before deployment.
hex.techAccess control model
Principle of least privilege. Three-layer control: User Roles, Data Access, Project Access. Customer data access is logged. Only engineers and support staff requiring access for active customer issues can access customer data.
hex.techData ephemerality
Analysis data ephemeral in kernel memory by design. Queries run live against customer warehouse; data does not persist in Hex by default. SQL result caching is opt-in, configurable, stored in S3 for up to 90 days.
hex.techApplication security
SCA (software composition analysis) and SAST (static application security testing) on all pull requests. Branch protections requiring multiple reviewers. Production deploys via deployment pipelines with system health monitoring.
hex.techSubprocessors
Subprocessors list publicly available on trust center (35 documents total).
trust.hex.techAudit logging
Audit logs available at Enterprise tier. Agent observability dashboard shows per-user, per-source AI interaction logs.
hex.tech// Products & data scope
data: Direct warehouse queries; results ephemeral in kernel memory by default. Optional SQL caching up to 90 days in AWS S3 (opt-in). Full SOC 2 Type II and HIPAA scope.
Primary analyst product. Python and SQL cells with agentic AI layer. Supports all data warehouse connections.
data: Same warehouse connectivity and security controls as notebooks. Accessible via Slack, MCP, and Hex web. AI queries governed by Context Studio semantic models.
Business-user-facing product. No code required. Answers governed by organization-defined semantic models.
data: Manages semantic models, endorsed tables, rules, and organizational context used by AI agents. Stores metadata only, no direct data storage.
Admin and data engineering product for governing AI agent behavior. Includes agent observability dashboard.
data: Published apps share outputs without exposing underlying data connections to viewers. Embedded analytics available for customer-facing deployments with secure credential isolation.
End-user and customer-facing product. Role-based access controls on all artifacts.
data: Terminal-based control of Hex workspace resources. Same authentication and authorization controls as web product.
No additional data exposure beyond standard API access.
data: Enhanced controls: restricted internet access, shortened session lifetimes, vetted customer access, BAA signed. Supports PHI workloads on multi-tenant stack.
Introduced March 2026. Previously BAAs were only available on single-tenant. Lower cost than single-tenant while meeting HIPAA requirements.
data: Exclusive Hex resources in a customer-chosen AWS geographic region. Maximum isolation for stringent regulatory, data residency, or government requirements.
Fully managed by Hex. Securely peers to customer infrastructure. Supports any AWS-supported region.
// What to watch
- PCI badge shown on trust center but no public PCI DSS SAQ level, QSA auditor, or Attestation of Compliance referenced. Procurement teams handling payment card data should request the AoC directly from Hex.
- ISO 27001 and ISO 27701 listed as 'Coming Soon 2026' on trust center as of assessment date. Not currently certified.
- HackerOne bug bounty is private, not public. Limits external researcher participation but is appropriate for an enterprise SaaS.
- Hex employees may review AI inputs/outputs for bug-fixing and product improvement. This is not model training but is a human-review disclosure that regulated customers (HIPAA, finance) should acknowledge.
- EU-US and UK-US Data Privacy Framework badges shown on trust center. These frameworks face ongoing legal uncertainty in European courts (as of mid-2026); organizations relying solely on DPF for SCCs should monitor status.
- Data Privacy FAQ confirms LLM providers are third-party (not disclosed which models by default). Customers can use Bring Your Own Key (BYOK) with their own LLM provider for additional control.
// At a glance
Pricing model
Freemium SaaS: Community (free), Professional ($36/editor/month), Team ($75/editor/month), Enterprise (custom). HIPAA add-on and single-tenant VPC are Enterprise-only. SSO available at Team and Enterprise tiers.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Hex Technologies Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.hex.tech