Honua
// security & DPA

Know what Honua secures—and what remains yours.

Last updated: July 11, 2026

Honua Server is customer-managed by default. Honua secures the software and publishes deployment guidance; you control the cloud account, network, data, and runtime configuration unless a signed agreement assigns a responsibility differently.

Security contact

Use security@honua.io for vulnerability reports, security questions, and responsible disclosure coordination. Share enough detail to reproduce the issue — affected version, deployment shape, impact, and clear reproduction steps where possible.

Shared responsibility · customer-managed by default

Shared security responsibility for a customer-managed Honua deployment
AreaDefault posture
Honua softwareHonua provides the application, images, SDKs, security fixes, and deployment guidance for the supported scope.
Cloud account & network controlsYou configure TLS, WAF rules, allowlists, backups, access to the cloud account, and infrastructure availability unless a signed agreement says otherwise.
Admin authenticationScoped API key by default. Public source implements single-provider OIDC under the Pro entitlement and multi-provider OIDC with custom claim-to-role mapping under Enterprise. OIDC remains off until configured; validate it as source-evaluation functionality before production.
Observability & hardeningHonua provides hardening guidance and reference configurations; your deploying team applies and monitors them.

Data Processing Addendum

DPA availability depends on the engagement model:

Website security and evaluation

Product & supply-chain security

These controls apply to Honua's software-development and release process; they do not replace the controls required in your deployment:

Standards & self-attestations

Honua's developing control program uses the CSA Cloud Controls Matrix v4 to organize evidence that can also support future SOC 2, ISO 27001, and NIST CSF work. The table below states current status; it is not a certification claim.

Standards & self-attestations table
FrameworkStatus
CSA STAR Level 1 (CAIQ self-assessment)In progress
OWASP ASVS (application security)In progress
NIST CSF / CIS Controls v8 alignmentIn progress
SOC 2 Type IIPlanned

Security teams evaluating Honua can email security@honua.io for our current self-assessments.