Clear security contact, clear deployment boundary, clear data-processing posture.
Honua is primarily deployed under a customer-managed model today. That changes the security and data-processing posture: customers run the product in their own environment unless a separate commercial agreement states otherwise.
Security contact
Use security@honua.io for vulnerability reports, security questions, and responsible disclosure coordination. Share enough detail to reproduce the issue — affected version, deployment shape, impact, and clear reproduction steps where possible.
Deployment security model · customer-managed by default
| Area | Default posture |
|---|---|
| Application runtime | Honua provides the application, images, SDKs, and deployment guidance. |
| Cloud account & network controls | The customer owns cloud configuration, TLS, WAF, allowlists, backups, and infrastructure availability unless a separate agreement says otherwise. |
| Admin authentication | API key by default, optional OIDC bearer-token flow for browser-based admin access. |
| Observability & hardening | Honua provides hardening guides and reference configurations; the deploying team applies them in their own environment. |
Data Processing Addendum
DPA availability depends on the engagement model:
- Self-hosted deployments. The customer generally controls the application environment and customer data, so Honua is not the default processor for workload data inside that deployment.
- Commercial support or services. If a commercial engagement requires Honua to process customer personal data, DPA terms can be provided as part of the contract package.
- Managed or hosted offerings. Any future managed-hosting relationship will carry its own specific data-processing terms and security commitments.
- Site data. This public website only handles contact-form submissions and optional analytics after cookie consent.
Public security posture
- Security headers. The site includes Content Security Policy and security headers in its build output. Header enforcement at the CDN edge is verified during deployment.
- Open documentation. Deployment, procurement, and security posture are documented publicly so customers can evaluate the platform without custom decks.
- License clarity. The runtime, SDKs, mobile tooling, and commercial tiers all have explicit license or availability boundaries.
- Further questions. Email mike@honua.io for commercial DPA or procurement follow-up.