Know what Honua secures—and what remains yours.
Last updated: July 11, 2026
Honua Server is customer-managed by default. Honua secures the software and publishes deployment guidance; you control the cloud account, network, data, and runtime configuration unless a signed agreement assigns a responsibility differently.
Security contact
Use security@honua.io for vulnerability reports, security questions, and responsible disclosure coordination. Share enough detail to reproduce the issue — affected version, deployment shape, impact, and clear reproduction steps where possible.
Shared responsibility · customer-managed by default
| Area | Default posture |
|---|---|
| Honua software | Honua provides the application, images, SDKs, security fixes, and deployment guidance for the supported scope. |
| Cloud account & network controls | You configure TLS, WAF rules, allowlists, backups, access to the cloud account, and infrastructure availability unless a signed agreement says otherwise. |
| Admin authentication | Scoped API key by default. Public source implements single-provider OIDC under the Pro entitlement and multi-provider OIDC with custom claim-to-role mapping under Enterprise. OIDC remains off until configured; validate it as source-evaluation functionality before production. |
| Observability & hardening | Honua provides hardening guidance and reference configurations; your deploying team applies and monitors them. |
Data Processing Addendum
DPA availability depends on the engagement model:
- Self-hosted deployments. The customer generally controls the application environment and customer data, so Honua is not the default processor for workload data inside that deployment.
- Commercial support or services. If a commercial engagement requires Honua to process customer personal data, DPA terms can be provided as part of the contract package.
- Managed or hosted offerings. Any future managed-hosting relationship will carry its own specific data-processing terms and security commitments.
- Site data. This website processes evaluation and early-access inquiries, consented analytics and session attribution, and routine hosting and security logs as described in the Privacy notice.
Website security and evaluation
- Current browser policy. Primary pages carry a restrictive meta Content Security Policy on the GitHub Pages host.
- Response-header boundary. The repository defines a fuller edge-delivered header set, including anti-clickjacking and HSTS. GitHub Pages does not apply
_headers; those response-only protections are not claimed as live until the edge deployment passes the live-header check (issue #38). - Public evaluation material. Deployment, procurement, and security boundaries are documented publicly so evaluators can inspect them before a security review.
- License clarity. The runtime, SDKs, mobile tooling, and commercial tiers all have explicit license or availability boundaries.
- Further questions. Email info@honua.io for commercial DPA or procurement follow-up.
Product & supply-chain security
These controls apply to Honua's software-development and release process; they do not replace the controls required in your deployment:
- Secure SDLC. Protected-branch changes use pull requests and repository-specific quality gates. The server build treats warnings as errors and carries architecture and coverage checks.
- Automated scanning. The server runs CodeQL and Trivy lanes; infrastructure repositories run Checkov; Dependabot and secret-scanning controls are configured where repository visibility and GitHub features permit them.
- Supply-chain pipeline. The release pipeline is configured to generate CycloneDX/SPDX bills of materials and keyless-sign the platform manifest and BOM. No promoted public release artifact is linked yet.
- Posture transparency. Selected public repositories publish OpenSSF Scorecard results. OpenSSF Allstar monitors organization-wide repository-policy drift and files issues rather than silently enforcing every setting.
- Coordinated disclosure. See our security policy and security.txt. We aim to acknowledge complete reports within three business days and provide safe harbor for good-faith research.
Standards & self-attestations
Honua's developing control program uses the CSA Cloud Controls Matrix v4 to organize evidence that can also support future SOC 2, ISO 27001, and NIST CSF work. The table below states current status; it is not a certification claim.
| Framework | Status |
|---|---|
| CSA STAR Level 1 (CAIQ self-assessment) | In progress |
| OWASP ASVS (application security) | In progress |
| NIST CSF / CIS Controls v8 alignment | In progress |
| SOC 2 Type II | Planned |
Security teams evaluating Honua can email security@honua.io for our current self-assessments.