security@honua.io
Use this address for vulnerability reports, security questions, and responsible disclosure coordination.
Security and DPA
Clear security contact, clear deployment boundary, clear data-processing posture.
Honua is primarily a customer-managed deployment model today. That changes the security and data-processing posture: customers run the product in their own environment unless a separate commercial agreement states otherwise.
Security Contact
Report security concerns directly.
Expectation
Share enough detail to reproduce the issue.
Include affected version, deployment shape, impact, and clear reproduction steps where possible.
Deployment Security Model
Customer-managed by default.
| Area | Default posture |
|---|---|
| Application runtime | Honua provides the application, images, SDKs, and deployment guidance. |
| Cloud account and network controls | The customer owns cloud configuration, TLS, WAF, allowlists, backups, and infrastructure availability unless a separate agreement says otherwise. |
| Admin authentication | API key by default, optional OIDC bearer-token flow for browser-based admin access. |
| Observability and hardening | Honua publishes the controls and reference patterns, while the operator implements them in the target environment. |
Data Processing Addendum
DPA availability depends on the engagement model.
Self-hosted deployments
The customer generally controls the application environment and customer data, so Honua is not the default processor for workload data inside that deployment.
Commercial support or services
If a commercial engagement requires Honua to process customer personal data, DPA terms can be provided as part of the contract package.
Managed or hosted offerings
Any future managed-hosting relationship will carry its own specific data-processing terms and security commitments.
Site data
This public website only handles contact-form submissions and optional analytics after cookie consent.
Public Security Posture
What is already public.
Security headers
The site artifact ships with CSP and related security-header policy, and live edge enforcement is part of deployment validation.
Open documentation
Deployment, procurement, and security posture are documented publicly so customers can evaluate the platform without custom decks.
License clarity
The runtime, SDKs, mobile tooling, and private operator layer all have explicit license or availability boundaries.
Further questions
Email mike@honua.io for commercial DPA or procurement follow-up.