Platform · Trust Layer

The security foundation for everything you do.

Every byte encrypted. Every tenant isolated. Every action logged. Every region controlled.

See our security architecture Full Trust Center
Certifications and posture

Compliance-ready from day one.

HubSecure is designed for regulated environments. Current controls are aligned to GDPR and NIS2; ISO 27001 and SOC 2 are in progress.

GDPR
Aligned controls
NIS2
Ready
SOC 2
Planned · Q3 2026
ISO 27001
In progress · 2026
HIPAA
Ready controls
Post-Quantum
ML-KEM-768 ready
HydraShield

Post-quantum encryption, built in Rust.

HydraShield is HubSecure's proprietary cipher suite — a Rust-native security layer that wraps every module with post-quantum key encapsulation and authenticated encryption.

ML-KEM-768 — quantum-safe key encapsulation

HydraShield uses ML-KEM-768 (NIST FIPS 203, standardised 2024) for key encapsulation across all protected communication paths. RSA and classic ECDH are vulnerable to harvest-now-decrypt-later attacks. HubSecure is already quantum-safe.

Proprietary Rust cipher suite HydraShield is implemented in Rust for memory safety, zero overhead and no runtime exceptions. Used as a binary in all HubSecure services.
ML-KEM-768 key encapsulation NIST FIPS 203 standard. Selected for balance between security level (128-bit post-quantum) and performance. No RSA fallback.
Used across all communication modules Secure Mail, ShieldChat, IoT device communication and Sheets all use HydraShield for E2EE. One cipher suite, consistently applied.
AES-256-GCM at rest All tenant data encrypted with AES-256-GCM. Per-tenant data encryption keys wrapped by HSM-held key encryption keys that never leave hardware.
The quantum threat timeline
Now
Nation-state actors archive encrypted traffic today — "harvest now, decrypt later". Long-lived confidential data is already at risk.
2030–35
RSA and classic ECDH key exchange become vulnerable to quantum computers. Legacy-encrypted archives become readable.
Today
HubSecure already uses ML-KEM-768. Your communications are protected against future quantum decryption — not just today's threats.
Architecture

Zero-trust, tenant-isolated by construction.

No shared databases, no shared keys. Every request passes through signature verification, tenant boundary checks and RBAC before any data is touched.

Client Browser / mobile
TLS 1.3 only
E2EE Transport ML-KEM-768
HydraShield
Gateway Signed headers
JWT + timestamp
Service Tenant isolation
RBAC enforced
Encrypted Storage AES-256-GCM
HSM key wrap
Defence in depth

Four pillars, no shortcuts.

Encryption
  • ML-KEM-768 post-quantum key encapsulation
  • AES-256-GCM at rest, per-tenant DEK
  • TLS 1.3 in transit — no 1.2 fallback
  • Per-file Vault encryption + HSM KEK
Isolation
  • Separate tenant schema per client
  • Per-tenant data encryption keys
  • No cross-tenant queries, ever
  • Row-level security enforced at DB layer
Auditability
  • Every action logged with actor + timestamp
  • Immutable audit trail — no retroactive edits
  • Exportable evidence packages for regulators
  • Admin, AI and support actions separately logged
Sovereignty
  • EU data residency — no CLOUD Act exposure
  • Regional deployment options
  • Data never leaves your chosen region
  • GDPR Article 46 transfer mechanisms included
Data residency

Your data, your region.

HubSecure stores data in your chosen region. EU infrastructure is the default for European customers. No data transits to jurisdictions outside your control.

EU default

European infrastructure available Q3 2026. All regulated EU customers will be migrated ahead of NIS2 enforcement deadlines.

No CLOUD Act exposure

HubSecure does not use US-based infrastructure for EU customer data. No US-jurisdiction cloud provider holds your tenant data.

Regional deployment

Enterprise plans include single-region deployment options with dedicated infrastructure for healthcare, finance and legal customers.

Trust Layer

See our security architecture in a 30-minute review.

Get a security-led walkthrough of HydraShield encryption, tenant isolation, audit logging and data residency — tailored to your compliance requirements.

See our security architecture → Full Trust Center

ML-KEM-768 · AES-256-GCM · TLS 1.3 · Tenant isolation · EU residency · GDPR-aligned