Security - Hivelight
At Hivelight, protecting your data is fundamental to everything we build. This page outlines the technical and organisational measures we have in place to keep your information safe.
Data Hosting & Infrastructure
Hivelight is hosted entirely on Amazon Web Services (AWS), one of the world's most trusted and widely used cloud infrastructure providers. We operate dedicated regional deployments so your data stays close to home and subject to local data sovereignty requirements.
| Region | AWS Location | Customers Served |
|---|---|---|
| Asia Pacific (Sydney) | ap-southeast-2 | Australian customers |
| US East (N. Virginia) | us-east-1 | US customers |
Hosting in-region means your data remains within the jurisdiction relevant to your organisation — reducing cross-border transfer risks and supporting compliance with local data protection requirements.
Encryption
At rest
All data stored on Hivelight infrastructure is encrypted at rest using AES-256, the industry-standard symmetric encryption algorithm. AWS S3-managed server-side encryption (SSE-S3) is applied to all stored objects by default.
In transit
All data transmitted between your browser and Hivelight is encrypted using Transport Layer Security (TLS). We enforce a minimum of TLS 1.2 and support TLS 1.3 where your client supports it. Unencrypted HTTP connections are automatically redirected to HTTPS — there is no way to access Hivelight over an unencrypted connection.
Network Security
Content Delivery Network
Hivelight is delivered through Amazon CloudFront, AWS's global content delivery network. CloudFront provides:
- DDoS mitigation at the network edge
- Automatic HTTPS enforcement at every point of presence
- Origin Access Control (OAC) using AWS Signature Version 4 (SigV4) signing — ensuring only CloudFront can access our origin storage directly, with no public S3 exposure
- HTTP/2 and HTTP/3 support for secure, performant connections
Security Headers
Every response served by Hivelight includes the following browser-level security controls:
- HTTP Strict Transport Security (HSTS) — enforces HTTPS for 365 days including subdomains, and participates in browser HSTS preload lists
- Content Security Policy (CSP) — restricts which external scripts, styles, and resources may be loaded in your browser
- X-Content-Type-Options — prevents MIME-type sniffing attacks
- X-Frame-Options: DENY — blocks the site from being embedded in iframes, preventing clickjacking
- Referrer-Policy — limits referrer metadata sent to third parties
- Permissions-Policy — explicitly disables access to camera, microphone, geolocation, and advertising topic APIs
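A check a reviewer could run against a set of response headers to confirm the controls listed above, written as an added example and not Hivelight's own code. The header values in `GOOD` and `WEAK` are constructed samples, and mapping "advertising topic APIs" to the `browsing-topics` Permissions-Policy feature is an assumption.

```python
import re

YEAR = 365 * 24 * 3600  # 365 days in seconds, the HSTS lifetime stated above

def audit_headers(headers):
    """Return a list of findings; an empty list means every listed control is present."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    # HSTS: max-age of at least 365 days, plus includeSubDomains and preload
    hsts = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    m = next((re.fullmatch(r'max-age="?(\d+)"?', d) for d in hsts if d.startswith("max-age")), None)
    if not m or int(m.group(1)) < YEAR:
        findings.append("hsts: max-age missing or under 365 days")
    for flag in ("includesubdomains", "preload"):
        if flag not in hsts:
            findings.append(f"hsts: {flag} missing")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options: not nosniff")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("x-frame-options: not DENY")
    for name in ("content-security-policy", "referrer-policy"):
        if not h.get(name):
            findings.append(f"{name}: missing")
    # Permissions-Policy: a feature is disabled only by an empty allowlist, e.g. camera=()
    items = h.get("permissions-policy", "").split(",")
    pp = {f.strip().lower(): a.strip() for f, _, a in (i.partition("=") for i in items)}
    # "browsing-topics" is assumed to be the feature behind "advertising topic APIs"
    for feat in ("camera", "microphone", "geolocation", "browsing-topics"):
        if pp.get(feat) != "()":
            findings.append(f"permissions-policy: {feat} not disabled")
    return findings

# Constructed sample responses (not captured from any real site)
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), browsing-topics=()",
}
WEAK = dict(GOOD, **{
    "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "SAMEORIGIN",
    "Permissions-Policy": "camera=(), microphone=(self), geolocation=()",
})
if __name__ == "__main__":
    for label, resp in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit_headers(resp) or "all listed controls present")
```

The check only confirms that a Content Security Policy and Referrer-Policy are present; it does not judge how strict their values are.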
Application Security
Form Protection
All user-facing forms on Hivelight are protected by Google reCAPTCHA v3 to prevent automated abuse and bot submissions. reCAPTCHA tokens are validated server-side before any action is taken.
Secrets Management
API credentials and sensitive configuration (such as reCAPTCHA keys) are stored in AWS Systems Manager Parameter Store — not in application code, environment variables in source control, or configuration files. Secrets are retrieved at runtime by least-privilege Lambda functions.
API Layer
Our form submission and contact APIs run on AWS Lambda — a serverless compute model with no persistent attack surface, automatic scaling, and AWS-managed infrastructure patching.
Responsible Disclosure
If you discover a security vulnerability in Hivelight, please report it to us responsibly before disclosing it publicly. Contact our team at hello@hivelight.com with a description of the issue, steps to reproduce, and any supporting detail. We will acknowledge your report and work to resolve valid issues as quickly as possible.
Questions
If you have any questions about our security practices, please contact us.