Your business data is safe with Hapax.
SOC 2 Type II Certified
Independently audited security controls
Trusting AI with your business means trusting the platform it runs on. Hapax was built from the ground up with security at its core — not bolted on as an afterthought. Every agent action is tracked, every sensitive piece of data is protected, and your team stays in control of what AI can and can't do.
Whether you're a growing team or a large enterprise, Hapax gives you the confidence to put AI to work without worrying about what it might do with your data.
Sensitive data stays protected — automatically
Hapax automatically detects sensitive information like social security numbers, credit cards, bank accounts, phone numbers, and more — and protects it before it ever reaches an agent's output. Your team doesn't have to think about it. It just works.
Admins can fine-tune how each type of sensitive data is handled. Want SSNs fully hidden but emails just masked? Need certain teams to reveal protected data when required? You set the rules, and Hapax enforces them — with a full log of every time protected data is accessed.
- ● Detects SSNs, credit cards, bank accounts, phone numbers, emails, and more
- ● Multiple protection levels — from light masking to full redaction
- ● Configurable per data type, per team
- ● Every reveal is logged for accountability
Humans stay in the loop when it matters
Some things shouldn't happen without a person signing off. Hapax lets your team decide exactly which agent actions need human approval before they execute — whether that's sending an email, updating a record, or connecting to an external tool.
Admins set company-wide approval policies, and individual users can add their own preferences on top. When an agent hits an action that requires approval, it pauses and waits. No surprises, no unauthorized actions.
- ● Company-wide approval policies set by admins
- ● Users can add their own approval preferences
- ● Per-action or per-session approval options
- ● Agents pause and wait — they never skip the gate
Guardrails your team defines
Every business has different rules about what AI should and shouldn't do. Hapax guardrails let your admins create policies that agents follow — and when a guardrail is triggered, the right people get notified.
Guardrails can block an action entirely or let it proceed with a notification. You define the rules, the response message, and who gets alerted. Every violation is recorded so you always know when boundaries were tested.
- ● Create custom guardrails with your own rules and response messages
- ● Choose to block actions or just notify when triggered
- ● Route alerts to specific people, teams, or departments
- ● Full violation history for review
Built to defend against AI-specific threats
AI agents face unique security challenges that traditional tools weren't built for. Hapax includes protections designed specifically for how agents work.
Prompt injection detection
Agents process data from all kinds of sources — emails, documents, tool outputs — which makes them a target for prompt injection attacks. Hapax detects and prevents these attacks, along with input sanitization that strips malicious content before it ever reaches an agent. Your agents process real business data, not hidden instructions from bad actors.
Agent lenses & boundaries
Agents operate within defined lenses that scope what they can see and do. A sales agent stays focused on sales data. A support agent works within support context. Lenses keep agents effective by keeping them focused — and they keep your data compartmentalized so nothing crosses boundaries it shouldn't.
Cost controls
Stay in control of how much your AI agents are spending. Hapax gives you visibility into usage and the controls to set limits — so you get the value of AI automation without unexpected costs. No runaway agents, no surprise bills.
Input sanitization
Data coming into Hapax from external sources is cleaned and validated before agents work with it. Malicious URLs, risky content, and potentially harmful inputs are caught and neutralized — so agents only work with data you can trust.
Every action, fully traceable
Everything an agent does in Hapax is logged — what it did, why it did it, what data it accessed, and who approved it. If someone asks “how did this happen?” you have the answer, every time.
Audit logs cover agent tool usage, human approval decisions, sensitive data access, and guardrail violations. Filter by date, user, agent, or event type to find exactly what you need.
- ● Full history of every agent action and decision
- ● Tracks approval requests, grants, and denials
- ● Logs every time protected data is accessed
- ● Records guardrail violations and responses
- ● Searchable and filterable by date, user, agent, or type
The foundation you'd expect
Beyond the AI-specific protections, Hapax includes the enterprise security fundamentals your team and IT department need.
View our Trust Center for compliance details and security documentation ↗
Permissions & tenant isolation
Every customer's data is completely separate. Agents only access what they're authorized to see. Admin and user roles keep the right people in control of the right things.
Encrypted everywhere
Your data, credentials, and tokens are encrypted at rest and in transit. Connection credentials are stored encrypted and never exposed to agents directly.
Enterprise single sign-on
Sign in with your existing identity provider. Hapax supports SAML and OIDC so your team uses the same credentials and security policies they already have.
Under the hood
For the technical folks who want to know what's powering all of this — here's a look at the infrastructure and stack behind Hapax's security.
Infrastructure
- → AES-256 encryption at rest
- → TLS 1.2+ encryption in transit
- → Per-tenant data isolation at the database level
- → Encrypted credential vault — keys never exposed to agents
- → Row-level security policies on all data access
- → SSRF prevention with blocked internal IP ranges
Authentication & access
- → Auth0 JWT-based authentication
- → SAML 2.0 and OIDC single sign-on
- → PKCE OAuth flows for third-party connections
- → Admin and user role separation
- → Per-document and per-vault permission controls
- → HTML and URL sanitization on all external inputs
Security that works for any business
The same security architecture that gives a regulated bank confidence to deploy AI agents also makes a 10-person startup safer from day one. You don't need a security team to benefit — the protections are on by default. And when you grow into needing more control, everything is there waiting for you.
Hapax has been designed to handle your most sensitive business data from the start. Not because we added a security layer later, but because this is how the platform was built.