What we actually have. Not what we aspire to.
This page describes the security controls reflected in the current HermesAI implementation and the managed services that run the platform. It is a snapshot of what exists, not a marketing statement about what is planned.
The platform is built on managed services rather than custom infrastructure for security-critical layers. Each provider is responsible for their own layer.
Clerk
Authentication and session management
User auth, session tokens, and organisation membership are delegated to Clerk. HermesAI does not store or manage raw session credentials.
Polar
Billing and subscription lifecycle
Payment processing, subscription state, and checkout flows run through Polar. Card data never touches HermesAI servers.
Neon Postgres
Primary database
Application state, tenant data, and editorial records live in a managed Postgres cluster. Backups, failover, and encryption at rest are handled by the provider.
Upstash Redis
Rate limiting and transient state
In-memory state for rate limiting, feed processing locks, and short-lived workflow flags. No persistent sensitive data stored here.
Vercel
Compute and hosting
All application compute runs on Vercel. Network isolation, DDoS mitigation, and TLS termination are platform defaults.
Cloudflare
CDN and edge network
Static assets and edge routing proxied through Cloudflare. WAF rules and bot mitigation applied at the network layer.
Controls implemented at the application layer, visible in the current codebase.
Role-gated product areas
Admin routes and tenant newsroom routes are separated at the middleware level. Platform roles (admin, support) are distinct from editorial newsroom roles (owner, editor, journalist, reviewer, viewer). Access is enforced server-side on each request.
Webhook signature verification
Billing events from Polar and identity events from Clerk are verified against their respective HMAC signatures before processing. Replayed or tampered payloads are rejected. Idempotency keys prevent duplicate processing of the same event.
API key hashing
Tenant integration keys are stored as hashed values with truncated masked prefixes for display. The full key is shown only once at creation time and cannot be retrieved from the platform after that.
Network checks for webhook targets
Outbound webhook endpoints submitted by tenants are validated against reserved and non-public address ranges before use. This blocks SSRF attacks targeting internal network addresses via the webhook delivery system.
Operational records
Billing and identity webhook payloads are archived for audit and incident investigation. These records support troubleshooting without relying solely on external provider logs.
Security pages often overstate. These are the things this page does not assert.
No certification unless published.
HermesAI does not hold SOC 2, ISO 27001, or equivalent certifications at this stage. If any are obtained they will be published explicitly. A security page is not a certification.
No public bug bounty.
There is no active public bug bounty programme. Security researchers should report findings to the security contact. Reports are reviewed; rewards are not promised.
No uptime SLA unless contracted.
Free, Plus, and Pro plans carry no uptime guarantee. Enterprise contracts may define SLAs - consult the specific agreement.
No prevention of AI editorial errors.
The product generates AI drafts. These may contain factual errors, misattributions, or incomplete coverage. Editorial review before publication is a design assumption, not an optional step.
No substitute for publisher rights review.
Security controls do not address content licensing, attribution rights, or syndication terms. Those are separate legal and commercial matters.
Found a security issue?
Report via the security channel. Include the affected path, reproduction steps, and your estimated impact. Reports are reviewed - there is no public bounty programme.
No security inbox published yet.
All contact channels →