Security

Security by architecture.
Not by promise.

Hoziron's security posture starts with a structural decision: your data never leaves your infrastructure. Everything else follows from that.

How we think about security

Data sovereignty by deployment model

Hoziron deploys as a signed binary inside your perimeter. There are no outbound data flows to Hoziron infrastructure. We do not host, process, or have access to your claims data. This is not a contractual promise — it is an architectural constraint. Your CISO can verify it by inspecting network traffic.

Sensitivity-based model routing

The platform classifies each model call by data sensitivity before dispatch. PII-bearing calls route only to customer-registered local model endpoints. Non-PII calls may route to cloud LLMs subject to your tenant configuration. The default is local-only.

Immutable audit trail

Every model call, tool invocation, and routing decision is written to an append-only, Merkle-chained log keyed to the originating notice-of-loss event. The log emits to your SIEM in real time. Hoziron retains no copy. Your compliance team and your chosen auditor read it directly.
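How an auditor could check such a log on the SIEM side, as an added example that is not Hoziron's code. The page does not specify the log format, so the field names, SHA-256 over JSON, the `GENESIS` anchor and the per-event hash chain are all assumptions made for illustration.

```python
import hashlib, json

GENESIS = "0" * 64  # assumed anchor value for the first entry of each event chain

def entry_hash(prev, event, seq, kind, detail):
    """SHA-256 over the entry fields plus the previous entry's hash."""
    body = json.dumps([prev, event, seq, kind, detail], sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append(log, event, kind, detail):
    """Writer side: link a new entry to the last entry for the same event."""
    chain = [e for e in log if e["event"] == event]
    prev = chain[-1]["hash"] if chain else GENESIS
    log.append({"event": event, "seq": len(chain), "kind": kind, "detail": detail,
                "prev": prev, "hash": entry_hash(prev, event, len(chain), kind, detail)})

def heads(log):
    """Latest hash per event; store this somewhere the log writer cannot edit."""
    return {e["event"]: e["hash"] for e in log}

def verify(log, expected_heads=None):
    """Auditor side: recompute every link and return a list of findings."""
    findings, last = [], {}
    for i, e in enumerate(log):
        prev, seq = last.get(e["event"], (GENESIS, -1))
        if e["seq"] != seq + 1:
            findings.append((i, "sequence gap or reorder"))
        if e["prev"] != prev:
            findings.append((i, "broken link to previous entry"))
        if e["hash"] != entry_hash(e["prev"], e["event"], e["seq"], e["kind"], e["detail"]):
            findings.append((i, "content does not match hash"))
        last[e["event"]] = (e["hash"], e["seq"])
    # Dropping entries from the tail leaves a valid shorter chain, so compare heads.
    for event, head in (expected_heads or {}).items():
        if last.get(event, (None, None))[0] != head:
            findings.append((event, "head mismatch (truncated or replaced)"))
    return findings

def build_sample():
    """Constructed sample entries, keyed by a made-up notice-of-loss id."""
    log = []
    append(log, "NOL-0001", "routing_decision", {"sensitivity": "pii", "route": "local"})
    append(log, "NOL-0001", "model_call", {"endpoint": "local-llm"})
    append(log, "NOL-0001", "tool_invocation", {"tool": "policy_lookup"})
    append(log, "NOL-0002", "routing_decision", {"sensitivity": "none", "route": "cloud"})
    return log
```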

Supply chain discipline

Every release ships with a CycloneDX SBOM and passes an automated CVE check against all transitive dependencies. Builds are reproducible from pinned commit SHAs inside deterministic containers. Binaries are signed with our release key. Your deployment verifies the signature on receipt.

Agent cost and behaviour bounds

Agent loops are bounded by per-claim budget caps with abort heuristics. Tool invocations are scoped by allowlists per agent step. A circuit breaker fires on decision drift — if classification confidence drops below threshold or routing falls outside the allowed set, the agent halts and alerts.

Data protection

UK GDPR (Hoziron as a company)

Hoziron Ltd is registered in England and Wales and complies with UK GDPR for the personal data we hold as a business (website visitors, business contacts, design partner applicants). See our Privacy Policy for details.

Customer data (your claims, your responsibility)

We do not process your claims data. The Hoziron platform runs inside your infrastructure under your data protection obligations. You remain the data controller. We provide the tooling — audit trails, sensitivity routing, access controls — that helps you meet those obligations. The platform's compliance documentation covers POPIA, GDPR, and SOC 2 alignment.

Report a security issue

If you believe you've found a security vulnerability in Hoziron, please report it to contact@hoziron.com with "Security Disclosure" in the subject line. We will acknowledge within 48 hours and aim to provide an initial assessment within 5 business days.