Security Standards
How we protect enterprise data, model weights, and the intelligence you entrust to us.
Our security philosophy
We treat client data as a competitive advantage — our clients' advantage. The Harbinger platform is architected on three non-negotiable principles: isolation by default, privacy first, and zero leakage. This page summarizes how those principles show up in practice.
1. Isolated training environments
Every client engagement runs in a fully isolated environment. Your data never touches shared infrastructure, and our models are trained on your data only within that isolated boundary. We do not co-mingle data across clients and we do not use client data to improve models that serve other clients.
2. Privacy-first architecture
Harbinger is built so that your business intelligence — data, model weights, outputs, prompts, and derived insights — remains yours. None of it contributes to public AI datasets, competitor models, or any training corpus outside your environment. Proprietary model weights remain exclusively within the environment you designate.
3. Encryption in transit and at rest
All data streams between you and Harbinger, and all data at rest within engagement environments, are encrypted using industry-standard protocols (TLS 1.2+ in transit, AES-256 at rest). Access to encrypted stores requires key material held under strict internal controls.
4. Access controls
- Engagement access follows the principle of least privilege
- Administrative actions on client environments require multi-factor authentication
- All access is logged and auditable
- Access rights are revoked promptly upon engagement end or role change
5. Vendor and subprocessor hygiene
We use a small, deliberately chosen set of infrastructure providers (cloud compute, storage, and email). Each is evaluated against our security criteria. We will provide a current list of subprocessors to clients under a mutual NDA on request.
6. Incident response
We maintain an internal incident-response procedure covering detection, containment, communication, and post-incident review. If we become aware of a security incident affecting client data, we will notify affected clients promptly and coordinate remediation.
7. Business continuity
Engagement environments are backed up according to the data-protection requirements of each contract. Recovery objectives and backup cadence are defined per engagement.
8. Data retention and deletion
We retain client data for the duration of the engagement plus any period required by contract or applicable law. Upon request or at engagement end, client data and derived artifacts are securely deleted within a commercially reasonable timeframe, and confirmation is provided.
9. Compliance posture
We design our controls with enterprise and regulated-industry clients in mind. Formal certifications are pursued as our roadmap and client needs dictate. Current compliance status and attestations are available to prospects and clients under NDA.
10. Responsible disclosure
If you believe you have discovered a security vulnerability in our site or services, please report it to rye@harbinger.ai (with jonathan@harbinger.ai on CC). We will acknowledge your report promptly and work with you in good faith to investigate and remediate.
Questions
For security questionnaires, architecture reviews, or to arrange a technical diligence session, email rye@harbinger.ai.