Security & Privacy

At Hudson Labs, security and confidentiality are foundational to how we build the Co-Analyst. Our platform is designed to meet the requirements of institutional investors, research teams, and enterprise customers who depend on strict data protection and operational controls.

At a glance

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • MFA enforced on all data platforms used; passwords salted and hashed
  • Role-based, least-privilege access controls for all employees, with audit logs
  • We do not train AI models on customer data
  • Annual independent penetration testing (most recent: September 2025)
  • No known client data breaches to date

AI, Privacy & Customer Data

Hudson Labs is built so you can use the Co-Analyst on your most sensitive research tasks with confidence.

No Training on Customer Data: User data, prompts, and search activity are never used to train AI or machine learning models. Customer data is not shared with external model providers for training purposes.

Strict Data Isolation: Each customer's data is logically isolated within our platform. Access controls and system boundaries are designed to prevent any cross-customer access or data leakage.

Secure Model Execution: Model inference environments are fully isolated with no outbound internet access permitted during runtime, preventing data exfiltration. When third-party AI models are used to process a request, only the content of the query is transmitted — no account, profile, or identifying data is shared with model providers.

Prompt Storage Controls: Client data and prompts are encrypted and stored on a secure internal database. Users may opt out of prompt storage at any time, with potential limitations to certain functionality, such as saved workflows and prompt re-use.

AI Guardrails: Hudson Labs implements AI safety and content guardrails using third-party tools, including Guardrails AI and NVIDIA NeMo. These systems are designed to mitigate risks related to bias, toxicity, and inappropriate content.

Model Monitoring: Drift and regression testing is performed at least quarterly and typically more frequently — approximately every three weeks. Both automated and manual evaluation methods are used, and the regression test suite is continuously updated.

Infrastructure Security

Built on AWS: Hudson Labs is hosted on Amazon Web Services (AWS) in US- and Canada-based regions, leveraging its secure, globally trusted cloud infrastructure. We use AWS's security primitives for network isolation, access control, and infrastructure protection.

Encryption by Default: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. This ensures your data is protected both while being transmitted and while stored in our systems.

Authentication: Multi-factor authentication (MFA) is enforced internally across all data platforms used. Passwords are salted and hashed using industry-standard methods.

Internal Access Controls: Access to production systems and customer data is restricted to authorised Hudson Labs personnel on a least-privilege basis. Role-based access controls (RBAC) are enforced internally, ensuring staff can only access the systems and data necessary for their role.

Monitoring & Logging: Network access attempts are logged and monitored for unauthorised activity. Audit logs are maintained for key system and administrative actions.

Secure Development Practices: Hudson Labs follows secure software development practices, including code reviews, controlled deployments, and regular vulnerability scanning. Security is built into our development process, not added after the fact.

Annual Penetration Testing: Hudson Labs engages independent security experts to conduct penetration testing annually. The most recent test was performed in September 2025. Findings are remediated on a risk-prioritised basis and results are available to enterprise customers on request under NDA.

Enterprise Controls & Data Lifecycle

User Access Controls: Hudson Labs manages access through user tiers and permission levels that determine what each user can see and do within the platform. Access configuration is handled in coordination with Hudson Labs — contact your account representative to adjust user permissions or tiers.

Data Retention & Deletion: Usage data and history are automatically deleted one year after the end of the active license term. Clients may request deletion of their data at any time.

Data Residency: Customer data is stored on AWS infrastructure in US- and Canada-based regions. If data residency is a specific requirement for your organisation, please contact us to discuss your needs.

Controlled Sharing & Export: Hudson Labs provides controls around sharing and exporting data to help prevent accidental or unauthorised data exposure.

Third-Party Providers: All third-party vendors undergo security and MNPI risk assessments prior to onboarding. Sub-processors handling customer data are bound by data processing agreements.

Sub-Processor | Location | Purpose
Amazon Web Services (AWS) | United States and Canada | Cloud infrastructure and data storage
Amplitude | United States | Product analytics
Stripe | United States | Payment processing
Customer.io | United States | Marketing communications
Copper CRM | United States | Customer relationship management
Zapier | United States | Data workflow automation
Heroku Postgres | United States | Data storage
Google Workspace | United States | Data storage and e-mail
OpenAI | United States | Query processing and analysis

IP, Data & Licensing

Data Sources: Hudson Labs sources data exclusively from licensed vendors. Key providers include S&P Global Market Intelligence and SEC.API. Data is ingested via API or SFTP. Additional details on data coverage and content sources are available in the Hudson Labs FAQ.

MNPI Policy: Hudson Labs maintains a formal Data, MNPI, and PII Policy. MNPI risk assessments are conducted for all new data vendors. All data sources used in the platform are publicly available and widely disseminated, resulting in minimal MNPI risk. Details are available in Section XII.02 of our Terms of Service.

Training Corpus: Hudson Labs' AI models are trained on publicly available SEC filings (via EDGAR), used in accordance with applicable terms and regulations.

IP & Indemnification: Hudson Labs complies with all applicable intellectual property requirements. Details on IP indemnification are provided in Section VIII.02 of our Terms of Service.

Compliance, Risk & Governance

Security Framework: Hudson Labs aligns its security controls with SOC 2 standards across security, availability, and confidentiality.

Privacy & Data Protection: The full Hudson Labs Privacy Policy is available at hudson-labs.com/privacy.

Security Policies & Governance: Hudson Labs operates under formal internal security policies covering system protection, access control, incident response, and business continuity. All staff and contractors sign a Code of Ethics committing to integrity and confidentiality, reaffirmed at least every two years, and complete annual cybersecurity training.

Privacy & Security Officer: Hudson Labs' Privacy and Security Officer is Suhas Pai, a former Staff Software Engineer at IBM Security with five years of experience in identity and access management, cryptography, and vulnerability detection. Suhas co-led the Privacy Working Group for the BigScience BLOOM LLM and is co-founder of PIISA (Personally Identifiable Information Standard Architecture).

Reliability & Incident Response

Reliability & Backups: Hudson Labs operates on resilient cloud infrastructure with regular database backups and continuous monitoring to ensure platform availability and data integrity.

Incident Response: Hudson Labs maintains a formal incident response process to detect, contain, investigate, and remediate security incidents. Clients are notified of any material data breach without undue delay and no later than 24 hours after discovery. Hudson Labs has not experienced any known client data breaches to date.

Business Continuity: Hudson Labs maintains a Business Continuity and Response Plan designed to ensure critical services can be restored in the event of major disruptions.

Responsible Disclosure

We welcome responsible disclosure from the security community. If you believe you've discovered a security issue, please contact security@hudson-labs.com. We aim to acknowledge all reports within 5 business days and will keep you informed as we investigate and address the issue.