Security & compliance

Client modelling data, governed end-to-end.

HEX Platform™ is built for Health Technology Assessment submissions. Every value, every change, every simulation result is reproducible, and we are direct about what we do and do not have in place today.

Hosting and data residency.

HEX Platform is hosted on managed infrastructure in New Zealand. Client modelling data — parameters, sources, simulation snapshots, submission artefacts — stays in NZ unless we have agreed in writing to a specific cross-border arrangement.

Operational metadata (application logs, error monitoring) may be processed by sub-processors located outside NZ. Where this happens we use providers with EU and US data-protection commitments and we list the active set on request.

We are not a multi-tenant Software as a Service (SaaS) by default. Engagements may run in shared or dedicated environments depending on contractual constraints. The choice is part of the scoping conversation.

Encryption.

All connections to the platform are HTTPS-only with Transport Layer Security (TLS) 1.2 or above. Database connections are TLS-encrypted in transit.

Data at rest sits on encrypted storage volumes (AES-256). Database backups are encrypted before being written to object storage.

Credentials, API keys, and signing keys never live in application code. They are injected at deploy via environment variables held in the platform's secret manager.

Access control and audit trail.

Role-based access

Every user has an explicit role with a defined permission set. HEC staff and client users sit on separate access planes, and roles enforce read-only access on locked submissions.

Append-only audit trail

Every change to a parameter is recorded with who made it, when, and the prior value. Audit records cannot be edited or deleted.

Reproducible submissions

Each simulation freezes the parameter set it consumed, so historical results remain reproducible after later edits. Once a submission is locked, structural and parameter changes are refused.

Read-only client access

Client team members get read access to the live model during the engagement. They can interrogate assumptions and walk parameters back to source, without the ability to alter the working state.

Certifications — what we hold, what we are working towards.

We do not hold SOC 2 Type II or ISO 27001 today. We are honest about that.

We are working towards a SOC 2 Type II readiness assessment, with ISO 27001 as the follow-on objective once readiness is established. The order reflects what large pharma and device buyers ask for most often during procurement.

If a buyer needs a specific compliance artefact before contracting (security questionnaire response, evidence of controls, sub-processor list, data flow diagram), we provide it on request. Most enterprise buyers will receive a populated Consensus Assessments Initiative Questionnaire (CAIQ-lite) within a working week.

Data protection posture.

Client modelling data — parameters, sources, results — is the client's. We do not use it to train models, do not share it with other clients, and do not sell or licence it. All client artefacts are returned or destroyed at the end of an engagement, on the client's instruction.

For European Economic Area data subjects, we operate as a processor under the relevant data-processing agreement. For New Zealand engagements, we comply with the Privacy Act 2020.

Data Subject Access Requests (DSARs) and other privacy queries: [email protected]. Acknowledgement within two working days.