Your data stays where you put it.
Hybridyn is built on a single architectural promise: data sovereignty by construction. Self-hosted single-tenant, local AI by default, telemetry off by default, Apache 2.0 forever. This page documents what that means in technical detail — the guarantees, the encryption, the AI guardrails, and the sub-processors (which is a short list: none).
What Hybridyn never does
Negative claims are stronger than positive ones because they're falsifiable. Here are six things we will never do — and the code-level mechanisms that enforce each.
We never see your data
F-Pulse is self-hosted single-tenant. Source data moves from the source system through your F-Pulse process to your destination over your network — never through Hybridyn infrastructure. We have no hosted version, no proxy, no telemetry pipe carrying customer data.
We never default to a cloud LLM
The AI Copilot defaults to Ollama running locally on qwen2.5:7b. Your schema, query history, and pipeline definitions never leave the host. Cloud providers (Anthropic, OpenAI, OpenRouter, Gemini, etc.) are explicit opt-in — operator brings their own key, knowing prompts leave the host.
We never bind to your LAN by default
F-Pulse binds to 127.0.0.1 — invisible to your LAN. No accidental port exposure to coworkers, hotel WiFi, or conference networks. LAN-visible binding requires explicit FPULSE_ALLOW_LAN=1 or --host 0.0.0.0.
We never enable telemetry by default
Telemetry is opt-in only. The default install collects nothing, phones home to nothing, and registers nothing. If you opt in, the schema is documented and the data goes only to Hybridyn — no third-party analytics, no ad networks, no resold telemetry.
We never silently change the license
F-Pulse is Apache 2.0 forever. We won't repeat the Elastic/MongoDB/Airbyte/Redis pattern of relicensing the OSS after adoption. Plus is a separately-licensed commercial extension that consumes F-Pulse's public APIs — never imported into the OSS repo (boundary rule 2 of edition-matrix.md).
We never put credentials in LLM context
The sanitization gateway strips PII, credentials, API keys, and connection strings before the model sees data. The model cannot exfiltrate what it never receives. The rule is enforced at the runtime layer, not by the prompt, so it survives jailbreaks: it lives below the prompt.
Per-edition posture
OSS ships with always-on Fernet credential encryption and a full audit log. Plus adds Vault-backed AES-256 with rotation, sigstore-signed audit export, and Llama-Guard safety classification on every agent turn.
Guardrails enforced below the prompt
The AI Copilot is bounded by runtime-enforced rules, not prompt instructions. A model that decides to ignore the rules can't — the runtime intercepts every tool call.
Bounded agent loop
Hard caps: 6 iterations max per run, 300s wall-clock for local Ollama / 120s for cloud providers, per-user daily token wallet. Stop button cancels mid-flight.
Tool-tier RBAC
25 tools across 3 tiers: 21 READ (permissive), 4 SAFE_WRITE (standard RBAC + idempotency cache), 1 HIGH_IMPACT_WRITE (strict RBAC + mandatory confirmation card).
Dry-run by default
New HIGH_IMPACT_WRITE tools execute in dry-run for the first 3 successful runs before unlocking live mode, even if the user clicks 'live'.
Idempotency cache
Write tools key on (tool_name + args + tenant). Duplicate calls within the TTL replay the cached result instead of re-executing.
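A sketch of the replay behaviour described above, added here as an illustration and not taken from the F-Pulse code base. The class name, the `pause_pipeline` tool, the tenant names and the TTL value are all hypothetical.

```python
import hashlib
import json
import time


class IdempotencyCache:
    """Replay cache for write tools, keyed on (tool_name, args, tenant)."""
    def __init__(self, ttl_seconds=300.0, clock=time.monotonic):
        self.ttl = ttl_seconds  # assumed value; the page does not state the TTL
        self.clock = clock      # injectable so expiry can be exercised in tests
        self._store = {}        # key -> (expires_at, result)

    @staticmethod
    def make_key(tool_name, args, tenant):
        # One canonical JSON array rather than joined strings: argument order
        # cannot change the key, and field boundaries stay unambiguous.
        canonical = json.dumps([tenant, tool_name, args],
                               sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def call(self, tool_name, args, tenant, execute):
        """Return (result, replayed); `execute` runs only on a miss."""
        key = self.make_key(tool_name, args, tenant)
        now = self.clock()
        hit = self._store.get(key)
        if hit is not None and hit[0] > now:
            return hit[1], True
        result = execute(**args)  # an exception propagates and caches nothing
        self._store[key] = (now + self.ttl, result)
        return result, False


def demo():
    """Constructed scenario: one hypothetical SAFE_WRITE tool, two tenants."""
    now = [0.0]
    cache = IdempotencyCache(ttl_seconds=60, clock=lambda: now[0])
    executed = []
    def pause_pipeline(pipeline_id, reason):  # hypothetical tool
        executed.append(pipeline_id)
        return {"pipeline_id": pipeline_id, "state": "paused"}
    a = {"pipeline_id": "orders_daily", "reason": "maintenance"}
    b = {"reason": "maintenance", "pipeline_id": "orders_daily"}  # same args, reordered
    flags = [cache.call("pause_pipeline", a, "tenant-a", pause_pipeline)[1],
             cache.call("pause_pipeline", b, "tenant-a", pause_pipeline)[1],
             cache.call("pause_pipeline", a, "tenant-b", pause_pipeline)[1]]
    now[0] = 61.0  # past the TTL: the same call executes again
    flags.append(cache.call("pause_pipeline", a, "tenant-a", pause_pipeline)[1])
    return flags, len(executed)
```

Including the tenant in the key is what keeps one tenant's cached result from being replayed to another.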
Sanitization gateway
PII, credentials, API keys, and connection strings are stripped before the LLM sees any data. This is enforced at runtime, not via the prompt.
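A minimal sketch of a runtime redaction step of the kind described here and under "We never put credentials in LLM context", added as an illustration and not taken from the F-Pulse code base. The detector patterns, field names and sample record are assumptions constructed for the example.

```python
import re

# Assumed detector set for illustration; a real gateway needs a broader, tested one.
DETECTORS = {
    "CONNECTION_STRING": r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@\S+",
    "SECRET": r"\b(?:password|passwd|pwd|secret|token|api[_-]?key)\s*[=:]\s*\S+",
    "API_KEY": r"\b(?:sk|pk)-[A-Za-z0-9_-]{16,}",
    "EMAIL": r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+",
}
# One alternation, one pass: placeholders are never rescanned, and the leftmost
# match wins, so a DSN is redacted whole before EMAIL can match "pass@host".
SCANNER = re.compile("|".join(f"(?P<{n}>{p})" for n, p in DETECTORS.items()), re.I)
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|api[_-]?key|dsn", re.I)


def redact_text(text):
    return SCANNER.sub(lambda m: f"[REDACTED:{m.lastgroup}]", text)


def sanitize(value):
    """Return a redacted deep copy of a tool result; the input is not mutated."""
    if isinstance(value, str):
        return redact_text(value)
    if isinstance(value, dict):
        # Fields whose name marks them as secret are dropped wholesale.
        return {
            k: "[REDACTED:FIELD]" if SENSITIVE_KEY.search(str(k)) else sanitize(v)
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return [sanitize(v) for v in value]
    return value  # numbers, booleans and None carry no free text


# Constructed tool result, standing in for what a READ tool might return.
SAMPLE = {
    "pipeline": "orders_daily",
    "source": {"dsn": "postgresql://etl:S3cr3t@db.internal:5432/sales", "table": "orders"},
    "last_error": "connect to mysql://app:hunter2@10.0.0.5/crm failed, password=hunter2",
    "rows": [{"customer_email": "ana@example.com", "total": 41.5}],
}


def build_llm_context(tool_result):
    # The model is only ever handed the sanitized copy.
    return sanitize(tool_result)
```

Because the redaction runs on the tool result before any prompt is assembled, nothing the model is told can change what it receives.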
Who touches your data
Because Hybridyn is self-hosted, the sub-processor list is much shorter than a SaaS competitor's. Hybridyn itself is not on the list — we operate no infrastructure that handles customer data.
| Party | Role | Note |
|---|---|---|
| Hybridyn (your installation) | Process and store your data | On infrastructure you operate. |
| Source systems you connect | Read data from | Your choice. Hybridyn never sees the connection or the data flowing through it. |
| Destination systems you write to | Write data to | Your choice. Same — Hybridyn has no visibility. |
| Optional cloud LLM (only if opted in) | Process Copilot prompts | Operator-configured, BYO-key. Default is local Ollama — no cloud LLM is used unless you explicitly enable one. |
Hybridyn Technologies Pvt Ltd is NOT a sub-processor — we operate no infrastructure that handles customer data. Comparable SaaS ETL platforms typically list 8–15 sub-processors (cloud hosting, CDN, analytics, support tooling, etc.) because they run your data through their stack.
Where we are on the standards landscape
Honest about what's certified, what's roadmap, and what's not applicable to a self-hosted single-tenant product.
In place today
- Apache 2.0 license (audit-friendly)
- Self-hosted single-tenant architecture
- Encryption at rest (Fernet OSS, Vault AES-256 Plus)
- Audit log of every authenticated action
- Sigstore-signed audit export (Plus)
- Compliance posture document in repo (docs/ai-ops-contract.md)
On the roadmap
- SOC 2 Type II attestation (Plus, planned)
- HIPAA BAA template (Plus, planned)
- ISO 27001 alignment documentation
- Data Processing Agreement (DPA) template
- GDPR Article 32 technical-measures attestation
Not applicable
- Cloud hosting certifications (we host nothing)
- CDN data-residency claims (no CDN)
- Vendor-supplied uptime SLA on the OSS (you operate it)
- Third-party penetration test of "our infrastructure" (no infrastructure of ours touches your data)
For deployment-specific compliance (HIPAA, GDPR, SOC 2 within your environment), the controls live in your infrastructure since Hybridyn runs there. We provide the technical substrate (encryption, audit, RBAC, sanitization); your security team owns the operational controls.
Your data is wherever you put F-Pulse.
EU? Run F-Pulse on a Frankfurt VPS. India? Mumbai. US? Wherever you like. There is no Hybridyn-controlled region that processes your data, because there is no Hybridyn infrastructure that processes your data. Data residency is whatever you choose for the host you run F-Pulse on.
Found a vulnerability?
Please don't file a public GitHub issue. Email hello@hybridyn.com with a description, repro steps, and your contact. We acknowledge within 48 hours and publish a fix on a coordinated disclosure timeline. See security.md in the F-Pulse OSS repo for the full policy.
Per-feature OSS vs Plus boundary — the source of truth this page is derived from.
"F-Pulse" and "Hybridyn" are trademarks of Hybridyn Technologies Pvt Ltd.