Security & Data Protection

Version 1.0 — last updated 2026-06-12

Hydron provides AI-deployed bare-metal infrastructure. This page explains how we secure the infrastructure we operate, where your responsibility as a customer begins, who we work with, and how we handle data. It is not a compliance certification.

Security Overview

What Hydron is

Hydron rents dedicated physical servers and uses automated tooling to provision them and launch the program you specify. We operate the hardware, the network, and the control plane that manages provisioning and billing. We do not modify, inspect, or access the code or data you run on your server. Once a server is handed to you, what runs on it and the data it holds are yours.

We secure the infrastructure layer; you secure your workload. The split is detailed in Shared Responsibility below.

Infrastructure security

  • Dedicated physical servers. Each customer runs on dedicated bare metal — no shared kernel, hypervisor, or noisy-neighbour exposure between customers. This is a stronger isolation boundary than shared or virtualized cloud.
  • Secure provisioning and wipe. Before any server is re-assigned to a new customer, its storage is securely erased. No prior tenant's data persists onto a re-rented machine.
  • Disk encryption. Full-disk encryption (LUKS/dm-crypt) is available on request for provisioned servers. As the data on the disk is yours, you control encryption keys and key management for your workload.
  • Network & DDoS. Customer traffic is segregated at the network layer. DDoS mitigation is provided by our datacenter partner, OVH.
  • Datacenter physical security. Servers are hosted in OVH datacenters in Europe and the United States, which provide physical access controls, power redundancy, and environmental protection.

Control-plane security

The Hydron control plane handles provisioning, account management, and billing. It holds account data, not your workload data.

  • All API and dashboard traffic is encrypted in transit over TLS 1.2+ (TLS 1.3 preferred), with HSTS enabled.
  • Account, billing, and provisioning data is encrypted at rest.
  • Control-plane backups are encrypted, and restore procedures are tested.
  • API keys are hashed at rest, never logged in plaintext, and can be rotated by the customer.
  • Provisioning and wipe events are audit-logged.

Access control

  • Access to physical servers is restricted to SSH key-based authentication.
  • Internal administrative tooling requires multi-factor authentication.
  • Team access follows the principle of least privilege.

Patching

We maintain a regular patching cadence for the host-level software under our control and for the dependencies of our control-plane stack. Patching of the operating system and software inside your provisioned server is your responsibility after handoff.

Reporting a security issue

If you discover a vulnerability or have a security concern, contact us at support@hydron.app. We aim to acknowledge reports promptly.

What we do not claim

Hydron is an early-stage product. We do not hold SOC 2, ISO 27001, or equivalent certifications at this time. We describe only the controls we actually operate.

Shared Responsibility

Security on Hydron is shared. We secure the infrastructure we operate; you secure what you run on it.

Hydron is responsible for

  • Physical servers — the bare-metal hardware we rent to you.
  • Network infrastructure — connectivity, network-layer segregation between customers, and DDoS mitigation via OVH.
  • Secure provisioning — preparing and delivering servers to you.
  • Secure wipe — erasing storage before a server is re-assigned to another customer.
  • Datacenter physical security — provided through OVH.
  • Control plane — the security of our provisioning, account, and billing systems, including encryption in transit and at rest of the account data we hold.
  • Access to the metal — restricting and logging administrative access to the underlying hardware.

You are responsible for

  • Your code and programs — anything you deploy or run on the server.
  • Your data — all data your workload creates, stores, or processes. We do not access, inspect, or back it up.
  • Backups — backing up your own data. Hydron does not back up customer workloads.
  • In-application encryption and key management — encrypting sensitive data within your application as needed.
  • Operating system and software hardening — patching, configuration, and securing the OS and software inside your server after handoff.
  • Access credentials — safeguarding your SSH keys, API keys, and account credentials.
  • Lawful and compliant use — ensuring your workload and the data you process comply with applicable laws and any obligations you owe to your own users.

In short: Hydron secures the box, the network around it, and the systems that deliver it to you. Everything inside the box is yours to secure.

Sub-processors

Hydron uses a limited number of third-party providers ("sub-processors") to operate the service. They may process account data (contact, billing, and support information). They do not process your workload data, which Hydron does not access — see Shared Responsibility.

| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| OVH | Server hosting, datacenter physical security, DDoS mitigation | Infrastructure metadata | EU & US |
| Stripe | Payment processing | Billing & payment data | EU / US |
| SendGrid | Transactional & business email | Contact details, email content | US |
| Mava | Customer support chat | Support conversations, contact details | US |
| Discord | Community & support communications | Contact details, messages | US |
| Slack | Support communications | Contact details, messages | US |

Hydron does not accept cryptocurrency and uses no crypto payment processor.

International transfers. Some sub-processors, and our US server region, are located in the United States, outside the EEA. Transfers of personal data to these providers are covered by EU Standard Contractual Clauses (SCCs).

We update this list when sub-processors change.

Incident Response

This describes how Hydron responds to security incidents affecting the infrastructure and account data we operate. It does not cover incidents inside your workload — the code, applications, and data you run on your server are yours to monitor and secure.

How we respond

  1. Detect & contain — on identifying an incident, we act to contain it and limit impact.
  2. Assess — we determine what was affected, including whether any personal data in account data was involved.
  3. Notify — if a confirmed incident affects personal data we hold, we notify affected customers without undue delay and within 72 hours of becoming aware, consistent with GDPR Articles 33–34. Where required, we also notify the Lithuanian State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija).
  4. Remediate & review — we remediate the root cause and review controls to reduce recurrence.

What a notification includes

To the extent known at the time: the nature of the incident, the categories of data affected, the likely consequences, and the measures taken or proposed in response. We provide updates as more information becomes available.

Reporting an incident to us

If you believe there has been a security incident affecting Hydron infrastructure or your account, contact support@hydron.app as soon as possible.

Data Retention & Deletion

This covers account data that Hydron holds. It does not cover your workload data — Hydron does not store or back up the data inside your provisioned server.

What we retain

| Data category | Examples | Retention period |
|---|---|---|
| Account & contact data | Name, email, organisation | Deleted within 2 months of checkout / account closure |
| Provisioning & usage logs | Server provisioning events, API access logs | Maximum 2 months |
| Audit logs (provisioning/wipe) | Records of deployment and wipe events | Maximum 2 months |
| Support communications | Tickets, chat history | Maximum 2 months |
| Billing & payment records | Invoices, transaction records | Retained for the statutory period required under Lithuanian accounting and tax law |

Billing and tax records must be kept for a statutory period regardless of account closure, so they are the one exception to our two-month deletion rule.

Workload data on the server

When a server is deprovisioned or re-assigned, its storage is securely erased before it is made available to another customer. Hydron does not retain a copy of your workload data. You remain responsible for exporting or backing up anything you need before deprovisioning.

Deletion on offboarding

When you check out of our service or close your account, we delete account data, logs, and support history within two months, except billing records we are legally required to retain, which are deleted at the end of their statutory retention period.

Requesting deletion

To request deletion of your personal data, or to exercise other rights under the GDPR (access, rectification, portability, objection), contact support@hydron.app. We respond to verified requests within the timeframes required by the GDPR.

Hydron is operated by UAB Vertex, Liepų g. 83, LT-92195 Klaipėda, Lithuania. Questions: support@hydron.app.