Security

Security is foundational to HUMΛN. This page describes how we protect the platform, your Passport, and your data — and how to report a security issue.

Passport security

HUMΛN Passports are built on WebAuthn, the same standard used by passkeys in Apple, Google, and Microsoft devices. Key properties:

  • Private keys never leave your device. Your biometric data and private key are stored in your device's Secure Enclave or TPM. HUMΛN stores only your public key and DID.
  • No passwords to steal. Authentication uses cryptographic challenge-response — there is no password that can be phished, breached, or reused.
  • Phishing-resistant by design. WebAuthn credentials are origin-bound. A fake site cannot trick your device into signing an authentication request.
  • Recovery keys. We strongly encourage setting up recovery keys during onboarding. These are single-use keys you store safely that let you recover access from a new device.

For technical details, see the Passport Security deep-dive.

Infrastructure and data security

  • Encryption in transit: All communication uses TLS 1.3. API endpoints enforce HTTPS.
  • Encryption at rest: Data is encrypted at rest using AES-256.
  • Access controls: Internal access to production systems follows least-privilege principles with multi-factor authentication required.
  • Audit logging: All API access and administrative actions are logged with tamper-evident records.
  • Dependency management: We monitor dependencies for known vulnerabilities and apply patches on a risk-prioritized schedule.

Capability-scoped delegation

HUMΛN uses a delegation model where every API credential is scoped to a specific set of capabilities. There are no all-access tokens — every delegation token specifies exactly what it can do, for how long, and on whose behalf.

This limits blast radius if a token is compromised: an attacker with a scoped token for agent.invoke:companion cannot access passport management, billing, or other unrelated capabilities.

Responsible disclosure

We take security reports seriously and appreciate the security community's help in keeping HUMΛN safe.

Report a vulnerability

Please email security@builtwithhuman.com with:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce or a proof of concept
  • Any relevant logs, screenshots, or supporting material

Our commitments to researchers:

  • We will acknowledge receipt within 2 business days
  • We will keep you informed of our progress
  • We will not pursue legal action against good-faith reporters
  • We will credit researchers (if desired) in our disclosure

Please allow us reasonable time to investigate and remediate before public disclosure. We ask for coordinated disclosure with a typical window of 90 days.

For encrypted communication, a PGP key is available on request from security@builtwithhuman.com.