Security and Data Handling

Access controls

Access to every model, dataset, and result is controlled per project. Each project member holds a defined role (Viewer, Contributor, Editor, or Manager) and the project owner controls who that is. Nothing in a project is visible to anyone who has not been given access to it.

Visibility is explicit and invite-driven

Every project has one of three visibility settings, and each one is driven by an explicit invitation, never by implication:

• Private: only the specific people you have added can see the project.
• Organization: only people you have explicitly invited by email. Being in the same organization grants no access on its own.
• Public: visible to anyone, only if you choose to make it so.

Members are added by email invitation. Pending invitations are listed with controls to resend or revoke them, and accepted members are shown alongside their role, so the access list for any project is always visible and auditable.

Enforced on every request

Permissions are checked on every API request, per resource, not just in the interface. Unauthenticated visitors cannot reach private projects or their data. A scheduled daily audit checks that the access controls in force still match what each project owner intended and flags any drift.

Who else can access your data

• Hydrata engineers, only when you engage us for a done-for-you (Mode B) verification, and with your knowledge.
• Hydrata administrators, for platform maintenance only. Your model data is not inspected without cause.

Hydrata does not share, sell, or use your model data to train machine learning models.

Encryption

All connections to hydrata.com are served over HTTPS (TLS 1.2 or higher), with plain HTTP redirected to HTTPS, using industry-standard certificates that renew automatically.

Stored data, including your model inputs, results, and the database, is encrypted at rest using industry-standard AES-256 encryption.

Confidentiality

Model data uploaded for a done-for-you (Mode B) engagement is treated as confidential. Hydrata will not disclose it to third parties without your written consent, except where required by law.

If a confidentiality or non-disclosure agreement is required for your engagement, contact us before uploading.

Contact us about an NDA

Retention and deletion

Your model data is retained for as long as your account is active or as required to complete the verification engagement.

• You can delete individual projects, datasets, and results from within the platform at any time.
• Account deletion: contact david.kennewell@hydrata.com and all associated model data is removed within 30 days.
• Short-term backups are kept for disaster recovery and access to them is restricted to Hydrata administrators.

Infrastructure

Hydrata runs on enterprise-grade cloud infrastructure with the availability and security controls you would expect for production hydraulic modelling. Your data is processed within a single region and is not moved between regions during normal operation.

We are happy to share further detail on our hosting, data residency, and sub-processors under a confidentiality agreement as part of a due-diligence review.