Draft notice — last updated 20 April 2026. A detailed, SOC 2 Type II-audited security posture document is in preparation.
Website (datahive.id)
- HTTPS everywhere via Let's Encrypt automatic renewal. HSTS enabled with a 2-year max-age and preload.
- Strict security headers: X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy restrictive default-deny.
- Rate limiting on all request paths.
- No third-party analytics or advertising trackers.
- Infrastructure hosted in Indonesia.
Datahive platform
- On-premise deployment on customer-controlled infrastructure — no phoning home, no telemetry, no tenant data in VAL.ID-managed infrastructure.
- Air-gapped deployment mode available for Sovereign-tier engagements.
- RBAC and column-level access controls tied to your identity provider via OIDC/SAML and SCIM.
- Append-only audit trail for every read and write, with user, timestamp, and query context.
- Encryption at rest via MinIO SSE-KMS or SSE-C, per-bucket key management.
- Open-source codebase — auditable, reproducible builds, no binary blobs.
Reporting a vulnerability
If you've discovered a potential security issue, please email hello@val.id with “Security disclosure” in the subject. We acknowledge all reports within two business days and coordinate disclosure responsibly.