Last updated: June 5, 2026
Security is part of how we build, not a checkbox at the end. This page describes our practices plainly — what we do, and how to reach us if you find something we missed.
Systems we build run on the client's own accounts and infrastructure — you own the stack, the data, and the code. Access is role-based and mapped to your structure: who can see what, who can approve, who can't.
Where an engagement operates under regulatory requirements such as HIPAA or SOC 2, we design access, audit trails, and retention around those requirements from the start.
We operate on least privilege. Hikm operators get the minimum access an engagement requires, credentials are scoped per client and never shared between engagements, and access is revoked when an engagement ends.
All traffic to hikmsystems.com and to the systems we build is encrypted in transit over TLS. Data at rest is stored with managed infrastructure providers, with encryption enabled and data segregated per client.
API keys, tokens, and credentials are stored in environment-scoped secret managers — never in code, never in version control, never in shared documents.
Code is version-controlled and reviewed before shipping. AI agents used in our build process operate behind approval gates with human review — the same human-led discipline we sell is the one we run on.
If an incident affects a client system, we notify the client directly and promptly, with what we know, what we've contained, and what happens next. No burying.
Found a vulnerability in our site or a system we operate? Email admin@hikmsystems.com with the details. We'll acknowledge it quickly, prioritize the fix, and credit you if you'd like. Please don't test against client systems or access data that isn't yours.