The Data, Access, and Accountability Questions IT Raises, and the Controls Behind HData's Answers
When a regulatory affairs team champions a new AI platform, the conversation eventually reaches the same desk: information technology (IT).
And IT typically asks the right questions: What data does the platform access? Where does data go? Who controls the data? How does the data integrate with existing systems? What happens in the event of a data breach? In most software evaluations, these questions function as a checklist. In a regulated industry like energy, they are the conditions for responsible adoption.
The energy sector runs on information that regulators, utilities, courts, and parties can scrutinize for years. Any platform that touches that information inherits the same standard of care. Security, in this context, is a design constraint that shapes what a product is allowed to become.
Here is how HData thinks about that constraint, and how it answers the questions security-conscious professionals tend to raise first.
What the HData Platform Does
HData serves utilities, regulators, advocacy organizations, advisory firms, and energy technology companies. The work happening on the platform involves analyzing regulatory filings, synthesizing proceeding histories, monitoring docket activity, and generating AI-assisted research outputs that draw on authoritative public regulatory sources and, when a user chooses, user-integrated internal data.
HData is a regulatory intelligence platform and operating system, not a general-purpose AI tool. Users are not uploading arbitrary files, connecting to unvetted data sources, or generating outputs that feed directly into operational systems. The workflow is bounded and specific, which means the data flows are predictable and reviewable, a meaningful advantage when an IT team needs to reason about risk.
Where the Data Lives and How It Is Protected
Most of what HData users analyze is already public: filings, commission orders, docket records, and related regulatory documents from the Federal Energy Regulatory Commission (FERC), state utility commissions, Regional Transmission Organizations (RTOs), Independent System Operators (ISOs), and other authoritative sources. HData organizes and structures that public record so it can be searched and analyzed quickly and at scale.
For organizations that choose to integrate their own internal data, such as proprietary research, internal filings, and strategic documents, HData's controls are built around a straightforward principle: that data belongs to the customer, and the platform's job is to keep it that way. The repository that houses sensitive customer data is encrypted at rest using AES-256, and confidential data is encrypted in transit using TLS 1.2 or higher, not only when it crosses public networks but also as it moves within HData’s own infrastructure. And all customer data is stored and processed in the United States.
The production network is segmented specifically to prevent unauthorized access to customer data, and a formal data classification policy governs how confidential information is secured and who may reach it. When an HData user leaves the service, their data is purged from the application environment under formal retention and disposal procedures.
For HData’s Regulatory AI in the platform, the commitments are direct. Documents uploaded to a customer's private catalog, along with the associated prompt history, are fully private to that user. HData does not review the content of those documents or users’ prompts, and it does not use customer documents or prompt history to train AI models. That prohibition extends contractually to HData’s third-party AI model providers as well. The system's capability comes from how it is built, not from quietly learning on a user's confidential work.
Transparency as a Security Property
For teams evaluating AI platforms, the black-box concern is real. If a platform generates AI outputs that inform regulatory decisions without traceable sourcing, it creates both accuracy risk and accountability risk.
HData treats traceability as part of its security posture. Every AI-generated response includes detailed, downloadable citations linking the output back to the source documents that informed it. Outputs can be verified against primary sources, and organizations keep a clear record of what information informed what conclusion, which is precisely what regulatory and legal scrutiny demands.
Compliance and Certifications
HData maintains AICPA SOC 2 Type II attestation, in which an independent auditor verifies not only that security controls are properly designed, but that they operate effectively over time. Access to production systems is restricted to authorized users, requires multi-factor authentication over an approved encrypted connection, and is reviewed at least twice per year. An intrusion detection system provides continuous monitoring for early detection of potential breaches. Production systems also undergo vulnerability scanning and penetration testing at least annually, with remediation tracked against defined timelines.
For users, the platform supports SAML 2.0 single sign-on (SSO) for integration with an organization’s own identity provider, and multi-factor authentication is enforced for all customer accounts. HData holds its own workforce tools to the same standard: corporate systems are SSO-first with multi-factor authentication required.
Security policies, network and system hardening standards, and the vendor management program are each reviewed at least annually, and HData’s Board of Directors is briefed at least annually on the company's cybersecurity and privacy risk. Incident response procedures are documented and followed, with affected parties notified according to policy.
Regulated industries operate under frameworks that have direct implications for the technology platforms their teams use. HData's compliance posture is designed to meet the requirements of enterprise customers in energy, utilities, and adjacent regulated sectors.
For teams that want to go deeper into HData's security and compliance, reach out by emailing security@hdata.com or visiting HData’s trust center at trust.hdata.com.
About HData
As the AI-native operating system for energy regulation, HData serves the largest customer ecosystem in regulated energy, helping utilities, regulators, advocates, advisory firms, corporates, and energy technology companies navigate regulatory complexity. Through centralized data, domain AI, and purpose-built applications, HData accelerates the research, analysis, and workflows critical to how the future of energy is decided.