Built for Privacy. Designed for Trust.

Your Security is our Top Priority

HeyPico is built with PRIVACY at its core.

Your data stays YOURS: never sold, never used to train models, always under your control.

Safe AI Use

Your conversations and content are never used for advertising or to train third-party AI models.

You decide what is stored, shared, or forgotten.

CASA Tac Security

Launch a compliant, enterprise-grade AI assistant in minutes. Voice-enabled, RAG-powered, and ready to plug into your existing data without complex setup or infrastructure overhead.

Full Control of AI's Memory

Choose exactly what HeyPico can remember about your business, customers, and team. Turn memories on or off per workspace so you stay flexible, future-proof, and always in control.

Permissions

Grant precise access by team, role, or project. Connect your internal databases and tools while keeping sensitive data restricted to the people who should actually see it.

Private Data

Keep your proprietary content private by default. Connect OpenAI, Anthropic, and other leading models through HeyPico without exposing your raw data to model providers.

Certifications

CASA
CASA Tac Security Tier 2

Security Controls

Our infrastructure is hardened end-to-end, with 24 of 24 security controls verified, from encryption and secrets management to DDoS protection and automated backups.

Data Protection & Encryption

Status
Credentials stored in Secrets Manager; encryption at rest (KMS)
Workflow/credential data encryption (managed key)
Credentials fetched at startup; no plain secrets in manifests
Credential and script volumes mounted read-only

Access Control & Secrets Management

Status
Separate secret path per service and environment
IAM least privilege for Secrets Manager access
Per-environment isolation (namespace and secret)
Images from central registry; imagePullSecrets

Infrastructure & Network Security

Status
TLS 1.3 for public domains
TLS in transit (proxy + certificate at origin)
Load balancer per service; inbound HTTPS only
Proxy + Under Attack Mode (managed challenge)
DDoS protection (SSL/TLS, network-layer, HTTP)
WAF (rate limiting; managed rules per plan)
Kubernetes (cluster, node group, namespace, ingress)
Network isolation (VPC, security group per layer)
Ingress HTTPS only; redirect and certificate

Platform Reliability & Resilience

Status
Redundancy (multi-cluster, multi-AZ, secret per environment)
Geographic redundancy (multi-AZ; multi-region planned)
Autoscaling (HPA; KEDA for queue-based workers)
Automated backup (DB to object storage, scheduled AMI)
Point-in-time recovery (from DB backup or AMI)
24/7 uptime monitoring and alerting
Container health checks and restart policy