
Common Security Concerns About AI Document Processing—And How Hypatos Resolves Them

Vasil Sultanov
February 2, 2025

Discover how Hypatos enhances AI security, protecting data privacy and model integrity while ensuring trustworthy and compliant document processing.



Since ChatGPT was released, “AI” has seemingly become a household name with wide adoption. There isn’t an organisation that hasn’t signalled the rollout of AI in one way or another, whether to enhance workflow tools or ERP processes, or as part of the emerging AI agents. Yes, AI solutions make back-office processes more accurate, streamlined, fast and, eventually, autonomous, but as exciting as this innovation is, it comes with risks.

What AI vendors must prioritise to keep organisations safe ranges from data confidentiality concerns to risks associated with improper model behaviour. The OWASP Top 10 for LLM Applications 2025 offers a comprehensive guideline on security priorities such as, but not limited to:

  1. Data Privacy and Confidentiality: Safeguarding sensitive data from unauthorized access during storage, processing, and transmission.
  2. Prompt Injection: Preventing malicious inputs from manipulating AI models to produce unintended or harmful outputs.
  3. Sensitive Information Disclosure: Ensuring that AI outputs do not inadvertently expose confidential or sensitive information.
  4. Data and Model Poisoning: Protecting training data and models from being manipulated to produce biased or harmful results.
  5. Improper Output Handling: Ensuring outputs adhere to expected formats and do not create vulnerabilities through unstructured or unmanaged results.
  6. Excessive Agency: Limiting the autonomy of AI systems to prevent unintended actions and enforcing human oversight where necessary.
  7. System Prompt Leakage: Preventing the exposure of system prompts that could reveal sensitive operational details.


How Hypatos Mitigates These Risks

Addressing current security concerns goes together with preparing AI systems to withstand emerging threats. We take a proactive and layered approach to security, applying the following principles in everything we build:

  • Implementation of OWASP-Recommended Controls: Hypatos has implemented robust security controls outlined in the OWASP Top 10 for LLM Applications 2025. These include encryption for data at rest and in transit, strict access controls for both users and AI models based on the principle of least privilege, input and output validation to safeguard against malicious data, and continuous real-time monitoring to detect and mitigate potential threats proactively.
  • Regular Vulnerability Scanning and Penetration Testing: Continuous vulnerability assessments and scheduled penetration tests are conducted to identify and remediate potential weaknesses before they can be exploited.
  • Compliance with Security Standards and Regulations: By maintaining SOC 2 and ISO 27001 certifications, and being compliant with HIPAA and GDPR, Hypatos ensures its security measures are both rigorous and transparent.
  • Transparency and Accountability: Hypatos provides detailed documentation and reporting through its Trust Center, ensuring that clients are informed about the company’s security practices.

You’ve asked – we answer


1. What is Hypatos, and how do we use AI?

Hypatos is a software company that specializes in advanced document processing and intelligent process automation. Our AI Agents leverage LLMs combined with RAG, prompting and tooling to streamline repetitive, manual tasks such as invoice processing, document classification, data extraction, and master data matching. Our solutions help organizations achieve greater accuracy, operational efficiency, and cost savings.

2. How is our data handled?

Data processed by third-party LLM Providers:

We only utilise reputable LLM providers that have strict privacy standards in place: any data submitted to them via API is used solely to process the specific request and is not retained or used for training or improving their AI models. Hypatos uses only their base/pretrained models, which are stateless, meaning no prompts or outputs are stored in the models; after an output is generated, the prompt is immediately discarded.

Data processed and stored by Hypatos:

By default, documents uploaded by customers to Hypatos Cloud are retained for 6 months, except for documents used for AI model training, which are retained for 3 years. Training documents are stored for 3 years to ensure that the dedicated AI model for each of our customers is continuously trained with a sufficient amount of data, so that Hypatos can provide the highest quality and accuracy of service.

Customer data is logically segregated between customers on the database layer, and all locations where customer data is stored are encrypted using AES-256.

3. Where is the Hypatos infrastructure hosted?

Hypatos hosts its cloud services on servers provided by Amazon Web Services (AWS). Customers can select between two AWS Regions for hosting their data based on data residency requirements:

  • eu-west-1 (Europe - Ireland)
  • us-east-1 (US - N. Virginia)

4. Does Hypatos store or reuse processed data to train AI models?

We understand that data confidentiality is paramount. By default, Hypatos does not use sensitive customer data to train or improve AI models. The pre-trained foundation models we use are informed by context data provided by our customers. This data is not used for model training purposes. Hypatos will not train AI models without explicit client consent. We can also provide a fully self-contained deployment model to ensure that data never leaves your environment. For customers who do opt to share data for further model training, we take measures to anonymize and aggregate information to remove any identifying elements.

5. Does Hypatos support Single Sign-On (SSO)?

Yes, Hypatos supports Single Sign-On (SSO) using SAML 2.0. This allows users to authenticate through their organization’s identity provider (IdP), enhancing security and simplifying access management.

6. Do you provide Service Level Agreements (SLAs) for the availability of your cloud services?

Hypatos commits to offering availability Service Level Agreements (SLAs) of between 98% and 99.5%, depending on the subscription plan selected by the customer.

7. What are the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for your cloud services?

We have established the following RTO and RPO targets for Hypatos Cloud:

  • RTO: 24 hours
  • RPO: 6 hours

8. How does Hypatos handle incident response and breach notifications?

We have a documented Security Incident Response Plan that outlines the procedures for identifying, containing, eradicating, and recovering from security incidents. If a data breach occurs that affects customer data, we will notify impacted customers within 72 hours of incident discovery. We also collaborate closely with your internal security and IT teams to implement remediation steps.

9. Do you maintain a detailed list of implemented security measures?

Yes, please refer to our CAIQ, which is available in the Documents section of our Trust Center.

10. Can Hypatos provide references or case studies specific to Information Security?

Yes. We have worked with organizations in highly regulated industries like banking, healthcare, or insurance, where stringent security controls are non-negotiable. Specific references and case studies on how we meet complex compliance and security requirements can be provided on demand.

11. Who can I contact for further security-related inquiries?

Hypatos has a dedicated Security & Compliance team that can be reached at security@hypatos.ai. We welcome the opportunity to discuss your specific requirements, provide documentation, or arrange consultations with our technical experts.
