Compliance and access control
This page covers the operator-facing compliance and access surfaces. For runtime data protection (encryption, RLS, provider keys), see Data protection and Provider keys.
DSAR exports
Section titled “DSAR exports”Hyponema can produce a per-user export of everything stored about them: profile fields, attributes, conversation transcripts, memory observations, supersede chains, post-session extraction records, and the relevant audit entries.
Request an export from Settings → Privacy → DSAR in the dashboard, or:
curl -X POST "https://api.hyponema.ai/workspaces/$WORKSPACE_ID/users/$USER_ID/export" \ -H "Authorization: Bearer $HYPONEMA_API_KEY"The response includes the export_id. The export runs as a background worker job. Poll with:
curl "https://api.hyponema.ai/workspaces/$WORKSPACE_ID/dsar-exports/$EXPORT_ID" \ -H "Authorization: Bearer $HYPONEMA_API_KEY"When the status is ready, GET .../download returns a signed link to the export archive. The archive is short-lived; subscribe to the dsar.ready webhook event if you want to automate delivery.
Retention
Section titled “Retention”Retention is configured per workspace. Sources of truth:
- Transcript retention applies to per-turn conversation rows.
- Memory observations follow engine retention policy and the supersede chains they participate in.
- Audit log retention is independent and typically longer than transcript retention.
When a retention window elapses, the compliance worker purges the affected rows. Active sessions are never truncated.
Audit log
Section titled “Audit log”Every privileged action against the workspace lands in the audit log: agent publishes / rollbacks, persona edits, member invites and role changes, API-key minting / revocation, credential rotations, DSAR exports, plan changes.
Read it from Settings → Audit log, or:
curl "https://api.hyponema.ai/workspaces/$WORKSPACE_ID/audit-log?limit=100" \ -H "Authorization: Bearer $HYPONEMA_API_KEY"The endpoint paginates and supports filters by actor, resource type, and time range.
Members and roles
Section titled “Members and roles”Workspace members are humans (or service users) who can sign in to the dashboard. Roles control what they can see and change:
| Role | Can do |
|---|---|
OWNER | Everything, including billing and member management. |
ADMIN | Everything except billing-restricted actions. |
DESIGNER | Manage agents, personas, voices, listening profiles, post-session runners, KB. |
DEVELOPER | Manage tools, webhooks, API keys, schedules, custom code surfaces. |
OPERATOR (where present) | Observability + memory inspection, no configuration changes. |
Invite members from Settings → Members:
curl -X POST "https://api.hyponema.ai/workspaces/$WORKSPACE_ID/members/invites" \ -H "Authorization: Bearer $HYPONEMA_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "email": "teammate@example.com", "role": "DESIGNER" }'Patch a role with PATCH /workspaces/{ws}/members/{client_id}. Resend a pending invite with POST /workspaces/{ws}/members/invites/{invite_id}/resend. Remove a member with DELETE.
SSO (SAML)
Section titled “SSO (SAML)”Hyponema supports SAML SSO at the workspace level. Configure it from Settings → SSO or:
curl -X PATCH "https://api.hyponema.ai/workspaces/$WORKSPACE_ID/sso/saml" \ -H "Authorization: Bearer $HYPONEMA_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "idp_metadata_url": "https://idp.example.com/metadata.xml", "default_role": "DESIGNER" }'Once configured, the dashboard SP-initiated flow routes through /auth/sso/saml. The default_role applied to newly-provisioned members is the floor; existing members keep their assigned roles.
API key management
Section titled “API key management”Workspace API keys authenticate server-to-server calls. They are prefixed hyp_, are minted from Settings → API keys, and are shown once at creation time:
curl -X POST "https://api.hyponema.ai/workspaces/$WORKSPACE_ID/api-keys" \ -H "Authorization: Bearer $HYPONEMA_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "name": "Backend service" }'The response includes the plaintext key — store it in your secret manager and never expose it to a browser. DELETE /workspaces/{ws}/api-keys/{id} revokes a key immediately.
Rotate keys regularly. If a key is leaked, revoke it from this surface and investigate via the audit log.
What gets logged where
Section titled “What gets logged where”| Action | Audit log | Observability | Outbound webhook |
|---|---|---|---|
| Agent publish / rollback | ✓ | — | — |
| Persona edit | ✓ | — | — |
| Member invite / role change | ✓ | — | — |
| API key mint / revoke | ✓ | — | — |
| DSAR export ready | ✓ | — | dsar.ready |
| Session start / end | — | ✓ | post_call_transcription |
| Tool call | — | ✓ | — |
| Webhook delivery attempt | — | ✓ | — |
| Escalation triggered | — | ✓ | escalation.triggered |
| Subscription / invoice events | ✓ | — | subscription.changed / invoice.paid / invoice.failed |