We implement privacy by architecture, not privacy by policy. On-device processing means your neural patterns never need to leave your device. This architectural choice eliminates the largest attack vector in neurotechnology: data in transit.
We partner with IMEC Belgium and follow clinical-grade security standards because hospitals, researchers, and healthcare providers deserve systems they can trust with sensitive neuroscience data. Your trust is earned through transparent security practices, verifiable protections, and a commitment to continuous improvement.
Security Architecture Overview
On-Device Processing (Mentis Chip)
The Mentis chip is the cornerstone of Handran's security architecture. All neural signal processing happens locally on this proprietary processor—no internet connection is required for core device functionality.
- Local computation: Brain data is processed directly on the Mentis chip
- No mandatory cloud transmission: Neural signals never leave your device unless you explicitly enable optional cloud features
- On-device AI inference: NeuraTxT EEG-to-Text processing runs locally on embedded LLM models, so raw EEG is never sent to a remote inference service
- Real-time signal processing: Raw neural data is immediately converted to processed signals
- Attack vector elimination: keeping neural data on the device removes the largest security risk in cloud-based systems, sensitive data in transit
Data Encryption
At Rest
All data stored on NH1 devices or in Handran's cloud infrastructure is encrypted at rest using AES-256-GCM, an authenticated encryption mode that protects both confidentiality and integrity of the stored data.
- Algorithm: AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode)
- Device-level encryption: Encryption keys are stored in hardware-protected secure enclaves on NH1 devices
- Scope: All neural data, session recordings, user preferences, and application data are encrypted when not actively in use
- Key management: Encryption keys never leave your device without explicit user authorization
In Transit
When you choose to sync data, all network communications are encrypted end-to-end.
- Protocol: TLS 1.3 for all network communications
- Certificate pinning: Applications use certificate pinning to prevent man-in-the-middle attacks
- End-to-end encryption: Optional cloud sync features use encryption that only your device can decrypt
- Zero unencrypted transmission: We never transmit neural data, session keys, or credentials in plaintext
- Perfect forward secrecy: Each session uses ephemeral keys, so even if a long-term key is compromised later, previously recorded communications cannot be decrypted
Hardware Security
NH1 devices incorporate multiple layers of hardware-level security to prevent physical tampering and ensure the integrity of the Mentis chip.
Security Features
- Secure boot chain: Device firmware is verified and authenticated before execution
- Hardware-based key storage: Encryption keys are stored in tamper-resistant hardware modules, not in software memory
- Tamper detection mechanisms: Physical tampering with the device is detected and logged
- Firmware integrity verification: Device firmware cannot be modified or replaced without passing signature verification during the secure boot chain
- IPC-A-610 Class II compliance: NH1 Max devices meet aerospace/defense manufacturing standards
Access Controls & Authentication
User Authentication
- Multi-factor authentication (MFA): Handran App accounts support MFA via authenticator apps and backup codes
- Device pairing authentication: New devices must be authenticated and paired with user accounts
- Session management: Automatic timeout after 30 minutes of inactivity; users can remotely log out of all sessions
- Biometric authentication: Optional fingerprint/face recognition for mobile app access
Enterprise & Researcher Access Control
- Role-based access control (RBAC): Neurocare Enterprise Pro supports granular permission models
- API key management: Developers can generate and revoke API keys with specific scopes
- Audit logging: All access to neural data is logged and auditable
- Single sign-on (SSO): Enterprise customers can integrate with SAML/OAuth2 identity providers
Compliance & Certifications
| Standard | Scope | Target | Status |
|---|---|---|---|
| SOC 2 Type II | Security, availability, and confidentiality | Q4 2026 | In Progress |
| ISO 27001 | Information Security Management System | Q2 2027 | Planned |
| HIPAA | Healthcare data protection | Q4 2026 | Aligned |
| GDPR | EU General Data Protection Regulation | Current | Compliant |
| CCPA | California Consumer Privacy Act | Current | Compliant |
Healthcare & Research Standards
- Research Use Only (RUO) designation: NH1 devices are currently designated for research use; not yet FDA-cleared
- FDA 510(k) pathway: Planned submission for 2027
- Data handling aligns with Declaration of Helsinki and ICH-GCP guidelines
- Data management procedures are compatible with IRB requirements
Incident Response
We maintain a dedicated security team prepared to respond to potential security incidents with speed and transparency.
Response Procedures
- 24-hour monitoring: Security incidents are monitored around the clock
- P1 (Critical): Active compromise of user neural data or widespread system failure
- P2 (High): Significant security vulnerability requiring urgent patching
- P3 (Medium): Moderate issue with limited user impact
- P4 (Low): Minor issues with no direct security impact
Communication & Remediation
- Users notified within 72 hours of a confirmed data breach (per GDPR)
- Post-incident reports are published publicly
- Critical issues receive emergency patches within 48 hours
- All significant incidents undergo root-cause analysis and documented remediation
Vulnerability Disclosure Program
We encourage responsible disclosure of vulnerabilities and will not pursue legal action against good-faith security researchers.
How to Report
Scope
- NH1 Pro, NH1 Max devices and firmware
- Mentis chip and on-device AI models
- Handran App (iOS, Android, Windows, macOS)
- Handran Cloud APIs and services
- Third-party integrations
Response Commitments
- Acknowledgment within 48 hours
- Triage and severity assessment within 5 business days
- Regular progress updates every 2 weeks
- Security patches typically within 30 days for critical issues
- Valid reports recognized in our Security Hall of Honor (with permission)
- No retaliation against responsible disclosure
Third-Party Security
Handran works with trusted partners including IMEC Belgium and Audio-Technica Japan.
Vendor Management
- Pre-onboarding security assessments for all vendors
- Legally binding Data Processing Agreements
- Annual third-party security audits
- Vendors only receive data necessary for their specific function
- Secure data deletion upon relationship end
Supply Chain Security
- Hardware manufacturing security managed through IMEC partnership
- Every device tracked from manufacture to delivery
- Firmware is cryptographically signed and verified
- Supply chain is auditable
Security Updates & Patches
Firmware Updates (NH1 Devices)
- Over-the-air (OTA) updates; devices check weekly
- Critical security patches automatically installed with notification
- All firmware changes documented in release notes
- Rollback capability to previous versions
- Every update is cryptographically signed and its signature verified on the device before installation
Software Updates (Handran App)
- Automatic security updates via app stores
- Desktop clients check for updates automatically
- Security patches for app versions up to 2 years old
End-of-Life Policy
- Devices receive security updates for a minimum of 5 years after release
- Migration guidance provided after support ends
- Data export in open formats (EDF, BDF, CSV) at any time
Data Backup & Recovery
Local Backup
- Standard export formats: EDF, BDF, or CSV
- User-controlled backup to your own storage devices
- No dependency on Handran; exported data works with any compatible tool
Optional Cloud Backup
- Entirely optional and must be explicitly enabled
- End-to-end encrypted before leaving your device
- Automatic syncing on a schedule you choose
- Version history for recovery from accidental deletion
Contact Security Team