# Network Security at Hyp

We've built our network with security as the foundation, using multiple layers of protection to keep cardholder data safe. Our approach is based on the principle that no network traffic should be trusted by default – everything must be verified and authorized.

## Network security overview

Hyp's network security follows a zero-trust architecture where all connections must be authenticated, authorized, and encrypted regardless of origin. The infrastructure uses defense-in-depth with multiple security layers, including dedicated cardholder data environment (CDE) segments, VLANs, firewalls, and software-defined networking. All systems are hardened according to industry standards, with vendor defaults changed, unnecessary services removed, and continuous monitoring for threats and configuration drift.

## Security controls and monitoring

The platform implements comprehensive security controls, including stateful inspection firewalls with least-privilege rules, quarterly vulnerability scans, monthly internal assessments, and annual penetration testing. Real-time intrusion detection and prevention systems monitor all network segments, supported by 24/7 security operations center coverage. Patch management ensures critical updates are deployed within 30 days, with emergency patches available within 24 hours for zero-day vulnerabilities.

## Supported cipher suites

We maintain strong encryption standards across all network communications using carefully selected cipher suites:

**TLS 1.3 (Preferred):**

* TLS\_AES\_256\_GCM\_SHA384
* TLS\_CHACHA20\_POLY1305\_SHA256
* TLS\_AES\_128\_GCM\_SHA256

**TLS 1.2 (Supported):**

* TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384
* TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256
* TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384
* TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256
* TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384
* TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256
* TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA256
* TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256

These cipher suites are regularly updated based on security research and industry recommendations. We recommend matching your configuration to our supported list for optimal compatibility and security.
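One way to check a client configuration against the list above, as an added example that is not Hyp's own code. The OpenSSL names are the standard equivalents of the IANA names listed on this page, and the names `audit`, `restricted_context`, `HYP_TLS12` and `HYP_TLS13` are hypothetical.

```python
import ssl

# TLS 1.2 suites from the list above (IANA names) -> OpenSSL names, which is
# what ssl.SSLContext.set_ciphers() and get_ciphers() use.
HYP_TLS12 = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
}
# TLS 1.3 suites carry the same name in IANA and OpenSSL.
HYP_TLS13 = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
             "TLS_AES_128_GCM_SHA256"]


def audit(client_suites):
    """Compare a client's enabled suites (OpenSSL names) with the listed ones."""
    tls12 = set(HYP_TLS12.values())
    report = {"tls13": [], "tls12": [], "not_listed": [], "static_rsa": []}
    for name in client_suites:
        if name in HYP_TLS13:
            report["tls13"].append(name)
        elif name in tls12:
            report["tls12"].append(name)
            if not name.startswith("ECDHE-"):
                report["static_rsa"].append(name)  # RSA key exchange: no forward secrecy
        else:
            report["not_listed"].append(name)  # not on the list above
    report["has_overlap"] = bool(report["tls13"] or report["tls12"])
    return report


def restricted_context():
    """Client context limited to the listed TLS 1.2 suites, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 and below; TLS 1.3 suites keep OpenSSL defaults.
    ctx.set_ciphers(":".join(HYP_TLS12.values()))
    return ctx


if __name__ == "__main__":
    enabled = [c["name"] for c in restricted_context().get_ciphers()]
    print(audit(enabled))
```

The TLS 1.2 list contains only RSA-authenticated suites, so a client that enables only ECDHE-ECDSA suites for TLS 1.2 shows no TLS 1.2 overlap in this audit.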

## Shared responsibility model

Security responsibilities vary by integration type:

* **SAQ A merchants** have zero network security responsibilities, as Hyp handles everything.
* **SAQ A-EP merchants** are responsible for managing their web environment that collects card data, while Hyp covers all other controls.
* **SAQ D merchants** and Hyp share most security responsibilities, with coordinated management across both environments.

{% hint style="info" %}
**Shared Responsibility Matrix:** The responsibilities for each side are detailed in the shared responsibility matrix, available upon request [from your Hyp representative](mailto:sales@hyp.co.il). Key shared controls include coordinated vulnerability remediation, incident response, and compliance reporting.
{% endhint %}

