H2Cyber generates plain-English score explanations, monthly report memos, policy documents, take-action guidance, and form auto-fills with Anthropic’s Claude models on Amazon Bedrock. Your data is not used to train any model and is not retained after a response is returned. This page lays out the architecture, the data flow, and what you can verify yourself.
Every Bedrock call carries the no-training header. Anthropic does not use your content to train any model under our agreement. This applies whether the data is your assessment answers, an uploaded policy, or a question on a vendor form.
Your prompt and the model’s response are not stored on the model provider’s side after the response is returned. We keep an audit log on our side so you can see what was generated when, for whom, and at what cost. That log is yours; you can request a copy.
Every AI-generated answer in the platform carries a citation back to the assessment field, audit history, regulatory section, or device record it was drawn from. If we don’t have the data, the answer says so. We don’t make things up.
| Feature | What it does | Inputs cited |
|---|---|---|
| Score translator | Plain-English explanation of any score numeral on the dashboard or report cover. | Assessment, audit history, NIST CSF 2.0, regulatory profile. |
| Monthly report memo | Two-paragraph cover memo and the “This month” interior page. Everything else on the report is structured templating, not AI. | Assessment, prior month, regulatory bulletins. |
| Policy studio | Information Security, DR/BCP, AUP, and Incident Response policies generated from your company info and assessment state. | Assessment, company info, regulatory profile. |
| Adaptive guidance | The take-action drawer prose that names your actual devices, your regulatory cites, and what’s already implemented. | Assessment, Syxsense device fleet, audit history, NIST CSF 2.0. |
| Form auto-fill | Cyber-insurance applications, customer security questionnaires, vendor-risk forms, populated from your assessment. | Assessment, Syxsense, company info. |
Assessment answers, device records pulled from Syxsense, and company info live in a tenant-isolated database row keyed to your account. They never leave your tenant on the H2Cyber side.
Each prompt combines a voice file (the H2Cyber writing voice), a task-specific instruction, and the task-specific input drawn from your data. The voice file is the same for every customer; the input is yours.
We call Anthropic’s Claude through Bedrock’s Converse API with a no-training header attached. Bedrock processes the prompt, runs the model, and returns a response. The data is encrypted in transit and not used to train.
Our audit log records the task type, the model used, the latency, the cost, and the timestamp. The full prompt and response are kept only as long as needed to render the response in your UI; after that, only the structured output (e.g., the explanation text) is retained as part of your assessment record.
Every AI-generated answer in the platform carries a “Why this number?” or “Why this advice?” reveal that lists the inputs the model used and the model that generated the answer. Settings → AI features shows your monthly compute spend and a link to the full audit log of every call we made on your behalf.
The fastest, lightest model. Used for the 1–3 sentence popovers that explain what a score means in your business context. Optimized for low latency so the popover opens within a second.
The balanced model. Drives the take-action drawer prose and the form auto-fill answers, where length is moderate and citation discipline matters.
The largest model. Used for the long-form deliverables: policy documents and the monthly report memo. We use Opus only where the prose has to hold up to regulator review.
Email security@h2cyber.com. We respond within one business day. If you are a regulator or an underwriter asking on a customer’s behalf, we’ll route you to the right person and include a copy of the customer’s audit log on request, with their authorization.