Skip to main content
Hopx provides enterprise-grade security through complete isolation, encrypted storage, and secure secrets management.

Isolation

Each sandbox is fully isolated from others and the host system:
  • Separate filesystem: Each sandbox has its own isolated filesystem
  • Separate network namespace: Each sandbox has its own network stack
  • Separate process tree: Processes cannot access other sandboxes
  • Resource limits: CPU, memory, and disk limits are enforced
Complete isolation ensures that code running in one sandbox cannot access or interfere with other sandboxes or the host system.

Security Model

Filesystem Isolation

Each sandbox has its own filesystem that is completely separate:
  • Python
  • JavaScript/TypeScript
from hopx_ai import Sandbox

# Sandbox 1
sandbox1 = Sandbox.create(template="code-interpreter")
sandbox1.files.write("/workspace/data.txt", "Sandbox 1 data")

# Sandbox 2 (completely separate)
sandbox2 = Sandbox.create(template="code-interpreter")
# Cannot access sandbox1's files

sandbox1.kill()  # Cleanup
sandbox2.kill()  # Cleanup

Network Isolation

Each sandbox has its own network namespace:
  • Separate IP addresses: Each sandbox has its own IP
  • No inter-sandbox communication: Sandboxes cannot directly communicate
  • Controlled outbound access: Outbound requests are monitored and logged
  • Secure inbound access: Inbound access requires authentication

Process Isolation

Processes in one sandbox cannot access processes in another:
  • Separate process IDs: Each sandbox has its own process namespace
  • Resource limits: CPU and memory limits prevent resource exhaustion
  • No host access: Processes cannot access the host system

Secrets Management

Never hardcode secrets in your code. Always use environment variables:
  • Python
  • JavaScript/TypeScript
from hopx_ai import Sandbox

# ✅ Good: Pass secrets via environment variables
sandbox = Sandbox.create(
    template="code-interpreter",
    env_vars={
        "DATABASE_PASSWORD": "secret123",
        "API_KEY": "key-abc"
    }
)

# Use secrets in code
result = sandbox.run_code("""
import os
password = os.getenv('DATABASE_PASSWORD')
api_key = os.getenv('API_KEY')
# Use secrets securely
""")

sandbox.kill()  # Cleanup
Never hardcode secrets in your code! Always use environment variables or secrets managers.

Best Practices

Always pass secrets via environment variables:
  • Python
  • JavaScript/TypeScript
import os

# ✅ Good: Read from environment
api_key = os.getenv('API_KEY')

sandbox = Sandbox.create(
    template="code-interpreter",
    env_vars={"API_KEY": api_key}
)

sandbox.kill()  # Cleanup
For production, use secrets managers (AWS Secrets Manager, HashiCorp Vault, etc.):
  • Python
  • JavaScript/TypeScript
import boto3
import json
from hopx_ai import Sandbox

# Get secret from AWS Secrets Manager
client = boto3.client('secretsmanager')
response = client.get_secret_value(SecretId='hopx-ai/secrets')
secrets = json.loads(response['SecretString'])

sandbox = Sandbox.create(
    template="code-interpreter",
    env_vars=secrets
)

sandbox.kill()  # Cleanup
Never hardcode secrets in your code:
  • Python
  • JavaScript/TypeScript
# ❌ Bad: Hardcoded secret
# sandbox = Sandbox.create(
#     template="code-interpreter",
#     env_vars={"PASSWORD": "hardcoded-secret-123"}
# )

Automatic Cleanup

Sandboxes automatically delete after:
  • Inactivity timeout: 1 hour of inactivity (configurable)
  • Max lifetime: 24 hours maximum (configurable)
  • Manual deletion: sandbox.kill()
  • Python
  • JavaScript/TypeScript
from hopx_ai import Sandbox

# Sandbox will auto-delete after inactivity or max lifetime
sandbox = Sandbox.create(template="code-interpreter")

# Or manually delete
sandbox.kill()
Automatic cleanup ensures that sandboxes don’t accumulate and consume resources unnecessarily. Always clean up sandboxes when done to minimize costs.

Encryption

All data is encrypted:
  • Encrypted at rest: All filesystem data is encrypted
  • Encrypted in transit: All network traffic uses TLS/SSL
  • Secure storage: Secrets are stored securely

Compliance

Hopx follows industry security standards:
  • SOC 2 Type II: Enterprise compliance certified
  • Data encryption: All data encrypted at rest and in transit
  • Access controls: API key authentication and authorization
  • Audit logging: All operations are logged for security auditing

Security Best Practices

Rotate your API keys every 90 days or when team members leave.
Use separate API keys for development, staging, and production.
Set up alerts for unusual activity in the dashboard.
Never share API keys in chat, email, or commit them to version control.
Never log API keys or secrets in plain text. Always redact sensitive information.

Next Steps

Core Concepts

Back to Core Concepts overview

Authentication

Learn about API key management

Networking

Understand network security

Filesystem

Learn about filesystem isolation