HexaEight® Partner Program

Verified is automatic.
Certified is earned.

Two tiers, one structural test. Deploy a HexaEight Marketplace VM and you're a Verified Partner from day one. To reach Certified, every identity you issue must carry your own root domain. We verify it through a reconciliation audit.

Two tiers, side by side

The fee is the smallest difference. The structural test is everything.

Verified Partner
Active HexaEight Marketplace VM
Free
Automatic on Marketplace VM deployment
Badge
HexaEight Verified Partner
What you get
  • Permission to resell HexaEight identities commercially
  • Display the "HexaEight Verified Partner" badge
  • Listed on the hexaeight.com partner directory
  • Operating model is yours to choose: resell licenses, host customer VMs, integrate into your own services
Conditions
  • Subject to spot-audit at HexaEight's discretion
  • 72-hour disclosure on any security or business-conduct incident affecting HexaEight-branded identities
Certified Partner
Reconciliation audit, 100% partner-domain compliance
$10K / year
Plus 1,000+ core annual license volume
Badge
HexaEight Certified Partner
What you get
  • Everything in Verified
  • Display the "HexaEight Certified Partner" badge
  • Featured placement on hexaeight.com
  • Dedicated support contact and roadmap briefings
  • Co-marketing and joint case study opportunities
Conditions
  • Annual reconciliation audit required to retain badge
  • Audit fee is non-refundable if compliance check fails
  • Demotion to Verified on discovery of any non-compliant identity in audit
  • 72-hour disclosure mandatory (same as Verified)
The Certified Test

One question. Yes or no.

Does every identity issued from your HexaEight Marketplace VMs carry your own root domain? If yes, the audit passes. If even one identity is hosted under someone else's domain, Certified status is not granted.

Example: Certified Partner deployment
agent01.newbank.partnerbank.ai
agent01.acmebank.partnerbank.ai
agent01.thirdcorp.partnerbank.ai

Every identity carries partnerbank.ai as the root. The customer subdomain in the middle is the audit trail. The partner has staked their brand on every install.

Example: Verified only (Certified fails)
bridge.newbank.com
bridge.acmecorp.com
bridge.thirdcorp.io

Three different customer-owned root domains on the same partner VM. Legitimate business (the partner is hosting customer-owned identities), but they aren't staking their own brand on anything. Verified is fine. Certified is not granted.

Deployment Variants

Two ways to deploy. Both pass the audit.

Where the VM runs doesn't matter. Whose root domain is on the identities does.

Variant A

Partner's own subscription

Partner runs HexaEight Marketplace VMs in their own Azure (or AWS, GCP) subscription. They pay for the compute. They host many customers per VM. The partner's product moat stays inside their infrastructure.

Best for: Multi-tenant SaaS platforms, vertical AI products, regional resellers.
Variant B

Customer's subscription, partner-controlled VM

Customer's Azure subscription pays for the compute, but the partner operates the VM and assigns partner-domain identities. DNS for the partner's identities points to the VM in the customer's subscription.

Best for: Enterprise integrators where customers want to own the compute spend; partner moat stays in the runtime.
Audit Method

Reconciliation, not surveillance

The audit doesn't read your source code, your customer contracts, or your business operations. It reconciles two lists.

1
HexaEight prepares the platform-side list

HexaEight queries its own platform records and produces a list of every identity activated under the applying partner's relationship. This is the ground truth. The partner can't curate, hide, or fake it.

2
Partner runs the HexaEight-provided audit tool

The tool scans the partner's registered Marketplace VMs, reads the hexaeightkeys.db files, extracts the login tokens, and reports the identity hostnames back to HexaEight. The partner runs it themselves; HexaEight does not need direct VM access.

3
HexaEight reconciles the two lists

Side-by-side: identities the platform recorded vs identities found on partner VMs. The audit checks whether every identity on the partner's VMs carries the partner's root domain.

4
Partner answers any mismatches

If identities exist on the platform but not on partner VMs (decommissioned? migrated?), the partner provides explanation with evidence. Reasonable answers close the gap.

5
Certified granted or denied

100% partner-domain compliance across the reconciled list = Certified, badge granted. Any non-compliant identity discovered = Certified denied, $10K audit fee is not refunded, partner remains Verified.

What the audit does not touch. HexaEight does not inspect partner source code, business logic, customer contracts, or product internals. The reconciliation only proves which identities exist and which root domain they carry. The partner's product moat stays inside their own environment.
Mandatory for both tiers

72-hour incident disclosure

If a HexaEight-branded identity is involved in a security incident, key compromise, customer complaint about misuse of HexaEight branding, fraud claim, or any business-conduct issue, the partner discloses to HexaEight within 72 hours. Non-disclosure suspends the Verified or Certified badge pending review.

Real Examples

Where partners land in the program

Same product, different operating shapes. The shape determines the tier.

Vertical AI product on customer infrastructure

Certified-eligible

A regional banking AI startup builds a Compliance Suite. They install HexaEight Marketplace VMs in each customer bank's Azure subscription, but they own and operate those VMs. Identities are issued as agent01.newbank.partnerbank.ai, agent01.acmebank.partnerbank.ai, agent01.thirdcorp.partnerbank.ai. Partner's root domain on every identity, customer subdomain in the middle. Partner moat (Compliance Suite logic) stays inside their VMs.

Multi-tenant agentic platform

Certified-eligible

A SaaS company runs an "agentic AI workflow platform." They host HexaEight Marketplace VMs in their own subscription. Every tenant signup automatically provisions an identity like tenant42.acmeagents.com inside their VM. Customers buy the platform; identity is a primitive they never have to think about.

Managed integration / systems integrator

Certified-eligible

A systems integrator wraps HexaEight identity into an enterprise customer's existing agent stack. They install a Marketplace VM (in either subscription), provision the identity under partner-domain (e.g., agent01.enterprisecust.si-partner.com), and own the operational lifecycle. Customer pays one invoice for software-with-services.

Regional cloud reseller / local SaaS vendor

Either tier

A regional cloud provider sells agentic identity to SMBs in their market with local currency, local invoicing, and a local support hotline. They run HexaEight Marketplace VMs and host identities for many small customers. If those identities carry the regional reseller's root domain, they qualify for Certified. If they carry each customer's own domain (raw license passthrough), they remain Verified.

VPS-style identity hosting

Verified only

A hosting provider deploys a Marketplace VM and rents identity slots to end customers. Each customer brings their own domain (bridge.newbank.com, bridge.acmecorp.com). The partner provides compute + the HexaEight platform but doesn't stake their own brand on any identity. Legitimate business; Verified Partner. Not eligible for Certified because the structural audit signal (partner domain on every identity) isn't there.

Apply for Certified status

Tell us how you operate today: how you deploy HexaEight Marketplace VMs, how you name your identities, and the volume you expect to hit. If you're already running Verified, applying for Certified is straightforward.

Apply via [email protected]