Cybersecurity Policy
Tenant isolation, encryption, incident response, and certification roadmap.
1. Security Program
HookPilot operates a documented information security program aligned with NIST CSF 2.0, the CIS Controls, and the OWASP ASVS. The program is owned by HookPilot's executive leadership and operated day-to-day by the HookPilot Internal Security department (-HPS). The program is reviewed at least annually and after any material change to the platform.
2. Tenant Isolation
Each customer workspace is logically isolated. Customer Content, agent memory, audit logs, and operational data are scoped per tenant at the database, cache, and storage layers, and tenant identifiers are enforced server-side on every request. Cross-tenant access by HookPilot personnel requires a documented business justification, time-bound elevation, and is logged for audit.
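The server-side enforcement described above, shown as an added example that is not HookPilot's own code: the table, the `Session`/`Elevation` types and the `TenantScopedStore` class are illustrative assumptions, and the rows it inserts are constructed sample data. It contrasts a query keyed by document id alone (the classic IDOR leak) with one that always carries the session's tenant as a predicate, rejects a client-supplied workspace id that disagrees with the session, and routes operator cross-tenant reads through a justified, time-bound elevation that is written to an audit log.

```python
"""Server-side tenant scoping: an added example, not HookPilot's code.

Table, class and method names are illustrative assumptions; the inserted
rows are constructed sample data.
"""
import sqlite3
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """Authenticated caller. tenant_id comes from the verified session, never the request."""
    user_id: str
    tenant_id: str


@dataclass(frozen=True)
class Elevation:
    """Justified, time-bound cross-tenant grant for an operator (break-glass)."""
    operator: str
    target_tenant: str
    justification: str
    expires_at: float


class TenantScopedStore:
    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE documents (id INTEGER PRIMARY KEY, "
            "tenant_id TEXT NOT NULL, body TEXT NOT NULL)"
        )
        # Constructed sample data: sequential ids make cross-tenant guessing trivial.
        self.db.executemany(
            "INSERT INTO documents (id, tenant_id, body) VALUES (?, ?, ?)",
            [(1, "tenant-a", "A private"), (2, "tenant-b", "B private")],
        )
        self.audit_log: list = []

    # Vulnerable pattern (IDOR): keyed by document id alone, so any authenticated
    # user who guesses an id reads another tenant's row.
    def get_document_idor(self, doc_id: int) -> Optional[str]:
        row = self.db.execute(
            "SELECT body FROM documents WHERE id = ?", (doc_id,)
        ).fetchone()
        return row[0] if row else None

    # Hardened pattern: the session's tenant is a predicate on every query, and a
    # workspace id from the client is only compared against the session, never
    # used as the scope itself.
    def get_document(self, session: Session, doc_id: int,
                     workspace_id: Optional[str] = None) -> Optional[str]:
        if workspace_id is not None and workspace_id != session.tenant_id:
            raise PermissionError("workspace in request does not match session tenant")
        row = self.db.execute(
            "SELECT body FROM documents WHERE tenant_id = ? AND id = ?",
            (session.tenant_id, doc_id),
        ).fetchone()
        return row[0] if row else None

    # Operator read of another tenant's data: needs a non-empty justification and
    # an unexpired elevation; both granted and denied attempts are audit-logged.
    def get_document_elevated(self, elevation: Elevation, doc_id: int,
                              now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        denial = None
        if not elevation.justification.strip():
            denial = "business justification required"
        elif now >= elevation.expires_at:
            denial = "elevation expired"
        self.audit_log.append({
            "operator": elevation.operator,
            "tenant": elevation.target_tenant,
            "doc_id": doc_id,
            "justification": elevation.justification,
            "at": now,
            "granted": denial is None,
        })
        if denial:
            raise PermissionError(denial)
        row = self.db.execute(
            "SELECT body FROM documents WHERE tenant_id = ? AND id = ?",
            (elevation.target_tenant, doc_id),
        ).fetchone()
        return row[0] if row else None


if __name__ == "__main__":
    store = TenantScopedStore()
    alice = Session("alice", "tenant-a")
    print("IDOR read of tenant-b row:", store.get_document_idor(2))
    print("scoped read of tenant-b row:", store.get_document(alice, 2))
```

The check in `get_document` is the one that matters operationally: a workspace id in the URL or body is convenient for routing, but it must never become the `WHERE` clause. Database-level row security (for example, a per-connection tenant setting that the engine applies to every statement) is a useful second layer, but the application-side predicate is still the control that is unit-testable per endpoint.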
3. Encryption
Data in transit is protected with TLS 1.2 or higher using modern cipher suites. Data at rest in our managed databases, object storage, and backups is encrypted with provider-managed keys using AES-256 or stronger. Secrets are stored in a dedicated secrets manager with audit logging. Encryption-key rotation follows provider defaults or our internal schedule, whichever is shorter.
4. Access Controls
HookPilot enforces least-privilege access, role-based access control (RBAC), single sign-on (SSO) for our staff, multi-factor authentication on all consoles, separation of duties for production changes, and just-in-time elevation for break-glass access. Customer-facing SSO/SAML and SCIM provisioning are available on Enterprise plans.
5. Internal Security Operations Center (-HPS)
The HookPilot Internal Security department is an internal-only SOC staffed by named agents — Vault, Guard, Sweep, Trace, Codex, and Shield — that orchestrate vulnerability triage, anomaly investigation, breach disclosure (SEC 4-business-day / GDPR 72-hour / HIPAA 60-day / NYDFS 72-hour / state AG rules), and audit response. -HPS is not sold to customers. Customer-facing security services are delivered by our customer-facing Cyber Security department.
6. Vulnerability Management
Dependency scanning
Automated scans on every build with severity-based SLAs.
Static analysis
SAST in CI, fail-the-build on critical findings.
Container hardening
Minimal images, non-root, signed and pinned.
Pen testing
Annual third-party penetration test; report summary on request under NDA.
Patch SLAs
Critical: 7 days. High: 30 days. Medium: 90 days. Low: best effort.
Bug bounty
Coordinated disclosure via security@hookpilot.co.
7. Logging and Monitoring
HookPilot collects application logs, authentication events, admin actions, security events, and infrastructure metrics. Logs are centralized, time-synced, integrity-protected, and retained for up to two (2) years. Alerts feed the -HPS runbook and on-call rotation. Customer-visible audit logs are exposed inside the workspace and via API.
8. Backups and Disaster Recovery
HookPilot maintains encrypted backups with a documented RPO and RTO that are reviewed at least annually. Disaster-recovery exercises are scheduled and the results are reviewed by leadership. Backups age out automatically per the schedule in the Data Deletion Policy.
9. Incident Response
HookPilot follows a documented incident response process: detection → triage → containment → eradication → recovery → post-incident review. For confirmed personal-data breaches, we notify affected customers and regulators within the timelines required by applicable law (e.g., 72 hours for GDPR / UK GDPR, 60 days for HIPAA, the thresholds and deadlines set by applicable US state breach-notification laws, and 4 business days from the materiality determination for material SEC cybersecurity incidents when applicable). Post-incident reviews produce remediation tickets that are tracked to closure.
10. Vendor and Sub-Processor Risk
Sub-processors are vetted before onboarding (security questionnaires, SOC 2 / ISO 27001 reports where available, DPAs) and re-reviewed annually. The current list of sub-processors is published in our Privacy Policy §8.
11. Personnel
HookPilot staff and contractors complete background checks where permitted, sign our NDA and (for engineers) Contractor Agreement with IP assignment, and complete security awareness training at hire and annually thereafter. Access to production is granted on a need-to-know basis and revoked promptly upon role change or departure.
12. Certifications and Audits
HookPilot's published roadmap targets SOC 2 Type II first, followed by ISO 27001 and vertical-specific attestations (HIPAA readiness for healthcare customers, PCI DSS scope minimization for the billing surface). Customers can request the latest attestation status and external audit summaries under NDA at security@hookpilot.co. We do not claim certifications we have not yet completed.
13. Responsible Disclosure
If you believe you have found a security vulnerability in HookPilot, please email security@hookpilot.co. We commit to acknowledging within 72 hours and working with you in good faith. Do not access data you are not authorized to access, do not run DoS attacks, and do not publicly disclose before we have had reasonable time to remediate.
14. Contact
Security operations: security@hookpilot.co
Customer trust questions: support@hookpilot.co