Employee & Contractor Device Policy
Device hardening, MDM, BYOD limits and off-boarding for everyone with HookPilot access.
1. Scope
This policy applies to every HookPilot Caption Studio LLC employee and contractor who accesses production systems, Customer Content, source code repositories, the secrets manager, or any other system handling Customer Content.
2. Approved Devices
- Company-owned macOS laptops, latest two major OS versions.
- Company-owned Windows 11 Pro laptops, current servicing channel.
- Company-owned Linux desktops (Ubuntu LTS, Fedora) issued to engineering.
3. Hardening Baseline
- Full-disk encryption (FileVault, BitLocker, LUKS) enabled.
- Auto-lock under 5 minutes.
- OS firewall on; remote login off unless required.
- Endpoint protection (EDR) installed and updated.
- Browser updates auto-applied.
- Local admin rights used only for installs; daily work runs under a non-admin account where possible.
- Hardware security key (WebAuthn / FIDO2) provisioned for SSO.
4. MDM
Every approved device is enrolled in HookPilot's mobile device management before first production access. MDM enforces the baseline above, provides remote inventory, and supports remote lock / wipe.
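One way to turn the Section 3 baseline into an MDM compliance check, as an added example that is not HookPilot's code: the inventory record layout and field names, the three-day freshness window for EDR signatures, and the set of macOS majors counted as "latest two" are all assumptions.

```python
"""Check MDM inventory records against the Section 3 hardening baseline. Added
example, not HookPilot's code; record fields and value formats are assumed."""
from datetime import date, timedelta

SUPPORTED_MACOS_MAJORS = {14, 15}           # assumption: the "latest two" today
AUTOLOCK_MAX_SECONDS = 5 * 60              # Section 3: auto-lock under 5 minutes
EDR_MAX_SIGNATURE_AGE = timedelta(days=3)  # assumption: what "updated" means here
AS_OF = date(2024, 6, 2)                   # constructed evaluation date for the sample

def evaluate(record, today):
    """Return the baseline controls this device fails (empty list = compliant)."""
    failures = []
    if record["os"] == "macOS" and record["os_major"] not in SUPPORTED_MACOS_MAJORS:
        failures.append("os outside latest two majors")
    if not record["fde"]:
        failures.append("full-disk encryption off")
    if not 0 < record["autolock_seconds"] <= AUTOLOCK_MAX_SECONDS:  # 0 = never locks
        failures.append("auto-lock disabled or over 5 minutes")
    if not record["firewall"]:
        failures.append("os firewall off")
    if record["remote_login"] and not record.get("remote_login_exception"):
        failures.append("remote login on without exception")
    if not record["edr_installed"]:
        failures.append("edr missing")
    elif today - record["edr_signature_date"] > EDR_MAX_SIGNATURE_AGE:
        failures.append("edr signatures stale")
    if not record["browser_auto_update"]:
        failures.append("browser auto-update off")
    if record["daily_user_is_admin"]:
        failures.append("daily account is local admin")
    if not record["fido2_key_enrolled"]:
        failures.append("no hardware key for SSO")
    return failures

SAMPLE_RECORDS = [  # constructed inventory: one compliant laptop, one that drifted
    dict(serial="C02-OK", os="macOS", os_major=15, fde=True, autolock_seconds=120,
         firewall=True, remote_login=False, edr_installed=True,
         edr_signature_date=date(2024, 6, 1), browser_auto_update=True,
         daily_user_is_admin=False, fido2_key_enrolled=True),
    dict(serial="C02-DRIFT", os="macOS", os_major=12, fde=True, autolock_seconds=0,
         firewall=True, remote_login=True, edr_installed=True,
         edr_signature_date=date(2024, 5, 1), browser_auto_update=True,
         daily_user_is_admin=True, fido2_key_enrolled=False),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["serial"], evaluate(r, AS_OF) or "compliant")
```

The returned failure list is what an MDM remediation job or a pre-production access gate would key on; a non-empty list means the device should not yet receive production access.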
5. BYOD Limits
Personal laptops cannot access production data, Customer Content, source code repositories, or the secrets manager. Personal devices may access only the public marketing site (hookpilot.co) and SSO-protected company SaaS tools that do not carry production data (calendar, docs without Customer Content). Contractors who do not receive a company device must use a dedicated MDM-enrolled device per Section 4.
6. Mobile Phones
Phones used for SSO push notifications, MFA, or HookPilot email must have: a screen lock (passcode or biometric); current OS within the vendor-supported window; and remote wipe enabled via the platform's native service or a sanctioned EMM profile.
7. Storage of Customer Content
Customer Content stays inside HookPilot-managed systems. Do not download Customer Content to local disk, personal cloud storage, removable drives, or note-taking apps. Where downloads are required (e.g., investigations), use approved encrypted enclaves and delete after use.
8. Lost or Stolen Device
Report immediately to security@hookpilot.co. HPS will: revoke sessions, rotate secrets the device could have touched, push a remote wipe, freeze the SSO account pending verification, and open a SEV-2 ticket with mandatory PIR. There is no penalty for reporting a lost device promptly; there is a penalty for not reporting.
9. Acceptable Use of Devices
Company devices are for work. Light personal use is allowed but devices remain HookPilot property and subject to MDM. Do not install pirated software, do not jailbreak / root, do not disable EDR, do not connect to untrusted networks without the VPN where required.
10. Off-Boarding
On departure or end of engagement: device returned to HookPilot or remote-wiped by MDM; access revoked per the Security Access Policy §10; hardware key disabled; final inventory check by IT.