Security & compliance
Transparency into how we protect your data, maintain compliance, and secure our infrastructure.
Built on Google Cloud.
Enterprise-grade infrastructure with certifications trusted by the world's most regulated industries. All data stored and processed in US regions.
Our SOC 2 Type II audit is on our roadmap for 2026–2027, once our customer mix justifies the audit cycle. Until then, our standing posture is documented in the Security Practices Overview and Questionnaire below, running on SOC 2-certified Google Cloud. The attestations listed below belong to Google Cloud Platform, not Hail Sentinel.
All Hail Sentinel infrastructure inherits the following attestations via Google Cloud Platform:
Primary region us-central1 · BigQuery US multi-region · Firestore nam5
Your data, protected at every layer.
Encryption, access control, and auditability baked into every request — from the mobile client to the BigQuery row.
Encrypted everywhere
AES-256 at rest, TLS 1.3 in transit. API keys cryptographically hashed. Webhook payloads signed with replay protection.
Access controlled
Role-based permissions. Scope-based API keys. Native device attestation on iOS and Android. Rate limiting on all endpoints.
Continuously audited
Comprehensive audit logs across all services. Structured request logging. Real-time monitoring with automated alerts.
SSRF protection
Private IP blocking on outbound requests. Validated webhook URLs. HTTPS enforced on every integration.
Privacy by design
Geohash discretization. Firebase UID pseudonymization. No ad tracking. No data selling.
Infrastructure as code
All resources defined in Terraform. Automated TFSec scanning on every deploy. Pinned versions, signed artifacts.
Frameworks we follow.
Meeting the standards your legal and security teams require.
How long we keep things.
Clear policies for how long we store each category of data and why.
Data deletion available on request under CCPA/CPRA and other U.S. state privacy laws. Contact privacy@hailsentinel.com.
Who else touches your data.
We carefully vet every third party that processes your data and give 30 days' advance notice before adding or replacing one.
Our infrastructure architecture, encryption standards, access controls, compliance framework, incident response, and vendor management. Share with your security team or attach to compliance questionnaires.
Our standing answers to common third-party security questionnaire items — company info, data security, vendor management, business continuity, and compliance posture. Full SIG-Lite or CAIQ on request via legal@hailsentinel.com.
Our team is ready to discuss your security requirements, provide documentation, or address compliance questionnaire items.