Security Practices Overview
A reference document for prospective and current customers covering our infrastructure, encryption, access controls, compliance posture, and vendor footprint.
Executive summary
Hail Sentinel is a real-time hail alerting and weather intelligence platform serving consumers and businesses across the contiguous United States. Our platform processes weather radar data and forecast models to deliver timely hail alerts via mobile push notifications, SMS, email, webhooks, and API. This document outlines our security practices, infrastructure architecture, and compliance framework.
Company information
| Legal entity | Icarus Inc. |
| Address | 170 S Lincoln St, STE 150, Spokane, WA, United States |
| Primary contact | security@hailsentinel.com |
| Privacy contact | privacy@hailsentinel.com |
| Products | Mobile App (iOS/Android), Business Console (Web), REST API |
Infrastructure architecture
All Hail Sentinel services run on Google Cloud Platform (GCP) in the United States.
Compute & hosting
- Cloud Run for API services and data pipeline jobs
- Firebase Cloud Functions for application logic
- Firebase Hosting for web properties
- Cloud Scheduler for cron-based triggers
Data storage
- Firestore (NoSQL) — User accounts, locations, alert configurations
- BigQuery — Hail event analytics, historical data, pipeline health
- Cloud Storage — Map tiles, static assets, pipeline checkpoints
Messaging & events
- Pub/Sub for event-driven pipeline orchestration
- Cloud Tasks for asynchronous processing
- Firebase Cloud Messaging (FCM) for push notifications
Infrastructure as code
- All resources defined in Terraform
- Automated security scanning via TFSec
- Pinned provider versions and lock files
Data protection
Encryption
| Layer | Standard | Implementation |
|---|---|---|
| Data at rest | AES-256 | Google-managed encryption keys for Firestore, BigQuery, Cloud Storage |
| Data in transit | TLS 1.2+ | HTTPS enforced on all endpoints. TLS 1.3 is negotiated where the client supports it; TLS 1.2 is the minimum accepted. |
| API keys | SHA-256 | Keys are hashed before storage and only the hash is retained. The raw key is shown once at creation and cannot be recovered afterwards. |
| Webhooks | HMAC-SHA256 | Payloads signed with timestamp. Replay protection included. |
Access control
- Role-Based Access Control (RBAC) in Firestore Security Rules
- Scope-based API key permissions (`hail:read`, `alerts:manage`, `webhooks:manage`, etc.)
- Separate service accounts per pipeline with least-privilege IAM
- Firebase App Check with Apple AppAttest and Google Play Integrity
Network security
- Content Security Policy (CSP) headers on all web properties
- Strict-Transport-Security (HSTS) with preload
- X-Content-Type-Options, X-Frame-Options: DENY
- Permissions-Policy restricting browser APIs
- CORS restricted to specific origins
- SSRF protection on outbound webhook requests (private IP blocking)
- Rate limiting: 60 requests/minute per API key
Application security
Secure development
- Terraform security scanning (TFSec) in CI/CD pipeline
- Dependabot for automated dependency vulnerability alerts
- Package lock files with `npm ci` for reproducible builds
- Pinned Docker base images (no `:latest` in production)
- Code signing for iOS and Android app binaries
Authentication
- Firebase Authentication with OAuth providers (Google, Apple)
- App Check device attestation on mobile
- SHA-256 hashed API keys for B2B access
- Separate test/live API key environments
Input validation
- Parameterized BigQuery queries (user-supplied values are bound as parameters, never concatenated into SQL, which prevents SQL injection)
- Coordinate validation on all location endpoints
- Webhook URL validation (HTTPS required, SSRF blocked)
Data privacy
Compliance frameworks
| Framework | Status | Details |
|---|---|---|
| CCPA / CPRA | Compliant | Right to know, delete, correct, opt-out. 12-month lookback for right-to-know requests. Global Privacy Control (GPC) signals honored. |
| VCDPA, CPA, CTDPA, UCPA, TDPSA | Compliant | Virginia, Colorado, Connecticut, Utah, and Texas state privacy laws. Right to access, delete, correct, appeal. |
| COPPA | Compliant | Service not directed to children under 13. No knowing collection. |
| CAN-SPAM | Compliant | Unsubscribe in all marketing emails. Physical address included. |
| OWASP Top 10 | Adherent | CSP, SSRF protection, secure auth, input validation. |
Privacy by design
- Location data is coarsened via geohashing before it is stored or used in queries
- User identification by Firebase UID (pseudonymized)
- Minimal data collection — only fields necessary for service delivery
- No advertising tracking. No data selling.
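The privacy-by-design list says location data is coarsened by geohashing before storage. The following added example (not Hail Sentinel's code) implements the standard public geohash encoding (base32 alphabet, longitude bit first) and the matching decode to a bounding box, so a reviewer can see exactly what survives once a coordinate has been reduced to a cell. The precision of 5 characters (cells of roughly 4.9 km by 4.9 km) is an assumed default; the document does not state the precision the platform uses.

```javascript
// Added example, not Hail Sentinel's code. Standard geohash algorithm; the
// default precision of 5 is an assumption.
const BASE32 = '0123456789bcdefghjkmnpqrstuvwxyz';

// Encode (lat, lon) to a geohash of `precision` characters. Bits alternate
// longitude, latitude, longitude, ... and every 5 bits become one character.
function geohashEncode(lat, lon, precision) {
  if (!(lat >= -90 && lat <= 90) || !(lon >= -180 && lon <= 180)) {
    throw new RangeError('coordinate out of range');
  }
  const latRange = [-90, 90];
  const lonRange = [-180, 180];
  let hash = '';
  let bits = 0;
  let bitCount = 0;
  let evenBit = true; // true: refine longitude; false: refine latitude
  while (hash.length < precision) {
    const range = evenBit ? lonRange : latRange;
    const value = evenBit ? lon : lat;
    const mid = (range[0] + range[1]) / 2;
    if (value >= mid) { bits = (bits << 1) | 1; range[0] = mid; }
    else { bits = bits << 1; range[1] = mid; }
    evenBit = !evenBit;
    if (++bitCount === 5) {
      hash += BASE32[bits];
      bits = 0;
      bitCount = 0;
    }
  }
  return hash;
}

// Decode a geohash to its cell bounds. This bounding box is everything that
// can be recovered from a stored hash; the original point is gone.
function geohashBounds(hash) {
  const latRange = [-90, 90];
  const lonRange = [-180, 180];
  let evenBit = true;
  for (const ch of hash) {
    const idx = BASE32.indexOf(ch);
    if (idx < 0) throw new Error(`invalid geohash character: ${ch}`);
    for (let n = 4; n >= 0; n--) {
      const range = evenBit ? lonRange : latRange;
      const mid = (range[0] + range[1]) / 2;
      if ((idx >> n) & 1) range[0] = mid; else range[1] = mid;
      evenBit = !evenBit;
    }
  }
  return { minLat: latRange[0], maxLat: latRange[1], minLon: lonRange[0], maxLon: lonRange[1] };
}

// What a pipeline would persist in place of the raw coordinate.
function coarsenLocation(lat, lon, precision = 5) {
  const cell = geohashEncode(lat, lon, precision);
  return { cell, bounds: geohashBounds(cell) };
}
```

Because a geohash is a prefix code, a 5-character cell is the parent of every 6- and 7-character cell inside it, which is what makes prefix queries over stored cells cheap; it is also why truncation is an effective coarsening step and not just an encoding change.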
Data residency
- All data stored and processed in United States
- Primary region: `us-central1` (Iowa)
- BigQuery: US multi-region
- Firestore: `nam5` (North America)
Data retention
| Data type | Retention period |
|---|---|
| Account data | Lifetime of the account, plus 3 years after deletion |
| API logs | 90 days |
| Security audit logs | 3 years |
| Analytics | 26 months |
| Transaction records | 7 years (legal requirement) |
| Real-time location data | Processed in-memory, not stored |
Data subject rights
- Account deletion available via app settings or email request
- Data export available on request
- 30-day export window after contract termination
Incident response
Breach notification
- Notification to affected customers within the timelines required by applicable U.S. state breach notification laws (typically 30–60 days, expedited where required)
- Notification includes: nature of breach, categories of data involved, likely consequences, remedial measures, and contact for follow-up
- Breach registry maintained internally with root-cause analysis and remediation tracking
Monitoring & alerting
- BigQuery and Cloud Storage audit logging (`DATA_READ`, `DATA_WRITE`)
- Structured JSON request logging with business context
- Dead letter queue monitoring with automated alerts
- Cloud Run job failure alerting
- Pipeline health monitoring with custom metrics
Business continuity
Fault tolerance
- Dead letter queues on all Pub/Sub pipelines (max 5 delivery attempts)
- Exponential backoff retry policies (10s minimum, up to 600s)
- Graceful degradation in mobile app (offline mode with cached data)
- Health check endpoints with deep readiness probes
Data durability
- Firestore: Multi-region replication (nam5)
- BigQuery: US multi-region with automatic replication
- Cloud Storage: Multi-region storage class
- Terraform state: Backed up to GCS
Vendor management
All subprocessors are US-based. See full list at hailsentinel.com/legal/subprocessors.
| Vendor | Purpose | Certifications |
|---|---|---|
| Google Cloud Platform | Infrastructure | SOC 2, ISO 27001, PCI DSS, CSA STAR |
| Firebase | Auth & Database | SOC 2, ISO 27001 |
| RevenueCat | Subscriptions | SOC 2 |
| Twilio | SMS Delivery | SOC 2, ISO 27001 |
| SendGrid | Email Delivery | SOC 2, ISO 27001 |
| Stripe | Payments (console) | PCI DSS, SOC 2, ISO 27001 |
| Google Analytics 4 | Analytics (opt-out) | SOC 2, ISO 27001 |
| Microsoft Clarity | Analytics (opt-out) | SOC 2, ISO 27001 |
Business customers receive at least 30 days advance notice for subprocessor changes.
Certifications & attestations
Via Google Cloud Platform:
Contact
| Security inquiries | security@hailsentinel.com |
| Privacy inquiries | privacy@hailsentinel.com |
| Legal | legal@hailsentinel.com |
| General support | support@hailsentinel.com |
| Vulnerability disclosure | /.well-known/security.txt |
For procurement and third-party risk teams: see our standing security questionnaire response for SIG-Lite-style answers, or request a full SIG-Lite or CAIQ via legal@hailsentinel.com.