Security Practices Overview
Confidential — For prospective and current customers
Executive Summary
Hail Sentinel is a real-time hail alerting and weather intelligence platform serving consumers and businesses across the United States and southern Canada. Our platform processes weather radar data and forecast models to deliver timely hail alerts via mobile push notifications, SMS, email, webhooks, and API. This document outlines our security practices, infrastructure architecture, and compliance framework.
Company Information
| Legal Entity | Icarus Inc. |
| Address | 170 S Lincoln St, STE 150, Washington, United States |
| Primary Contact | security@hailsentinel.com |
| Privacy Contact | privacy@hailsentinel.com |
| Products | Mobile App (iOS/Android), Business Console (Web), REST API |
Infrastructure Architecture
All Hail Sentinel services run on Google Cloud Platform (GCP) in the United States.
Compute & Hosting
- Cloud Run for API services and data pipeline jobs
- Firebase Cloud Functions for application logic
- Firebase Hosting for web properties
- Cloud Scheduler for cron-based triggers
Data Storage
- Firestore (NoSQL) — User accounts, locations, alert configurations
- BigQuery — Hail event analytics, historical data, pipeline health
- Cloud Storage — Map tiles, static assets, pipeline checkpoints
Messaging & Events
- Pub/Sub for event-driven pipeline orchestration
- Cloud Tasks for asynchronous processing
- Firebase Cloud Messaging (FCM) for push notifications
Infrastructure as Code
- All resources defined in Terraform
- Automated security scanning via TFSec
- Pinned provider versions and lock files
Data Protection
Encryption
| Layer | Standard | Implementation |
|---|---|---|
| Data at rest | AES-256 | Google-managed encryption keys for Firestore, BigQuery, Cloud Storage |
| Data in transit | TLS 1.3 | HTTPS enforced on all endpoints. Minimum TLS 1.2. |
| API keys | SHA-256 | Keys hashed before storage. Raw key shown once at creation. |
| Webhooks | HMAC-SHA256 | Payloads signed with timestamp. Replay protection included. |
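The webhook row above describes HMAC-SHA256 signing with a timestamp and replay protection, but not the wire format. The following is an added example of both sides of that scheme (the sender computing the MAC, and a receiver verifying it); it is not Hail Sentinel's own code, and the header names, the `"<timestamp>.<body>"` canonical string and the 300-second tolerance are assumptions made for the example.

```python
import hashlib
import hmac
import time

# Assumed wire format: the page states HMAC-SHA256 over the payload with a
# timestamp and replay protection, not the header names or canonical string.
SIGNATURE_HEADER = "X-HailSentinel-Signature"
TIMESTAMP_HEADER = "X-HailSentinel-Timestamp"
MAX_SKEW_SECONDS = 300  # assumed tolerance for clock drift and delivery delay


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: MAC over "<timestamp>.<body>" so the timestamp is covered too."""
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Receiver side: checks the MAC and the timestamp window, and rejects replays."""

    def __init__(self, secret: bytes, max_skew: int = MAX_SKEW_SECONDS, clock=time.time):
        self.secret = secret
        self.max_skew = max_skew
        self.clock = clock                # injectable for deterministic tests
        self._seen: dict[str, int] = {}   # signature -> last instant it could still replay

    def verify(self, headers: dict, body: bytes) -> tuple[bool, str]:
        ts_raw = headers.get(TIMESTAMP_HEADER)
        signature = headers.get(SIGNATURE_HEADER)
        if ts_raw is None or signature is None:
            return False, "missing signature headers"
        try:
            timestamp = int(ts_raw)
        except ValueError:
            return False, "malformed timestamp"
        now = int(self.clock())
        # Window check first: stale deliveries are rejected before any MAC work.
        if abs(now - timestamp) > self.max_skew:
            return False, "timestamp outside tolerance window"
        expected = sign_payload(self.secret, timestamp, body)
        # Constant-time comparison avoids leaking the MAC byte by byte.
        if not hmac.compare_digest(expected, signature):
            return False, "signature mismatch"
        self._evict(now)
        # A valid signature already seen inside its window is a replayed delivery.
        if signature in self._seen:
            return False, "replayed delivery"
        # Past timestamp + max_skew the window check rejects it anyway,
        # so the replay record only needs to live that long.
        self._seen[signature] = timestamp + self.max_skew
        return True, "ok"

    def _evict(self, now: int) -> None:
        """Drop replay records once the window check alone would reject them."""
        self._seen = {sig: exp for sig, exp in self._seen.items() if exp >= now}
```

A receiver in production would typically key the replay cache on a delivery identifier if the sender supplies one and persist it across instances; keying on the signature, as here, is enough to show why a valid MAC alone does not prove freshness.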
Access Control
- Role-Based Access Control (RBAC) in Firestore Security Rules
- Scope-based API key permissions (`hail:read`, `alerts:manage`, `webhooks:manage`, etc.)
- Separate service accounts per pipeline with least-privilege IAM
- Firebase App Check with Apple AppAttest and Google Play Integrity
Network Security
- Content Security Policy (CSP) headers on all web properties
- Strict-Transport-Security (HSTS) with preload
- X-Content-Type-Options, X-Frame-Options: DENY
- Permissions-Policy restricting browser APIs
- CORS restricted to specific origins
- SSRF protection on outbound webhook requests (private IP blocking)
- Rate limiting: 60 requests/minute per API key
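Three of the controls listed on this page fit together in one key-handling path: API keys stored only as SHA-256 digests with the raw key shown once (Encryption table), scope-based permissions such as `hail:read` and `alerts:manage` (Access Control), and the 60 requests/minute limit per key (above). The following is an added example of that path, not Hail Sentinel's implementation; the `hs_<env>_` key layout, the in-memory store and the sliding-window limiter are assumptions for the example.

```python
import hashlib
import secrets
import time
from collections import deque

RATE_LIMIT = 60        # page: 60 requests/minute per API key
WINDOW_SECONDS = 60.0


class ApiKeyStore:
    """Keeps only SHA-256 digests of keys, with per-key scopes and a sliding-window limiter."""

    def __init__(self, clock=time.monotonic):
        self._records = {}   # digest -> {"owner", "scopes", "env"}
        self._windows = {}   # digest -> deque of request times inside the current window
        self.clock = clock   # injectable for deterministic tests

    @staticmethod
    def digest(raw_key: str) -> str:
        # Keys are high-entropy random tokens, so a plain SHA-256 (rather than a
        # slow password hash) is adequate: a leaked digest cannot be brute-forced.
        return hashlib.sha256(raw_key.encode("ascii")).hexdigest()

    def create(self, owner: str, scopes, env: str = "live") -> str:
        """Mint a key, store only its digest, and return the raw key exactly once."""
        raw_key = f"hs_{env}_{secrets.token_urlsafe(24)}"   # assumed key layout
        self._records[self.digest(raw_key)] = {
            "owner": owner, "scopes": frozenset(scopes), "env": env}
        return raw_key

    def stored_digests(self) -> set:
        return set(self._records)

    def authorize(self, raw_key: str, required_scope: str, env: str = "live") -> tuple:
        """Authenticate by digest, enforce the per-key limit, then check the scope."""
        key_hash = self.digest(raw_key)
        record = self._records.get(key_hash)
        if record is None:
            return False, "unknown key"
        if record["env"] != env:
            return False, "key belongs to a different environment"
        # Every authenticated request counts against the limit, whether or not
        # the scope check that follows succeeds.
        if not self._within_limit(key_hash):
            return False, "rate limit exceeded"
        if required_scope not in record["scopes"]:
            return False, "scope not granted"
        return True, "ok"

    def _within_limit(self, key_hash: str) -> bool:
        """Sliding window: at most RATE_LIMIT requests in any WINDOW_SECONDS span."""
        now = self.clock()
        window = self._windows.setdefault(key_hash, deque())
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()          # forget requests that have aged out
        if len(window) >= RATE_LIMIT:
            return False
        window.append(now)
        return True
```

The lookup is by digest, so the raw key never needs to exist server-side after creation; a database dump yields only hashes, which is the property the "raw key shown once" rule depends on.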
Application Security
Secure Development
- Terraform security scanning (TFSec) in CI/CD pipeline
- Dependabot for automated dependency vulnerability alerts
- Package lock files with `npm ci` for reproducible builds
- Pinned Docker base images (no `:latest` in production)
- Code signing for iOS and Android app binaries
Authentication
- Firebase Authentication with OAuth providers (Google, Apple)
- App Check device attestation on mobile
- SHA-256 hashed API keys for B2B access
- Separate test/live API key environments
Input Validation
- Parameterized BigQuery queries (no SQL injection)
- Coordinate validation on all location endpoints
- Webhook URL validation (HTTPS required, SSRF blocked)
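The webhook URL rule above (HTTPS required, SSRF blocked by private IP blocking) is shown below as an added validator; it is not Hail Sentinel's code. It resolves the hostname and rejects any answer that is not a public unicast address, and it takes an injectable resolver so the test runs offline against a constructed host table. The host names and addresses in the test are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolver(host: str) -> list:
    """Resolve via the OS and return every A/AAAA answer, not just the first."""
    infos = socket.getaddrinfo(host, None)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def resolver_from_table(table: dict):
    """Offline resolver built from a constructed {host: [ip, ...]} table (for tests)."""
    def resolve(host: str) -> list:
        if host not in table:
            raise socket.gaierror(f"constructed NXDOMAIN for {host}")
        return [ipaddress.ip_address(ip) for ip in table[host]]
    return resolve


def is_disallowed_address(addr) -> bool:
    """True for anything that is not a public unicast address."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped      # ::ffff:10.0.0.1 is really 10.0.0.1
    return (not addr.is_global or addr.is_multicast or addr.is_loopback
            or addr.is_link_local or addr.is_unspecified)


def validate_webhook_url(url: str, resolver=system_resolver) -> tuple:
    """Return (ok, reason) for a customer-supplied webhook URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        parts.port                    # raises ValueError on a malformed port
    except ValueError:
        return False, "invalid port"
    try:
        addrs = [ipaddress.ip_address(host)]   # literal IP: no DNS needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:               # socket.gaierror is a subclass
            return False, "hostname does not resolve"
    if not addrs:
        return False, "hostname does not resolve"
    # Every answer must be acceptable: a name with one public and one private
    # record would otherwise let the client pick the private one.
    for addr in addrs:
        if is_disallowed_address(addr):
            return False, f"resolves to disallowed address {addr}"
    return True, "ok"
```

One caveat the check at registration time cannot cover on its own: DNS answers can change between validation and delivery, so a sender should connect to the address it validated (or re-validate at connect time) rather than resolving the name again.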
Data Privacy
Compliance Frameworks
| Framework | Status | Details |
|---|---|---|
| GDPR | Compliant | Legal bases documented. DPA available. 72-hour breach notification. |
| CCPA/CPRA | Compliant | Right to know, delete, opt-out. 12-month disclosure. |
| CAN-SPAM | Compliant | Unsubscribe in all marketing emails. Physical address included. |
| ePrivacy | Compliant | Cookie consent banner. Analytics loaded only after opt-in. |
| OWASP Top 10 | Adherent | CSP, SSRF protection, secure auth, input validation. |
Privacy by Design
- Location data discretized via geohashing before it is stored or used in queries
- User identification by Firebase UID (pseudonymized)
- Minimal data collection — only fields necessary for service delivery
- No advertising tracking. No data selling.
Data Residency
- All data stored and processed in United States
- Primary region: `us-central1` (Iowa)
- BigQuery: US multi-region
- Firestore: `nam5` (North America)
Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Active + 3 years after deletion |
| API logs | 90 days |
| Security audit logs | 3 years |
| Analytics | 26 months |
| Transaction records | 7 years (legal requirement) |
| Real-time location data | Processed in-memory, not stored |
Data Subject Rights
- Account deletion available via app settings or email request
- Data export available on request
- 30-day export window after contract termination
Incident Response
Breach Notification
- 72-hour notification to affected customers (per GDPR Article 33)
- Notification includes: nature of breach, data involved, likely consequences, remedial measures
- Breach registry maintained per GDPR Article 33(5)
Monitoring & Alerting
- BigQuery and Cloud Storage audit logging (`DATA_READ`, `DATA_WRITE`)
- Structured JSON request logging with business context
- Dead letter queue monitoring with automated alerts
- Cloud Run job failure alerting
- Pipeline health monitoring with custom metrics
Business Continuity
Fault Tolerance
- Dead letter queues on all Pub/Sub pipelines (max 5 delivery attempts)
- Exponential backoff retry policies (10s minimum, up to 600s)
- Graceful degradation in mobile app (offline mode with cached data)
- Health check endpoints with deep readiness probes
Data Durability
- Firestore: Multi-region replication (nam5)
- BigQuery: US multi-region with automatic replication
- Cloud Storage: Multi-region storage class
- Terraform state: Backed up to GCS
Vendor Management
All subprocessors are US-based. See full list at hailsentinel.com/legal/subprocessors.
| Vendor | Purpose | Certifications |
|---|---|---|
| Google Cloud Platform | Infrastructure | SOC 2, ISO 27001, PCI DSS, CSA STAR |
| Firebase | Auth & Database | SOC 2, ISO 27001 |
| RevenueCat | Subscriptions | SOC 2 |
| Twilio | SMS Delivery | SOC 2, ISO 27001 |
| SendGrid | Email Delivery | SOC 2, ISO 27001 |
30-day advance notice for subprocessor changes per DPA.
Certifications & Attestations
Via Google Cloud Platform:
Contact
| Security inquiries | security@hailsentinel.com |
| Privacy inquiries | privacy@hailsentinel.com |
| Legal & DPA | legal@hailsentinel.com |
| General support | support@hailsentinel.com |
| Vulnerability disclosure | /.well-known/security.txt |