Hail Sentinel Security Questionnaire Response
Trust · Standing response V1.0 · APR 2026 · CONFIDENTIAL

Security Questionnaire Response

A SIG-Lite-style standing response covering common third-party risk-management items. Hand to your security team, attach to procurement, or print as a PDF. Full SIG-Lite or CAIQ available on request to legal@hailsentinel.com.

01

Company information

Legal entity
Icarus Inc.
Registered address
170 S Lincoln St, STE 150, Spokane, WA, United States
Year founded
Icarus Inc. incorporated 2014; Hail Sentinel in active development since 2023.
Number of employees
Fewer than 10 (early-stage). Single founder + contract engineering.
Primary business contact
business@hailsentinel.com
Privacy contact
privacy@hailsentinel.com
Security contact
security@hailsentinel.com
Legal contact
legal@hailsentinel.com
Public security disclosure
Documented in /.well-known/security.txt with reporting address and PGP key fingerprint.
02

Data security

Encryption at rest
AES-256 across all data stores (Firestore, BigQuery, Cloud Storage). Keys managed by Google Cloud KMS with automatic rotation.
Encryption in transit
TLS 1.3 for all client-server and inter-service traffic. HSTS enforced on every web property; HTTPS-only cookies; secure flag on all session tokens.
Authentication
Firebase Authentication with email + password, Apple, and Google sign-in. Optional MFA for end-user accounts. SAML 2.0 SSO and SCIM provisioning are on the Enterprise roadmap.
API authentication
API keys cryptographically hashed (SHA-256) at rest. Scope-based authorization (e.g. hail:read, alerts:manage). 60 req/min default rate limit; uplift available per contract.
Webhook security
Outbound webhook URLs validated and resolved against a private-IP blocklist (SSRF protection). All payloads signed with an HMAC-SHA256 secret per integration. Replay protection via timestamp + nonce.
Logging
Structured JSON logs to Google Cloud Logging. 90-day retention on application logs; 3-year retention on security-relevant audit logs. Logs scrubbed of PII at the source.
PII handling
Real-time location coordinates are processed in-memory and not persisted as raw lat/lon. Saved locations are discretized to a geohash. User identifiers are Firebase UIDs, not email or phone.
Data residency
All data stored and processed in U.S. regions: BigQuery US multi-region; Firestore nam5; Cloud Run + Functions in us-central1.
Data deletion
Account deletion available in-app and via written request to privacy@hailsentinel.com. CCPA/CPRA + state-law-compliant. Backups expire on a 30-day rolling window.
Backups
Automated Firestore backups; restore procedures documented.
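
For the "Webhook security" item above, a receiver-side check of an HMAC-SHA256 signed delivery with timestamp + nonce replay protection. This is an added example, not Hail Sentinel's code: the signed-string layout (`timestamp.nonce.body`), the hex encoding, the 300-second window and all names and sample values are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # seconds; assumed freshness window, not stated on the page


def sign(secret, timestamp, nonce, body):
    """Sender side: HMAC-SHA256 over "timestamp.nonce.body" (assumed layout)."""
    msg = timestamp.encode() + b"." + nonce.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Receiver side: rejects forged, stale and replayed deliveries."""

    def __init__(self, secret, max_skew=MAX_SKEW):
        self.secret = secret
        self.max_skew = max_skew
        self._seen = {}  # nonce -> signed timestamp; use a shared store across workers

    def verify(self, timestamp, nonce, body, signature, now=None):
        now = time.time() if now is None else now
        # Authenticate first, in constant time, over the raw bytes as received.
        expected = sign(self.secret, timestamp, nonce, body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "bad-signature"
        try:
            ts = int(timestamp)
        except ValueError:
            return "bad-timestamp"
        if abs(now - ts) > self.max_skew:
            return "stale"
        # Drop nonces whose message could no longer pass the freshness check.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self.max_skew}
        if nonce in self._seen:
            return "replay"
        self._seen[nonce] = ts
        return "ok"


def demo():
    """Constructed sample delivery: accepted once, rejected when replayed."""
    secret = b"constructed-example-secret"
    body = b'{"event":"constructed.sample","id":"evt_1"}'
    ts, nonce = "1700000000", "c0ffee01"
    sig = sign(secret, ts, nonce, body)
    v = WebhookVerifier(secret)
    return [v.verify(ts, nonce, body, sig, now=1700000010),
            v.verify(ts, nonce, body, sig, now=1700000020)]
```

The signature is checked before the nonce cache is touched, so unauthenticated requests cannot fill or poison it.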
03

Application security

SDLC
Branching strategy with mandatory PR review on main. CI runs lint + type checks + unit tests + dependency audit before merge. CodeQL static analysis on every push.
Dependency management
Automated npm audit + pip-audit on every CI run; weekly Renovate-style dependency PRs. Pinned versions in lockfiles.
Secrets management
No secrets in source. Runtime secrets in Google Secret Manager + GitHub Actions encrypted secrets. Pre-commit hooks block accidental .env/credential commits.
Vulnerability disclosure
Email security@hailsentinel.com with PGP encryption supported. Acknowledgement within 1 business day; coordinated disclosure timeline standard 90 days.
OWASP Top 10
Mitigated by design: parameterized queries (BigQuery), CSP + HSTS headers, scope-based RBAC, signed webhooks, SSRF protection on outbound HTTP, rate limiting, audit logging.
Penetration testing
Roadmap item for 2026 once we have additional regulated-industry customers. Currently rely on Google Cloud Security Scanner + CodeQL + automated dependency scanning.
Mobile app security
Native device attestation via Firebase App Check (iOS DeviceCheck / Android Play Integrity). TLS 1.2+ enforced on all API traffic. No sensitive data persisted to local storage outside the OS keychain.
04

Vendor & subprocessor management

Subprocessor list
Published at /legal/subprocessors. Includes Google Cloud Platform, Firebase, RevenueCat, Twilio, and SendGrid as of 2026.
Vendor onboarding
Each subprocessor reviewed for SOC 2 / ISO 27001 attestation, U.S. data residency, and DPA execution before onboarding. Quarterly review of active vendors.
Customer notification
We give 30 days' advance notice before adding or replacing a subprocessor. Notification is via in-product banner + email to the registered admin contact.
Cross-border transfer
No EU/UK personal data is processed today. Should that change we will execute Standard Contractual Clauses (SCCs) with each subprocessor and update this document.
05

Business continuity & incident response

Uptime target
99.5% on standard plans; custom SLA available on Enterprise. Live status: /status.
RTO / RPO
Disaster-recovery procedures are documented; formal RTO/RPO targets are on our roadmap.
Disaster recovery
Multi-zone deployment across us-central1. Multi-region BigQuery dataset. Cold-start recovery runbook documented.
Incident response
Founder-led monitoring with automated alerting; a formal on-call rotation is on our roadmap as the team grows. Customer notification target: 4 hours for confirmed material impact.
Breach notification
Documented breach-notification process targeting customer notification within 72 hours of confirmation, consistent with CCPA/CPRA + state-law requirements.
Status page
Live at /status covering ingest, alerting, API, mobile auth, and the operator console. Updated automatically from health-check probes plus manual incident overrides.
06

Compliance posture

Underlying-infrastructure attestations
Inherited from Google Cloud Platform: SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, PCI DSS, CSA STAR. Reports available via the GCP Compliance Resource Center on request.
Privacy law compliance
CCPA / CPRA (California). State privacy laws active in CO, CT, TX, UT, VA. COPPA-compliant (no users under 13). CAN-SPAM-compliant on all email.
GDPR / UK GDPR
No EU/UK personal data is processed at this time. We will execute SCCs and stand up an EU representative before processing any EU personal data.
Hail Sentinel SOC 2
Type 2 audit roadmap item for 2026/2027 once customer mix justifies the audit-cycle cost. Until then we rely on inherited GCP controls + this document + the Security Practices Overview as our standing posture statement.
HIPAA
Not applicable — Hail Sentinel does not process PHI and does not enter into BAAs.
Industry-specific frameworks
On request we will complete a SIG-Lite or CAIQ — typical turnaround 5 business days. Email legal@hailsentinel.com.