Compliance & Security
US Enterprise security and compliance practices designed to support procurement and audit review. North American frameworks first, then Latin American, then global — reflecting HailBytes’ US-headquartered customer base.
Defense-in-Depth Architecture
HailBytes SAT and HailBytes ASM address the human and perimeter layers of a layered security architecture.
Defense-in-Depth - Five security layers from human awareness to data protection
Compliance Framework Mapping
See how HailBytes SAT and HailBytes ASM map to major compliance frameworks and produce auditor-ready evidence.
Framework Mapping — what HailBytes products produce for your audits, across 14 frameworks in North American, Latin American, and global regions
ASM Compliance Reports
HailBytes ASM produces auditor-ready PDF reports mapped to eleven compliance frameworks. Organized below by region — North American first (the frameworks US Enterprise procurement most commonly requests), then Latin American, then global. Reports cover the controls that an attack surface management programme is expected to evidence, not full framework certification.
North American Frameworks
The eight frameworks US Enterprise procurement teams, federal contractors, healthcare covered entities, and financial institutions most frequently request.
SOC 2 Type II (CC7.x)
SOC 2 Common Criteria 7.1–7.5 (system monitoring, vulnerability identification, change tracking) backed by scan history and audit logs. The primary US Enterprise procurement attestation; SOC 2 Type 2 direct audit engagement with Jack Moore Group in late-stage contracting, target attestation 2026-H2 to 2027-Q1 (contingent on observation-window completion).
NIST CSF 2.0
NIST Cybersecurity Framework 2.0 control mapping across Identify, Protect, and Detect functions, with per-control evidence pulled from scan output. Authored by the US National Institute of Standards and Technology.
HIPAA Security Rule
HIPAA 164.308 administrative safeguards and 164.312 technical safeguards, suitable for inclusion as evidence in a HIPAA risk analysis. For US healthcare covered entities and business associates; BAA available on request.
GLBA Safeguards Rule
Gramm-Leach-Bliley Act Safeguards Rule mappings for US financial institutions: continuous asset visibility, access controls, encryption evidence, and vulnerability management records for Section 314.4 documentation. For banks, credit unions, insurance, and mortgage lenders.
PCI DSS 4.0
Continuous external scanning evidence aligned to PCI DSS 4.0 requirements 11.3 (external vulnerability scans) and 6.3 (vulnerability ranking). The PCI Security Standards Council is US-led, and the standard is widely adopted across North American card-processing entities.
FedRAMP Moderate
FedRAMP Moderate baseline mappings (RA-5, CM-7, SI-2, SI-4) suitable for inclusion as evidence in a US federal-cloud authorization package. Pairs with the AWS GovCloud (US) / Azure Government deployment story for US federal agencies and contractors.
NYDFS 23 NYCRR Part 500
New York State Department of Financial Services Cybersecurity Regulation, with mappings to 500.5 (vulnerability assessments) and 500.9 (risk assessment). For US-regulated financial entities meeting Section 500 requirements.
CIS Controls v8 IG1 & IG2
CIS Critical Security Controls v8 IG1 + IG2: asset inventory, secure configuration, and continuous vulnerability management controls at both implementation group depths. Maintained by the Center for Internet Security, a US-based nonprofit.
Latin American Frameworks
ASM ships a published LGPD report template; the broader LatAm control mappings (BACEN, LFPDPPP, Argentina) are published in the open-source HailBytes LatAm compliance reference.
LGPD (Lei Geral de Proteção de Dados)
Brazil’s General Data Protection Law Article 46 (security measures): continuous exposure monitoring, encryption evidence, and access-control audit logs suitable for ANPD audit packages. Supported regions: sa-east-1, brazilsouth.
BACEN Resolução 4.893
Brazilian Central Bank cybersecurity policy for regulated financial institutions: continuous attack-surface visibility, incident detection, and reporting evidence. Control mappings published in the LatAm compliance reference.
LFPDPPP (Mexico)
Mexico’s Ley Federal de Protección de Datos Personales en Posesión de los Particulares: technical and administrative security measures, breach notification framing, INAI audit-ready evidence. Mappings in the LatAm reference repo.
Ley 25.326 (Argentina)
Argentina’s personal data protection law (Ley de Protección de los Datos Personales): security measures, registration and transfer obligations, and AAIP audit-package evidence. Mappings in the LatAm reference repo.
Global & International Frameworks
Globally recognized standards for international procurement. ISO 27001 formal certification is evaluated after SOC 2 Type 2 attestation; David McHale is the designated GDPR DPO.
ISO/IEC 27001:2022
Annex A controls A.5.7 (threat intelligence), A.8.8 (technical vulnerabilities), A.8.9 (configuration management), and A.8.16 (monitoring activities), refreshed for the 2022 revision. International ISO standard.
GDPR Article 32 (EU)
EU General Data Protection Regulation Article 32 (security of processing): pseudonymisation evidence, ongoing confidentiality, integrity, and availability (CIA) testing, and a process for regularly testing the effectiveness of technical measures.
Adding a framework is one YAML block plus one report-template stub. Custom mappings available on request.
Security & Compliance Practices
Practices grouped by region: North American frameworks first (the US Enterprise procurement priority), then Latin American, then global.
North American Practices
SOC 2 Aligned Practices (US AICPA)
HailBytes’ cloud infrastructure and operational controls follow SOC 2 Type II framework principles for security, availability, and confidentiality. SOC 2 is the primary attestation US Enterprise procurement teams require.
Status: Type 2 direct engagement with Jack Moore Group, signature imminent; target attestation 2026-H2 to 2027-Q1
Practices: Security controls, monitoring, incident response
Scope: HailBytes ASM and HailBytes SAT
NIST Cybersecurity Framework
HailBytes security operations align with the US National Institute of Standards and Technology Cybersecurity Framework guidelines for identifying, protecting, detecting, responding to, and recovering from cybersecurity threats.
Status: Aligned
Framework: NIST CSF 2.0
Coverage: Govern, Identify, Protect, Detect, Respond, Recover
HIPAA Compliance (US Healthcare)
HailBytes products can be deployed in HIPAA-compliant configurations for US healthcare covered entities and business associates. Business Associate Agreements (BAA) available on request.
Status: Supported
Features: Encryption, audit logging, access controls
BAA: Available upon request to contracts@hailbytes.com
PCI-DSS Support
HailBytes ASM produces external-scan evidence for PCI DSS 4.0 Req. 11.3 and 6.3. HailBytes SAT supports organizations meeting PCI-DSS Requirement 12.6 for security awareness training and phishing simulation programs.
Status: Supported
Use Case: Card-processing entities (US-led PCI SSC)
Documentation: Auditor-ready PCI DSS 4.0 reports
GLBA – Gramm-Leach-Bliley Act (US Financial)
HailBytes ASM produces Safeguards Rule evidence for US financial institutions: continuous asset visibility, encryption-at-rest documentation, access control logs, and vulnerability management records required under Section 314.4.
Status: Supported
Use Case: US banks, credit unions, insurance, mortgage lenders
Documentation: Auditor-ready Safeguards Rule report
FedRAMP & US Federal Workloads
HailBytes ASM ships FedRAMP Moderate baseline mappings (RA-5, CM-7, SI-2, SI-4) and is deployable in AWS GovCloud (US) and Azure Government regions. Suitable for US federal agencies, integrators, and contractors operating under FedRAMP authorization.
Status: Supported (mappings + GovCloud deploy)
Use Case: US federal agencies, defense contractors, integrators
Documentation: FedRAMP Moderate mapping report
NYDFS 23 NYCRR Part 500
New York State Department of Financial Services Cybersecurity Regulation mappings, with coverage for 500.5 (vulnerability assessments) and 500.9 (risk assessment). For US-regulated financial entities in scope of Part 500.
Status: Supported
Use Case: NYS DFS-regulated financial entities
Documentation: Auditor-ready NYDFS 500 report
CIS Controls v8 IG1 & IG2
CIS Critical Security Controls v8 IG1 + IG2 mappings: asset inventory, secure configuration, and continuous vulnerability management. Maintained by the Center for Internet Security, a US-based nonprofit.
Status: Supported
Use Case: Mid-market and enterprise security baselines
Documentation: CIS v8 IG1/IG2 report templates
Latin American Practices
LGPD – Lei Geral de Proteção de Dados (Brazil)
Brazil’s LGPD Article 46 requires “technical and administrative measures capable of protecting personal data from unauthorized access.” HailBytes provides continuous exposure monitoring, encryption evidence, and access-control audit logs for ANPD audit packages. Brazilian deployment regions (sa-east-1, brazilsouth) are supported. For Brazilian procurement, AWS Brasil or Microsoft do Brasil acts as reseller of record on the marketplace transaction and invoices in BRL with the Nota Fiscal Eletrônica (see how to buy HailBytes for the full procurement flow).
Status: Supported, encarregado designated
Use Case: Organizations processing Brazilian residents’ data
Documentation: LGPD Article 46 evidence package · posture & procurement detail
LatAm Compliance Mappings
Full control mappings are published in the open-source HailBytes LatAm compliance reference for LGPD, BACEN Resolução 4.893 (Brazil financial), LFPDPPP (Mexico), and Ley 25.326 (Argentina). Brazilian deployment regions: sa-east-1, brazilsouth.
Status: Published
Coverage: Brazil (LGPD, BACEN), Mexico (LFPDPPP), Argentina (Ley 25.326)
Source: github.com/HailBytes/latam-compliance-mappings
Global & International Practices
ISO 27001 Aligned Practices
Information security management practices following the international ISO/IEC 27001:2022 framework for systematic management of sensitive information. ASM ships Annex A mapping reports for procurement teams that require ISO 27001 evidence today; formal certification is evaluated post-SOC 2 Type 2 attestation.
Status: Framework Aligned
Practices: ISMS policies, risk management, Annex A controls
Note: Formal certification deferred to 2027-Q2 (post-SOC 2 Type 2)
GDPR Compliance (EU/EEA)
HailBytes products support GDPR requirements through data minimization, encryption, access controls, and data subject rights. BYOC deployment ensures customer-tenant data stays in your EU/EEA jurisdiction. GDPR Article 32 mapping report ships with ASM.
Status: Supported, DPO designated
Features: Data sovereignty, right to deletion, encryption
Documentation: GDPR DPA · GDPR posture
Cross-cutting Security Practices
Security Hardening Controls
All HailBytes products are deployed with security hardening controls aligned to CIS Benchmarks and NIST hardening guidance, following industry-standard secure configuration practices for cloud infrastructure.
Status: Implemented
Alignment: CIS Benchmarks, NIST hardening guidance
Scope: All cloud deployments
Security Best Practices
HailBytes follows SOC 2 Type II practices first (the US Enterprise standard), with ISO 27001 alignment for international parity. This covers systematic risk management, security monitoring, and documented incident response procedures.
Frameworks: SOC 2 (US AICPA), ISO 27001 (international)
Status: Practices implemented
Note: SOC 2 Type 2 direct audit engagement with Jack Moore Group, signature imminent; target attestation 2026-H2 to 2027-Q1
Security Practices
Data Encryption
- TLS 1.2+ for data in transit
- AES-256 disk encryption at rest (Azure Storage / AWS EBS defaults)
- AES-256-GCM application-layer encryption for sensitive credentials (SMTP secrets, API tokens)
- Key management via Azure Key Vault / AWS KMS
Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication (MFA)
- Principle of least privilege
- Regular access reviews and audits
Infrastructure Security
- Private network segmentation
- Web Application Firewall (WAF)
- DDoS protection via cloud providers
- Regular vulnerability scanning
Monitoring & Logging
- 24/7 security monitoring
- Comprehensive audit logging
- Real-time alerting for anomalies
- SIEM integration support
Incident Response
- Documented IR procedures
- 24/7 security operations center
- Regular tabletop exercises
- Customer notification protocols
Vendor Management
- Third-party security assessments
- Regular vendor reviews
- AWS & Azure compliance inheritance
- Subprocessor transparency
Data Privacy & Control
Data Sovereignty
With BYOC deployment on your AWS or Azure infrastructure, your data never leaves your control. Choose your deployment region to meet data residency requirements under US privacy regulations (CCPA and other state-level laws), Latin American frameworks (LGPD), and global frameworks (GDPR).
Data Retention & Deletion
Configurable data retention policies allow you to automatically purge old campaign data, scan results, and logs according to your compliance requirements. Support for data subject access requests and right to deletion under CCPA (US), LGPD (Brazil), and GDPR (EU).
Privacy by Design
Our products implement privacy-first architecture with data minimization, purpose limitation, and built-in consent management. All data processing occurs on your infrastructure, ensuring maximum privacy and control.
Security Documentation
Security Whitepaper
Comprehensive overview of our security architecture, practices, and controls for HailBytes SAT and HailBytes ASM.
Download Whitepaper →
Security Assessments
Security assessment reports and compliance documentation available to enterprise customers.
Request Access →
Penetration Testing
Annual third-party penetration testing reports available to enterprise customers.
Contact Sales →
Questions About Compliance?
Our security team is here to help with compliance questionnaires, audits, and technical security documentation.
Contact Security Team →