HailBytes Trust Center
Procurement-grade trust artifacts for HailBytes ASM and HailBytes SAT. Built on the structural fact that both products run inside your own cloud account, not ours.
For procurement reviewers: HailBytes is a small, bootstrapped vendor delivering BYOC-architected security products. The full trust package below is built to answer enterprise procurement diligence honestly — including where compliance milestones are in flight rather than complete. SOC 2 Type 1 is in flight with self-prepared documentation; first third-party penetration test is scheduled with Astra Pentest; LGPD encarregado and GDPR DPO are designated (David McHale). The detailed roadmap is below.
What HailBytes has today
The structural security posture and completed trust artifacts available to any procurement reviewer now.
BYOC data residency
Both products run end-to-end inside the customer's own AWS or Azure account. HailBytes holds no customer-scanned data, employee lists, or campaign results — no shared data plane exists to breach. Verifiable by egress-filtering a fresh deployment.
✓ Complete · architecture detail →
Per-release supply-chain evidence
Every tagged release ships SBOM (SPDX + CycloneDX), Trivy and govulncheck SARIF scans, Cosign-signed container images (ASM), and a Trust Pack archive with a verifiable MANIFEST.json. Available on GitHub Releases.
✓ Complete per release · evidence detail →
LGPD & GDPR posture
Controller/processor analysis, data-residency mechanics, cross-border transfer framing, and DPO/encarregado designation (David McHale) are documented and published. DPA available for counter-signature.
✓ Documented · posture detail →
CAIQ-Lite (pre-filled)
Cloud Security Alliance CAIQ-Lite answered across all 37 questions. 29 of 37 answered "Yes" with evidence; the remaining 8 are clearly scoped to the BYOC model or noted as in-flight. Ready for vendor-security-questionnaire workflows.
✓ Complete · CAIQ-Lite →
BCP/DR plan & tabletop
Documented threat scenarios including HailBytes-vanishing continuity (customers keep running; images stay pullable; source is MIT-licensed). Runnable annual tabletop exercise script published alongside the plan.
✓ Documented · BCP/DR plan →
Subprocessor list
Full enumeration of HailBytes' own subprocessors (§A) and customer-elected integrations (§B), split by product. Reviewed quarterly; 30-day advance notice of any §A change. Subscribe to change notifications at subprocessors@hailbytes.com.
✓ Published · subprocessor list →
What’s in flight
Honest status on compliance milestones, with named vendors and dated targets throughout. The full roadmap is at compliance-roadmap →
SOC 2 Type 1
Security Trust Services Criterion, scope covers HailBytes ASM and HailBytes SAT. Documentation prepared in-house; auditor selection in progress; kickoff targeted 2026-Q4.
Status: Readiness underway · Target attestation: 2027-02-14
SOC 2 Type 2
Observation window begins on Type 1 issuance. Same auditor as Type 1.
Status: Planned · Target report: 2027-Q4
Penetration testing
Astra Pentest (CREST-certified, hybrid automated + manual VAPT) selected for HailBytes ASM and HailBytes SAT as separate targets. Booking targeted 2026-Q4. Annual cadence thereafter.
Vendor: Astra Pentest · First report: 2027-Q1
Insurance
General Liability, Tech E&O, and Cyber Liability at $1M each through Vouch, sized to actual BYOC exposure. Per-customer endorsement available for higher procurement floors.
Status: Active broker bind cycle · COI on request: contracts@hailbytes.com
LGPD/GDPR privacy page
DPO/encarregado designation (David McHale) is published here. Public-page publication on hailbytes.com/privacy with the contact details required by LGPD Art. 41 §1 and GDPR Art. 37(7) is in progress.
Status: In progress · Target: 2026-Q3
ISO 27001 evaluation
Formal evaluation of ISO 27001 certification versus SOC 2 continuation scheduled after SOC 2 Type 1 attestation. Decision and timeline to be updated in the compliance roadmap at that point.
Status: Deferred to post-SOC2-T1 · Decision: 2027-Q2
Why BYOC changes the security posture
HailBytes ASM and HailBytes SAT are delivered as customer-deployed VM images on AWS Marketplace and Azure Marketplace. The full product stack — web app, scanner workers, datastore, audit log — runs end-to-end inside your own cloud account. Customer-scanned data, employee target lists, phishing-simulation results, and audit logs never leave your tenant.
Structurally:
- HailBytes is neither controller nor processor of customer-scanned and campaign data under LGPD and GDPR — we never receive it.
- A HailBytes incident does not produce a multi-tenant data-loss event because there is no multi-tenant data plane.
- Data residency is whichever cloud region you deploy in. Brazilian deployment? sa-east-1 or brazilsouth. EU deployment? Any EU/EEA region your account can reach.
- If HailBytes ceased to exist tomorrow, your deployment keeps running. Container images stay pullable; the source is open-source under MIT-style licensing; IaC is reproducible.
Read the full architecture statement: BYOC architecture →
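One way to turn the "egress-restrict a fresh deployment and see what flows out" check into something a reviewer can run against the tenant's own VPC Flow Logs. This is an added example, not HailBytes' code; it assumes AWS's default flow-log record format, the sample records are constructed, and the tenant CIDR and host address are hypothetical.

```python
"""Added example (not HailBytes' code): summarise what a fresh deployment tries
to send outside the tenant, from VPC Flow Logs in AWS's default record format."""
import ipaddress

# Constructed sample in the default VPC Flow Log field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. Public addresses are RFC 5737
# documentation ranges; the AWS account id is the documentation placeholder.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0000a1b2c3 10.20.1.15 10.20.1.42 45122 5432 6 30 4100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0000a1b2c3 10.20.1.15 198.51.100.7 51034 443 6 12 2200 1700000000 1700000060 REJECT OK
2 123456789012 eni-0000a1b2c3 10.20.1.15 10.20.0.5 38011 443 6 8 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0000a1b2c3 10.20.1.15 203.0.113.9 52210 443 6 5 700 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0000a1b2c3 10.20.1.15 198.51.100.7 51036 443 6 3 400 1700000000 1700000060 REJECT OK
2 123456789012 eni-0000a1b2c3 10.20.1.42 10.20.1.15 5432 45122 6 28 9000 1700000000 1700000060 ACCEPT OK
"""


def external_egress(flow_logs: str, host_ip: str, tenant_cidrs: list) -> dict:
    """Flows from host_ip to any address outside tenant_cidrs, keyed by
    destination: {"accepted": n, "rejected": n, "ports": sorted list}.
    An "accepted" count is a destination the egress policy still lets through."""
    nets = [ipaddress.ip_network(c) for c in tenant_cidrs]
    out = {}
    for line in flow_logs.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2" or f[13] != "OK" or f[3] != host_ip:
            continue  # skip malformed, unsupported-version or NODATA/SKIPDATA rows
        if any(ipaddress.ip_address(f[4]) in n for n in nets):
            continue  # intra-tenant traffic is the BYOC norm, not egress
        rec = out.setdefault(f[4], {"accepted": 0, "rejected": 0, "ports": set()})
        rec["accepted" if f[12] == "ACCEPT" else "rejected"] += 1
        rec["ports"].add(int(f[6]))
    for rec in out.values():
        rec["ports"] = sorted(rec["ports"])
    return out
```

Any destination with a non-zero "accepted" count after the deployment has been egress-restricted is a flow the reviewer should be able to attribute to an integration they configured themselves.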
Per-release supply-chain evidence
Every tagged release ships with verifiable supply-chain artifacts. For a customer-deployed product, per-release evidence is the day-to-day proof of what's actually running — not an annual snapshot of HailBytes' office controls.
SBOM (every release)
Software Bill of Materials generated with Anchore Syft. SPDX 2.3 and CycloneDX 1.5 formats for HailBytes ASM; CycloneDX for HailBytes SAT.
SARIF vulnerability scans
Aqua Trivy on container images for both products; govulncheck
on Go binaries for HailBytes SAT. SARIF 2.1.0 output, uploaded to the GitHub Security tab.
Cosign keyless signing
HailBytes ASM container images signed via Sigstore keyless flow with GitHub Actions OIDC. No human-held signing key. SAT signing parity scheduled 2026-Q3.
Trust Pack archive
One downloadable ZIP per release aggregating SBOMs, SARIFs, signing references, UAT artifacts, and a browseable index.html + machine-readable MANIFEST.json. Attached to GitHub Releases.
Reproducible builds
Packer 1.11.2 with pinned plugin versions. Docker-Compose with pinned dependency versions (PostgreSQL 16.13, Redis 7.4.8, PgBouncer 1.24.1). Build from source if you want to.
Verify it yourself
The cosign verify command for each release is included in the Trust Pack index.html. Egress-restrict a fresh deployment to confirm what flows out.
Read the full evidence statement: Per-release security evidence →
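A reviewer-side check of the two artifacts described above: recomputing the digests listed in a Trust Pack's MANIFEST.json and building the pinned cosign keyless verify command. This is an added example, not HailBytes' code; the manifest schema, the sample pack contents, the image reference and the GitHub repository path are all assumptions, while the two cosign flags are the real keyless-verification options.

```python
"""Added example (not HailBytes' code): check a downloaded Trust Pack against its
MANIFEST.json, whose schema is assumed here as {"files": [{"path", "sha256"}]}."""
import hashlib, json, re, tempfile
from pathlib import Path

def verify_trust_pack(pack_dir: str) -> dict:
    """Map each path to ok / mismatch / missing / rejected (escapes the pack
    directory) / unlisted (in the archive but not vouched for by the manifest)."""
    root = Path(pack_dir).resolve()
    manifest = json.loads((root / "MANIFEST.json").read_text())
    results, listed = {}, set()
    for entry in manifest["files"]:
        rel, target = entry["path"], (root / entry["path"]).resolve()
        if Path(rel).is_absolute() or root not in target.parents:
            results[rel] = "rejected"  # the manifest is untrusted input too
            continue
        listed.add(rel)
        if not target.is_file():
            results[rel] = "missing"
        elif hashlib.sha256(target.read_bytes()).hexdigest() != entry["sha256"].lower():
            results[rel] = "mismatch"
        else:
            results[rel] = "ok"
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel != "MANIFEST.json" and rel not in listed:
            results[rel] = "unlisted"
    return results

def cosign_verify_argv(image: str, github_repo: str) -> list:
    # Pinning the OIDC issuer and signing identity is what gives keyless
    # verification meaning: unpinned, any Fulcio-issued certificate would pass.
    return ["cosign", "verify",
            "--certificate-oidc-issuer", "https://token.actions.githubusercontent.com",
            "--certificate-identity-regexp",
            f"^https://github.com/{re.escape(github_repo)}/", image]

def build_sample_pack() -> str:
    """Constructed pack: intact, altered, missing and path-escape entries, plus a stray file."""
    root = Path(tempfile.mkdtemp())
    (root / "asm.spdx.json").write_text('{"spdxVersion": "SPDX-2.3"}')
    (root / "trivy.sarif").write_text("altered after the manifest was written")
    (root / "extra.bin").write_text("not in manifest")
    good = hashlib.sha256((root / "asm.spdx.json").read_bytes()).hexdigest()
    files = [{"path": "asm.spdx.json", "sha256": good},
             {"path": "trivy.sarif", "sha256": "00" * 32},
             {"path": "uat/report.html", "sha256": "11" * 32},
             {"path": "../outside.txt", "sha256": "22" * 32}]
    (root / "MANIFEST.json").write_text(json.dumps({"files": files}))
    return str(root)
```

The manifest check only proves the archive matches itself; the image signature check is what ties the release to HailBytes' CI identity, so run both.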
Trust package documents
Procurement-grade documents. Each is built to answer a specific procurement question.
Architecture & evidence
Regulatory posture
Continuity & risk
- BCP/DR plan
- BCP/DR tabletop exercise (Lost Rabbit Digital)
- Key-person succession plan — available on request to security@hailbytes.com
- Insurance coverage
- Status page
Subprocessors
Third parties HailBytes engages directly that touch operational data. Customer-elected integrations (Slack, SIEM destinations, threat-intel sources you configure) flow directly from your deployment and are not HailBytes' subprocessors.
- GitHub, Inc. (Microsoft): source-code hosting, CI/CD, container registry, release distribution. US.
- Microsoft Azure: Marketplace listing, Packer build VMs, Marketplace settlement metadata. East US 2 primary.
- Amazon Web Services: Marketplace listing, Packer build VMs, Marketplace settlement metadata. us-east-1 primary.
- Cloudflare, Inc.: marketing-site CDN/WAF, DNS, and the runtime host for HailBytes' own Support Hub (Workers + Pages + KV/D1). Global edge.
- Sigstore (Linux Foundation): container-image signing for ASM (Fulcio CA, Rekor log). US public infrastructure.
- Stripe, Inc.: direct-checkout billing where used outside cloud Marketplaces. US/EU.
- Anthropic, PBC: internal LLM API use (test grading, documentation). No customer-tenant data. US.
- Google LLC (Google Workspace): internal email, calendar, marketing email distribution, support-thread email contents. US.
- Boden McHale (engineering services): contractor engagement under NDA + IP assignment; no default access to customer deployments. US.
Full list with data categories, locations, and contract status: Subprocessor list →
Honest framing
HailBytes does not yet hold a SOC 2 attestation. The first third-party penetration test report is targeted for 2027-Q1. The DPO designation is published here before public-page publication on the privacy page. The first enterprise marquee references will, with the customer's permission, be added once contracts close.
We name what's done and what isn't. Every dated commitment in the compliance roadmap is the position we want to be measured against.
For a guided walkthrough — including verifying the BYOC claims in your own sandbox account, a live cosign verify of the published image signatures, or a tour of HailBytes' internal deployment of its own products — email security@hailbytes.com.
Contact
Security questions
Vulnerability disclosure, security-architecture questions, trust package questions.
Contracts & DPA
Master agreement, DPA, certificate of insurance, named-additional-insured endorsement.
Data protection
DPO / encarregado: David McHale. LGPD, GDPR, data-subject-rights requests.