Security

The security of your code and data is our top priority.

Our Commitment

At Hippoc, we understand that you're trusting us with your most valuable asset: your code and intellectual property. We take this responsibility seriously and have implemented enterprise-grade security measures to protect your data.

Encryption

Data at Rest

  • AES-256 encryption for all stored data
  • Encrypted database backups
  • Separate encryption keys per customer
  • Hardware Security Modules (HSM) for key management

Data in Transit

  • TLS 1.3 for all network communications
  • Perfect Forward Secrecy (PFS)
  • Certificate pinning for API clients
  • Secure WebSocket connections

Infrastructure Security

Cloud Infrastructure

  • Hosted on AWS with SOC 2 Type II compliance
  • Multi-AZ deployment for high availability
  • Automated backups with point-in-time recovery
  • DDoS protection via AWS Shield
  • Web Application Firewall (WAF) enabled

Network Security

  • Private VPC with network isolation
  • Security groups and network ACLs
  • No direct database access from internet
  • Bastion hosts for administrative access

Application Security

Authentication & Authorization

  • OAuth 2.0 and OpenID Connect
  • Multi-factor authentication (MFA) available
  • Role-based access control (RBAC)
  • Session management with automatic timeout
  • API key rotation and expiration

Secure Development

  • Regular security code reviews
  • Automated vulnerability scanning
  • Dependency security monitoring
  • Secure CI/CD pipeline
  • Container image scanning

Compliance & Certifications

SOC 2 Type II

We maintain SOC 2 Type II compliance, demonstrating our commitment to security, availability, and confidentiality controls.

GDPR Compliant

Full compliance with the requirements of the General Data Protection Regulation (GDPR), including data subject rights and cross-border transfer protections.

ISO 27001 (In Progress)

We're currently working toward ISO 27001 certification for information security management.

Monitoring & Incident Response

24/7 Monitoring

  • Real-time security event monitoring
  • Intrusion detection systems (IDS)
  • Automated anomaly detection
  • Security Information and Event Management (SIEM)
  • Log aggregation and analysis

Incident Response

We maintain a comprehensive incident response plan:

  • Dedicated security team on-call 24/7
  • Documented incident response procedures
  • Customer notification within 24 hours of confirmed breach
  • Post-incident analysis and remediation
  • Coordination with law enforcement when necessary

Access Controls

Employee Access

  • Principle of least privilege
  • Background checks for all employees
  • Security awareness training
  • Access reviews and audits
  • Immediate access revocation on termination

Physical Security

  • AWS data centers with 24/7 security
  • Biometric access controls
  • Video surveillance
  • Environmental controls and monitoring

Data Privacy

Data Isolation

Each customer's data is logically isolated:

  • Separate encryption keys per customer
  • Database-level row security
  • API-level tenant isolation
  • No cross-customer data sharing

Data Retention

  • Customer-controlled data retention policies
  • Secure data deletion within 30 days of account closure
  • Backup retention for disaster recovery
  • Compliance with data residency requirements

Audits & Testing

  • Annual SOC 2 Type II audits
  • Quarterly penetration testing by third-party firms
  • Regular vulnerability assessments
  • Bug bounty program for responsible disclosure
  • Security audit logs retained for 1 year

Your Responsibilities

While we provide robust security, you play a crucial role:

  • Use strong, unique passwords
  • Enable multi-factor authentication
  • Keep your API keys secure
  • Review team member access regularly
  • Report suspicious activity immediately
  • Keep your local environment secure

Responsible Disclosure

If you discover a security vulnerability, please report it to us responsibly:

Email: security@hippoc.io

PGP Key: Available on request

We commit to acknowledging your report within 24 hours and providing regular updates on our investigation and remediation efforts.

Questions?

For security questions or concerns, contact our security team:
security@hippoc.io