
Trust Center.
What we secure, who can see what, and what we’d do if something went wrong.

No certification theater. We’re an early-stage studio — we’ll show you the real controls, the real subprocessors, and the real roadmap to SOC 2 Type II. Every claim on this page is one we can defend.

Roadmap: Working toward SOC 2 Type II — target Q1 2027

01 / Security

How we secure customer data — from request to backup.

Defense in depth from the edge to the database. Every Hayaiti project ships behind the same hardened defaults so no client inherits a per-project regression.

Encryption

TLS 1.3

AES-256-GCM at rest · TLS 1.3 in transit · keys rotated annually.

Project isolation

1 engagement, 1 account

Each client gets a dedicated cloud account, repo, and credential set. No cross-project data colocation.

Backups

Daily · 30-day

Encrypted automated backups · 30-day point-in-time recovery · quarterly restore drills on internal systems.

Pentest

Q1 2027 target

Engaging an external pentest firm before our SOC 2 Type II window. Until then, every release ships with a written threat model and security review.

01

Application security

Every app we ship lands behind the same hardened defaults — no per-project regressions.

  • Strict Content Security Policy with nonces — no inline-script bypasses.
  • Per-IP and per-route rate limiting at the edge (Cloudflare) and in app.
  • Honeypot fields and Turnstile on every public form.
  • Server-side input validation with zod schemas; never trust the client.
  • OWASP ASVS L2 checklist enforced before any production deploy.

02

Data security

Customer data is encrypted, scoped, and observable — both at rest and in transit.

  • AES-256-GCM at rest for databases, backups, and object storage.
  • TLS 1.3 in transit, HSTS preload, certificate transparency monitoring.
  • Secrets in a managed vault; never committed to source control (gitleaks in CI).
  • Quarterly access review · principle of least privilege on every credential.
  • Audit logs retained 365 days · tamper-evident chain of custody.

03

Infrastructure security

We don't reinvent boring problems — we build on platforms that already pass the audits.

  • Vercel (SOC 2 Type II, ISO 27001) for application hosting and edge runtime.
  • Cloudflare (SOC 2 Type II, ISO 27001) for WAF, DDoS shield, bot management.
  • GitHub branch protection · required reviews · signed commits on main.
  • CI security: dependency scan, gitleaks, semgrep on every PR.
  • Production access via SSO + hardware-key MFA; no shared accounts.

02 / Privacy

Your data is yours. We’re the temporary custodians.

Six rights guaranteed by GDPR & CCPA, honored regardless of where you live. The full privacy policy is at /privacy.

01

Right to access

Request a copy of every piece of personal data we hold about you. Delivered as a portable JSON export within 30 days.

02

Right to rectification

Correct anything inaccurate. Most fields are self-serve in your account; the rest take a single email to privacy@hayaiti.com.

03

Right to erasure

Delete your data on request, subject only to retention required by law (e.g. invoices for tax). Hard-delete, not soft-flag.

04

Right to portability

Take your data with you. Export in a structured, machine-readable format on demand — no platform lock-in.

05

Right to object

Opt out of any processing based on legitimate interest, including analytics and product communications.

06

Right to lodge a complaint

If we ever fall short, you can file a complaint with your local data protection authority. We’ll respond fully to any inquiry.

Who can see what

Access matrix

You (the customer)

All data you submit, plus audit logs of every change.

Hayaiti engineering on-call

Production access, time-boxed, MFA-gated, fully logged.

Subprocessors

Only the slice of data needed for their function — see list below.

Hayaiti operations

Billing data only (Stripe-hosted, never card numbers).

Marketing / sales

Aggregated, anonymized usage metrics — no individual records.

03 / Compliance

Where we stand on every framework — no certification theater.

We’re an early-stage studio. Most enterprise certifications are an audit cycle away, not a logo. Here is the honest state of every framework you might care about.

Status legend: Compliant · In progress · Planned · Aware

GDPR

Regulation

Compliant

EU General Data Protection Regulation. Lawful basis, data subject rights, breach notification within 72 hours, and a published subprocessors list — all in place.

Privacy Policy

CCPA / CPRA

Regulation

Compliant

California Consumer Privacy Act. Right to know, delete, correct, and opt-out of sale. We do not sell personal information.

Privacy Policy

SOC 2 Type II

Framework

In progress

AICPA Trust Services Criteria for Security, Availability, and Confidentiality. We are operating to SOC 2 controls today; formal audit and report come after the readiness assessment.

Target: Readiness Q3 2026 · Type II report Q1 2027

Email for status update

ISO 27001

Standard

Planned

Information Security Management System. Planned to begin alongside SOC 2 Type II once the first audit cycle completes.

Target: Scoping 2027

HIPAA

Regulation

Aware

U.S. healthcare data. We engineer to HIPAA-aware standards (encryption, access controls, audit logging) and can sign a Business Associate Agreement on a per-engagement basis. We are not certified — HIPAA has no certification body.

Request a BAA

PCI DSS

Standard

Compliant

Payment Card Industry Data Security Standard. We never touch card data — Stripe handles all payment flows as a PCI DSS Level 1 service provider. Our integration uses Stripe Elements / Checkout, so we are out of scope.

Stripe security

“In progress” means we are operating to the framework’s controls today; the formal audit is the open work. “Aware” means we engineer to the standard but the regulation has no certifying body. Anything not on this list, ask us — we’ll tell you the truth.

04 / Subprocessors

Every vendor that touches customer data — listed.

GDPR Article 28 requires us to publish the third parties that process customer data on our behalf. We give you their DPA directly so you can verify upstream — no hidden chains.

9 active vendors · All DPA-bound · Notified on change

Vercel

DPA ↗

Application hosting, edge compute, image optimization.

United States · European Union (configurable per project)

SOC 2 Type II · ISO 27001 · HIPAA-eligible

Cloudflare

DPA ↗

DNS, CDN, WAF, DDoS protection, bot management.

Global edge (300+ POPs)

SOC 2 Type II · ISO 27001 · PCI DSS

Stripe

DPA ↗

Payment processing, billing, payouts, fraud detection.

United States · European Union

PCI DSS Level 1 · SOC 2 Type II · ISO 27001

Resend

DPA ↗

Transactional email delivery (receipts, notifications).

United States

SOC 2 Type II

GitHub

DPA ↗

Source code hosting, CI/CD, issue tracking for client work.

United States

SOC 1 Type II · SOC 2 Type II · ISO 27001

Linear

DPA ↗

Project management, internal task tracking.

United States

SOC 2 Type II

Slack

DPA ↗

Real-time team and per-client communication channels.

United States

SOC 2 Type II · ISO 27001 · ISO 27017 · ISO 27018

PostHog

DPA ↗

Product analytics, session replay, feature flags.

United States · European Union (EU Cloud option)

SOC 2 Type II · HIPAA-ready (Enterprise)

Sentry

DPA ↗

Error monitoring, performance regression alerts.

United States · European Union

SOC 2 Type II · ISO 27001

Subscribe to subprocessor changes. We notify customers 30 days before adding a new vendor.

Subscribe

05 / Incident response

What we’d do if something went wrong.

A real runbook, not a slogan. Times below are the upper bounds we commit to — written, signed, and auditable.

  1. Detect · Continuous

     Alerting from Sentry, Cloudflare, uptime probes, and audit log anomaly detection. Customer reports flagged at security@hayaiti.com.

  2. Triage · Within 4 hours

     Severity assigned (SEV-1 → SEV-4), incident commander designated, war-room channel opened, scope of impact assessed.

  3. Contain · Within 12 hours

     Affected systems isolated · keys rotated · attacker pathway closed. Evidence preserved for forensics before any rebuild.

  4. Notify · Within 72 hours

     Affected customers notified directly per GDPR Article 33. Status page updated. Regulators contacted where required.

  5. Postmortem · Within 14 days

     Blameless postmortem authored. Root cause, timeline, and corrective actions published — publicly when the customer permits, otherwise privately to all affected parties.

Status page

Live system status

Real-time uptime for every Hayaiti service. Historical incidents are kept indefinitely with full postmortems linked.

status.hayaiti.com

Notifications

Subscribe to incident updates

Email, RSS, or webhook. Critical incidents always page customer admins directly — no need to subscribe for SEV-1.

security@hayaiti.com

06 / Pentest & bounties

Honest schedule. No certification theater.

We don’t have a fresh pentest report to wave around — and we’re not going to fake one. Here is what we’re doing instead, and when the report will exist.

Scheduled Q3 2026

External pentest

First annual external penetration test against hayaiti.com and admin surfaces. Executive summary published as soon as remediation closes.

Active

Continuous internal review

Every release cycle ships with a written threat model and a security-review checklist (ASVS L2). We eat our own dogfood before we point it at clients.

Q4 2026 (planned)

Bug bounty program

Public program with safe-harbor terms (already published) and a structured payout table. Currently accepting reports under our disclosure policy.

Methodology

OWASP ASVS L2 baseline. Scope: web app, API, identity provider, edge config. External tester credentialed on CREST or OSCP minimum.

Disclosure

Safe-harbor disclosure policy already in force. SLAs published. Researchers credited publicly with consent.

/disclosure

Lab work

Open-source security tooling and write-ups we publish under Hayaiti Labs. Real engineering, no inflated CVE counts.

/labs

Contact

Three inboxes. No forms. No discovery calls.

Founders read every message. Acknowledgement within 2 business days; security reports faster. PGP available on request.

For PGP-encrypted security reports, see /disclosure.