HailBytes Enterprise Trust Package
Last reviewed: 2026-05-21.
Version: 1.2.
Contact: [email protected] (security and trust questions); [email protected] (DPA, COI, contract); [email protected] (reference call arrangement).
For reviewers, the short version
HailBytes is a small, bootstrapped vendor delivering attack-surface management (HailBytes ASM) and security-awareness training (HailBytes SAT) as customer-deployed products on AWS and Azure Marketplaces. The deployment model is Bring-Your-Own-Cloud: both products run end-to-end inside the customer’s own cloud account. HailBytes operates no shared data plane, no multi-tenant database, and no central scan-result store. This structural fact is the throughline of every document below.
Where this trust package is procurement-grade now: per-release supply-chain evidence (SBOM, SARIF, Cosign signing for ASM), BYOC data-handling posture, BCP/DR plan with customer-vanishing scenarios documented, subprocessor list, LGPD and GDPR analysis, CAIQ-Lite filled honestly.
Where the trust package admits gaps and commits to dates: SOC 2 Type 2 direct audit engagement with Jack Moore Group in late-stage contracting (Type 1 omitted per enterprise procurement feedback), documentation self-prepared; first third-party penetration test scheduled with Astra Pentest (selected); Business Owners Policy and Cyber Liability bound with Hiscox effective 2026-05-21 at baseline limits sized to BYOC exposure, with limits upgrade and standalone Tech E&O endorsement available on procurement-floor demand; LGPD encarregado and GDPR DPO designated (David McHale). See compliance-roadmap.md for the dated commitments.
The package is built to be reused across every enterprise engagement, not tailored to one deal. Deal-specific cover letters are produced separately.
Index of artifacts
Architecture and evidence
| File | What it covers | Primary procurement question answered |
|---|---|---|
| byoc-architecture.md | What runs in the customer tenant, what HailBytes operates externally, what data crosses the boundary, the controller/processor framing. | “Where does my data live and who has access to it?” |
| security-evidence-package.md | Per-release SBOMs (SPDX + CycloneDX), SARIF scans (Trivy, govulncheck), Cosign keyless signing, the Trust Pack archive. | “What code is actually running, and how do I verify it?” |
| subprocessor-list.md | HailBytes’ own subprocessors (§A) and customer-elected integrations (§B), split per product. | “Who else touches our data?” |
Compliance and regulatory posture
| File | What it covers | Primary procurement question answered |
|---|---|---|
| lgpd-compliance.md | LGPD posture (controller/processor, residency, ANPD notification, encarregado) and parallel GDPR section. | “Is this vendor compliant with our regulatory regime?” |
| caiq-lite.md | Pre-filled Cloud Security Alliance CAIQ-Lite (35 questions). | “Can you answer our standard vendor security questionnaire?” |
| compliance-roadmap.md | 18-month roadmap with named vendors and dated commitments: SOC 2 Type 2 direct with Jack Moore Group, ISO 27001 evaluation, pen test, insurance, DPO/encarregado. | “What’s in flight and when does it land?” |
Continuity, resilience, and risk
| File | What it covers | Primary procurement question answered |
|---|---|---|
| bcp-dr-plan.md | Threat scenarios, customer continuity under HailBytes incidents, customer continuity under HailBytes-vanishing scenarios, HailBytes-side recovery procedures, test cadence. | “What happens to us if you have a bad day, or if you go away?” |
| bcp-dr-tabletop-exercise.md | Runnable annual tabletop exercise script (supply-chain compromise + compound key-person loss). | “Is the BCP/DR plan exercised, not just documented?” |
| Key-person risk and succession plan | Named succession for CEO/CTO/Security/DPO functions, production access map, incident-responder assignments. Available to active procurement reviewers on request; email [email protected]. | “What’s your key-person risk?” |
| insurance-coverage.md | Business Owners Policy and Cyber Liability bound with Hiscox effective 2026-05-21, sized to BYOC exposure. Cyber limits upgrade and standalone Tech E&O endorsement available on procurement-floor demand. | “Are you insured?” |
References and evidence
| File | What it covers | Primary procurement question answered |
|---|---|---|
| references-and-evidence.md | Marketplace install metrics, user community characterization, technical reference offers, live-deployment walkthrough offer. | “Show us your existing customers.” |
Co-seller and channel
| File | What it covers | Primary procurement question answered |
|---|---|---|
| marketplace-hub-content.md | Co-seller-friendly content for AWS Marketplace, Azure Marketplace, and partner channels. | Channel-partner enablement. |
How this trust package is meant to be used
- First-pass procurement review: a reviewer reads byoc-architecture.md first (10 minutes), then caiq-lite.md (15 minutes) and compliance-roadmap.md (5 minutes). That’s enough to triage whether HailBytes meets the procurement bar for the customer’s environment.
- DPO / legal review: lgpd-compliance.md + subprocessor-list.md + the DPA (linked from lgpd-compliance.md §III; published at hailbytes.com/legal/dpa once finalized).
- Risk and resilience review: bcp-dr-plan.md + insurance-coverage.md + the key-person succession plan (available on request to [email protected]).
- Engineering / security architect review: security-evidence-package.md and the actual Trust Pack archive attached to the candidate release on GitHub.
- References and proof-of-life: references-and-evidence.md + the verification-of-claims offer in §7 of the same document.
For procurement teams whose vendor-management process is structured around a specific framework (SOC 2, ISO 27001, NIST CSF, CIS), hailbytes.com/compliance carries the published control mappings; the per-control evidence referenced there lives in this trust package.
How this trust package is maintained
- Each file lives in hugo-site/content/partners/trust-package/ in the hailbytes-static repository, served at hailbytes.com/partners/trust-package/.... Version history is the audit trail.
- The trust package is reviewed quarterly and on any material change. The “Last reviewed” date at the top of each file is updated on review.
- Per-release artifacts (SBOMs, SARIFs, signature attestations, Trust Pack archives) update with every product release; security-evidence-package.md describes where to find them.
- An internal operational tracker enumerates open commitments with named owners and target dates. Items leave the tracker only when the underlying commitment is delivered, never silently.
Contact and next steps
If you are reviewing this package as part of an active procurement evaluation, the most efficient next step is usually one of:
- A 30-minute call with HailBytes’ CEO function for commercial scoping and DPA review.
- A 60-minute technical evaluation with HailBytes’ CTO function and the live-deployment walkthrough offered in references-and-evidence.md §6.
- A guided verification-of-claims session in your own sandbox cloud account (references-and-evidence.md §7).
Email [email protected] or [email protected] to coordinate.