Insurance Coverage Statement
Last reviewed: 2026-05-21. Owner: David McHale (CEO function).
Audience: Procurement reviewers, contract administrators, customer risk-management teams.
Purpose: State current and in-progress insurance coverage. HailBytes’ coverage strategy is sized to its actual risk surface, which the BYOC architecture materially shrinks. This document explains both the limits and the rationale, so procurement reviewers can evaluate appropriateness rather than reflexively compare against multi-tenant-SaaS-vendor benchmarks.
1. Coverage philosophy and the BYOC adjustment
The single biggest driver of cyber-liability premium for a security vendor is the size of the data-loss exposure if the vendor itself is compromised. For a multi-tenant SaaS vendor, that exposure is “every customer’s data in one breach”, and premium pricing reflects it.
HailBytes’ BYOC architecture (byoc-architecture.md) materially changes this calculation:
- HailBytes does not hold customer-scanned data, customer employee lists, customer phishing-campaign results, or customer audit logs. A breach of HailBytes’ own infrastructure does not produce a multi-tenant data-loss event.
- A single-customer compromise is structurally constrained to that customer’s tenant; HailBytes is not the single-point-of-compromise target.
- HailBytes’ realistic incident exposures are: support-ticket contents (limited PII volume), marketing-list contacts (low sensitivity), and Marketplace settlement metadata (commercial, not personal-sensitive at scale).
The coverage levels in §2 are sized to this actual surface, not to a comparable multi-tenant-SaaS-vendor benchmark. A procurement reviewer comparing HailBytes’ limits to a SaaS competitor’s limits should weigh the structural data-residency posture as the offsetting factor.
For customers whose own procurement floors require higher named limits than HailBytes carries by default, HailBytes will obtain per-customer endorsements (additional-insured status plus a raised policy limit for the duration of the contract) at the customer’s incremental premium cost. This is offered as a standard contract negotiation item.
2. Coverage status
HailBytes bound coverage with Hiscox on 2026-05-21. Two policies, effective immediately through 2026-05-21-2027, with automatic 12-month renewal:
- Business Owners Policy (General Liability + Property): $1,000,000 occurrence / $1,000,000 aggregate.
- Cyber Liability: $250,000 occurrence / $250,000 aggregate, with Media Liability rider.
Certificates of Insurance and ACORD certificates are available on request from [email protected]. Details and the per-customer endorsement pathway for higher procurement floors are in §3.
Broker history
HailBytes initially pursued a multi-policy package through Vouch in May 2026 (target effective 2026-05-15) at a $1M / $1M / $1M baseline across General Liability, Technology Errors & Omissions, and Cyber Liability. Vouch’s response cycle was slower than what the enterprise pipeline could accommodate, and HailBytes bound through Hiscox on 2026-05-21 at the limits stated above. Limits upgrades and an additional standalone Technology Errors & Omissions endorsement remain available routes for procurement floors that require them; see §3 for the upgrade pathway.
3. Bound coverage, Hiscox, effective 2026-05-21 through 2026-05-21-2027
Carrier: Hiscox (hiscox.com). Both policies bound 2026-05-21 with automatic 12-month renewal.
3.1 Business Owners Policy (General Liability + Property)
- Policy number: P106.651.174.
- Limit: $1,000,000 per occurrence / $1,000,000 aggregate.
- Deductible: $0.
- Endorsement: Blanket Additional Insured included.
- Status: Bound 2026-05-21.
For enterprise customers requiring named-additional-insured status on the BOP, HailBytes will add the customer at the customer’s request. The blanket additional-insured endorsement covers most contractual requirements without a per-customer filing.
3.2 Cyber Liability
- Policy number: P106.651.173.
- Limit: $250,000 per occurrence / $250,000 aggregate.
- Deductible: $10,000.
- Rider: Media Liability.
- Status: Bound 2026-05-21.
The Hiscox Cyber product covers third-party network security and privacy liability, regulatory defense costs, and the first-party perils (data restoration, cyber extortion, business interruption). The baseline limit is sized per §1 to HailBytes’ actual cyber-incident exposure under BYOC delivery (no multi-tenant data aggregate). For procurement floors above the $250,000 baseline, see §3.4 for the upgrade pathway.
3.3 Technology Errors & Omissions
- Status: Under evaluation as a standalone endorsement.
- Pathway: Available on procurement-floor demand; binding handled directly with Hiscox or through a complementary carrier when a customer contract requires named Tech E&O at a specific limit.
The Hiscox Cyber policy in §3.2 covers third-party network security and privacy liability for security incidents. Standalone Technology Errors & Omissions, covering errors and omissions in services rendered as distinct from cyber-incident scenarios, is not currently bound. The BYOC delivery model materially limits HailBytes’ realized E&O exposure (the customer operates the service in their own tenant), and the Cyber policy covers the cyber-incident pathway; the additional Tech E&O endorsement is treated as a per-customer procurement option rather than a baseline carry.
For customers whose procurement policy requires named Tech E&O coverage at a specific limit, HailBytes will obtain the endorsement and reflect it in the COI delivered with the signed agreement. Premium is passed through at cost.
3.4 Procurement-floor upgrade pathway
For customers whose procurement policy requires named limits above the §3.1–§3.2 baseline (commonly $2M Tech E&O / $5M Cyber for IBM-class enterprises), HailBytes will negotiate a per-customer endorsement or a limits upgrade on the bound Hiscox Cyber policy. The premium delta is passed through transparently in the contract. Lead time from contract execution to delivery of the COI for the upgraded, bound coverage is typically one calendar week.
This pathway avoids carrying excess coverage broadly to satisfy a narrow set of procurement floors, while making the option available to any customer that requires it.
4. Additional coverage under consideration
- Directors & Officers (D&O): typically deferred until Series A or first institutional capital event; not currently required by any enterprise contract under negotiation.
- Workers’ Compensation: in place per applicable jurisdiction(s); details available on request.
- Employment Practices Liability: in place where required.
5. Customer name on COI
For named enterprise customers, HailBytes will list the customer as an “additional insured” on the bound Business Owners Policy at the customer’s request. The blanket-additional-insured endorsement in §3.1 covers most contractual additional-insured requirements without a per-customer filing. For named-additional-insured status on the Cyber policy, HailBytes will request the endorsement from Hiscox on the customer’s behalf and confirm acceptance on a per-policy basis.
6. Per-customer endorsement and limits upgrades
See §3.4 for the procurement-floor upgrade pathway: limits upgrades on the bound Hiscox Cyber policy, named Tech E&O endorsement, and any other coverage extensions a customer’s procurement policy requires. Premium delta is passed through transparently and reflected in the COI delivered with the signed agreement.
7. Notification on policy lapse
HailBytes commits to notifying the customer’s named contracts contact within 5 business days of any non-renewal, cancellation, or material reduction in coverage for any policy named on the COI provided to the customer.
8. Document lifecycle
- COIs are reissued annually on policy renewal; superseded COIs are retained in the contracts repository.
- This document is updated within 5 business days of any change in coverage. Version history is the audit trail.
Cross-references: compliance-roadmap.md §6 for the bind-date commitment in §3; byoc-architecture.md for the structural argument behind §1; key-person-succession.md §1 for the CEO function (David McHale) that owns this document.