Marketplace and Partner-Hub Content

Audience: Anyone authoring or updating AWS Marketplace product pages, Azure Marketplace product pages, or partner-hub content who wants the trust-package narrative reflected consistently across surfaces.

Purpose: Distill the trust package into co-seller-friendly content that can be lifted into Marketplace listings, partner enablement decks, and channel-partner email outreach without rewriting the underlying claims. Reuse over one-offs.

1. Why enterprise buyers choose HailBytes, one paragraph

HailBytes ASM and HailBytes SAT deploy as customer-owned VMs in your AWS or Azure account. Your scanned-asset data, employee target lists, and campaign results live in your cloud, in your region, under your IAM and your KMS keys, HailBytes never receives them. That structural data-residency posture is what makes the products viable for regulated procurement under LGPD, GDPR, HIPAA, and FedRAMP-aligned reviews without the controller-and-processor analysis getting in the way. The per-release supply-chain evidence (SBOMs, SARIF scans, Sigstore-signed container images, Trust Pack archive on every release) is the day-to-day evidence procurement and security teams use to verify what is actually running.

This paragraph is approved for direct lift into Marketplace long-form descriptions, partner-hub vendor pages, and co-seller outreach. Do not edit beyond cosmetic adjustments without re-confirming with [email protected].

2. Three security highlights, bullet form

For Marketplace “Highlights” sections and partner decks where bullets are the right format:

• Per-release evidence, not annual snapshots. Every release publishes an SBOM (SPDX + CycloneDX), Trivy and govulncheck SARIF scans, and a Cosign-signed Trust Pack archive. Customers can verify what is running in their environment on the timescale they care about, release by release, not year by year. (details)

• BYOC architecture, structural data residency. The full ASM and SAT stacks run inside the customer’s own AWS or Azure account. HailBytes operates no shared data plane. Customer-scanned data, target lists, and audit logs never leave the customer’s tenant. (details)

• Dated compliance roadmap with named vendors. SOC 2 Type 2 direct audit engagement with Jack Moore Group in late-stage contracting, target attestation 2026-H2 to 2027-Q1 (contingent on observation-window completion); first third-party penetration test scheduled with Astra Pentest, report targeted 2027-Q1; Business Owners Policy and Cyber Liability bound with Hiscox effective 2026-05-21 (sized to BYOC exposure), with limits upgrade and standalone Tech E&O endorsement available on procurement-floor demand. (details)

2.1 Listing quick reference

For direct insertion into co-seller outreach or partner-page sidebars:

• HailBytes ASM, primary hailbytes.com/asm/ · AWS Marketplace · Azure Marketplace · demo video.
• HailBytes SAT, primary hailbytes.com/sat/ · AWS Marketplace · Azure Marketplace · demo video.
• HailBytes Support Hub SaaS, is live on Azure Marketplace; the AWS Marketplace listing is in flight (premium support tiers and professional-services bundling).
• Public surfaces, GitHub org · YouTube channel · community Discord · Trust Center · How to buy.

2.2 International procurement and invoicing

For accounts where the buyer sits outside the United States, the marketplace path is also the international-procurement story. The claim chain field reps can lift directly:

• The hyperscaler is the reseller of record. For Brazilian customers, AWS Brasil (Amazon’s CNPJ-registered Brazilian entity for AWS services) or Microsoft do Brasil acts as reseller of record on the marketplace transaction. Equivalent local entities apply for EU, UK, and other regions where the hyperscaler has a local billing entity.
• Local-currency invoicing and tax documents. For Brazilian customers, the hyperscaler invoices in BRL and issues the Brazilian Nota Fiscal Eletrônica. ICMS, ISS, PIS/COFINS, and import-of-services tax route through the hyperscaler’s established Brasil compliance infrastructure, not through HailBytes. FX conversion is handled at the marketplace billing layer.
• Private offers carry multi-year and negotiated terms. Multi-year discounts, customer-specific T&Cs, and ramp schedules ride on the private offer; no separate direct master agreement is required for those terms.
• Direct (non-marketplace) HailBytes LLC contracts remain available where customer procurement prefers a non-marketplace path; standard export-of-services arrangement applies.
• Reference link for field reps: hailbytes.com/how-to-buy/ carries the customer-facing version of this claim chain with a by-region invoicing-entity table.

Use this language verbatim where appropriate; the underlying claim chain is the same one in the customer-facing trust artifacts and the IBM-style procurement questionnaire return, so consistency across surfaces is the goal.

3. CTA, request the full trust package

For procurement-stage prospects who land on a Marketplace page or partner-hub page and want more than the bullets:

Procurement reviewers: the full trust package, including BYOC architecture detail, LGPD and GDPR posture, CAIQ-Lite, BCP/DR plan, subprocessor list, key-person succession, insurance coverage, and the 18-month compliance roadmap, is published at hailbytes.com/partners/trust-package/. For the DPA, COI, or a guided verification-of-claims session in your sandbox account, email [email protected].

4. Co-seller talking points for AWS and Azure field reps

For when an AWS or Azure account team is positioning HailBytes into a regulated enterprise account:

• MACC / EDP eligibility. Both HailBytes ASM and SAT are listed on AWS Marketplace and Azure Marketplace and consume against the customer’s existing AWS Marketplace Annual Spend or Azure Enterprise Discount Program commitment. No new procurement vehicle is required.
• Per-vCPU pricing. Pricing scales with the compute the customer chose to run the product on, not with per-user seat counts. Combined with BYOC, this generally produces 50–85% cost reduction versus per-seat SaaS competitors for organizations beyond a few hundred employees.
• No vendor-side data risk. For accounts where the AWS or Azure rep is sensitive about cross-cloud or third-party-vendor data risk, HailBytes is structurally a no-op on this dimension, there is no third-party data plane to assess.
• Channel margin. Documented in the partner playbook (/partner-docs/MSSP_Channel_Partner_Playbook.md).

5. Channel-partner enablement notes

For MSSPs, VARs, and tech-alliance partners who are presenting HailBytes to their own customers:

• The trust package is white-label-friendly in the sense that the BYOC narrative does not change when the deployment is operated by an MSSP on the customer’s behalf, the customer’s tenant is still the customer’s tenant, the MSSP is just the operator.
• The MSSP-channel-specific positioning is in /partner-docs/MSSP_Channel_Partner_Playbook.md and on hailbytes.com/for-mssps/.
• For pentest-firm partners, see hailbytes.com/for-pentest-firms/.

6. Quotes and testimonials policy

Until enterprise customers provide reference-permission in writing, marketplace pages, decks, and channel collateral should not carry attributed customer quotes. Use the in-paragraph claims in §1 and §2; do not invent quotes or use composite-profile testimonials. See references-and-evidence.md §8 for the policy rationale.

7. Maintenance

• This document is updated when the public-facing trust-package URLs change, when new highlights are added (e.g., SAT Cosign signing parity in 2026-Q3), or when major reference customers land.
• Marketplace and partner-hub copy that quotes this document should be re-synced on each quarterly trust-package review.

Cross-references: references-and-evidence.md §8 for the no-fabricated-quotes policy.