HailBytes Trust Center

Procurement-grade trust artifacts for HailBytes ASM and HailBytes SAT. Built by a US-headquartered vendor on the structural fact that both products run inside your own cloud account, not ours.

For US Enterprise procurement reviewers: HailBytes is a US-headquartered security software vendor providing BYOC-architected products with a trust package built for US Enterprise procurement diligence. A SOC 2 Type 2 direct audit engagement with Jack Moore Group is in late-stage contracting (Type 1 omitted per enterprise customer feedback); attestation is targeted for 2026-H2 to 2027-Q1, contingent on observation-window completion. ASM publishes auditor-ready compliance report templates for the eight North American frameworks US procurement teams expect (SOC 2 CC7.x, NIST CSF 2.0, HIPAA, GLBA, PCI DSS 4.0, FedRAMP Moderate, NYDFS 23 NYCRR 500, CIS Controls v8). The first third-party penetration test, with Astra Pentest, is targeted for booking in 2026-Q4. Mappings for Latin American frameworks (LGPD, BACEN 4.893, LFPDPPP, Ley 25.326) and global frameworks (ISO/IEC 27001:2022, GDPR Article 32) are also published. LGPD encarregado and GDPR DPO responsibilities are designated to David McHale.

What HailBytes has today

Structural security posture and completed trust artifacts available to procurement reviewers today, grouped by whether each item is about HailBytes the company or about what HailBytes products produce for your audits.

Vendor posture — about HailBytes the company

CAIQ-Lite (pre-filled)

Cloud Security Alliance CAIQ-Lite answered across all 37 questions. 29 of 37 are answered "Yes" with evidence; the remaining 8 are clearly scoped to the BYOC model or noted as in progress. Ready for vendor security questionnaire workflows.

✓ Complete · CAIQ-Lite →

BCP/DR plan & tabletop

Documented threat scenarios including HailBytes-vanishing continuity (customers keep running; images remain pullable; source is MIT-licensed). A runnable annual tabletop exercise script is published alongside the plan.

✓ Documented · BCP/DR plan →

Subprocessor list

Full enumeration of HailBytes' own subprocessors (§A) and customer-elected integrations (§B), split by product. Reviewed quarterly, with 30-day advance notice of any §A change. Subscribe to change notifications at [email protected].

✓ Published · subprocessor list →

Product capability — what HailBytes products produce for your audits

BYOC data residency

Both products run end-to-end inside the customer's own AWS or Azure account. HailBytes holds no customer-scanned data, employee lists, or campaign results, and there is no shared data plane to breach. Reviewers can verify this by egress-filtering a fresh deployment.

✓ Complete · architecture detail →

Per-release supply-chain evidence

Every tagged release ships SBOM (SPDX + CycloneDX), Trivy and govulncheck SARIF scans, Cosign-signed container images for ASM, and a Trust Pack archive with a verifiable MANIFEST.json. These artifacts are published with GitHub Releases.

✓ Complete per release · evidence detail →

Auditor-ready compliance reports

ASM publishes auditor-ready PDF report templates for the eight North American frameworks US Enterprise procurement teams expect (SOC 2 Type II CC7.x, NIST CSF 2.0, HIPAA, GLBA, PCI DSS 4.0, FedRAMP Moderate, NYDFS 23 NYCRR 500, CIS Controls v8) plus LGPD, ISO 27001, and GDPR (11 total). Latin American mappings (BACEN 4.893, LFPDPPP, Ley 25.326) are published in the open-source LatAm reference. These mappings describe what the product produces; HailBytes' own attestations are separate (vendor milestones ↓).

✓ Mappings published · framework details → · by region ↓

Phishing credential capture safeguards

When a SAT phishing simulation captures a password, it is never stored in plaintext. The default redact-at-write mode replaces the credential with a length-only sentinel (e.g. [REDACTED:8]) the moment it is received. Teams that need credentials for IR forensics can enable opt-in AES-256-GCM encryption-at-rest, recoverable only under admin authorization, and the landing-page banner shows the active storage policy so operators can confirm how data was handled.

✓ Complete · encryption detail →
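A worked illustration of the two storage policies described above, written in Go as an added example. It is not HailBytes SAT code: the type names, the binding of a capture record ID into the ciphertext, and the boolean admin gate are assumptions made for the example, not SAT's actual interfaces.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"unicode/utf8"
)

// StoragePolicy is the capture-storage mode the landing-page banner reports.
type StoragePolicy string

const (
	PolicyRedact  StoragePolicy = "redact-at-write" // default
	PolicyEncrypt StoragePolicy = "encrypt-at-rest" // opt-in
)

// RedactAtWrite replaces a captured credential with a length-only sentinel such
// as "[REDACTED:8]". The rune count is all that survives; the bytes are never written.
func RedactAtWrite(credential string) string {
	return fmt.Sprintf("[REDACTED:%d]", utf8.RuneCountInString(credential))
}

// Vault wraps the AES-256-GCM data key used by the opt-in encrypt-at-rest mode.
type Vault struct{ aead cipher.AEAD }

// NewVault accepts only a 32-byte key, so a 128-bit key cannot silently downgrade the policy.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts under a fresh random nonce and binds the capture record ID as
// additional authenticated data (an assumption of this example), so a ciphertext
// moved onto another target's record fails to open. Layout: nonce || ciphertext || tag.
func (v *Vault) Seal(credential, recordID string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := v.aead.Seal(nil, nonce, []byte(credential), []byte(recordID))
	return append(nonce, ct...), nil
}

// Open returns the plaintext only for an admin-authorized request; any other
// caller is refused before the ciphertext is touched.
func (v *Vault) Open(blob []byte, recordID string, adminAuthorized bool) (string, error) {
	if !adminAuthorized {
		return "", errors.New("credential recovery requires admin authorization")
	}
	ns := v.aead.NonceSize()
	if len(blob) < ns+v.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
	if err != nil {
		return "", err // wrong key, wrong record ID, or tampered bytes
	}
	return string(pt), nil
}

// StoreCapture applies the active policy; no branch ever returns the raw credential.
func StoreCapture(policy StoragePolicy, v *Vault, credential, recordID string) ([]byte, error) {
	switch policy {
	case PolicyRedact:
		return []byte(RedactAtWrite(credential)), nil
	case PolicyEncrypt:
		if v == nil {
			return nil, errors.New("encrypt-at-rest enabled without a vault key")
		}
		return v.Seal(credential, recordID)
	default:
		return nil, fmt.Errorf("unknown storage policy %q", policy)
	}
}

func main() {
	key := make([]byte, 32) // demo only; a deployment would use the customer's KMS-backed secret
	rand.Read(key)
	v, _ := NewVault(key)
	id := "campaign-7/target-42"
	redacted, _ := StoreCapture(PolicyRedact, nil, "hunter2!", id)
	blob, _ := StoreCapture(PolicyEncrypt, v, "hunter2!", id)
	_, denied := v.Open(blob, id, false)
	pt, _ := v.Open(blob, id, true)
	fmt.Println(string(redacted), "|", denied, "|", pt)
}
```

Two points worth noting. In redact mode the sentinel keeps the password length by design (it is what makes a per-target report useful without the secret), so length is the only residual information, and a reviewer should expect exactly that and nothing more in the datastore. In encrypt mode the record ID is passed as GCM additional data, which means a ciphertext copied onto a different target's record fails authentication rather than decrypting; under BYOC the key itself stays in the customer's own KMS.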

Product capability: ASM compliance report coverage (by region)

What HailBytes ASM produces for your audits — mappings and PDF report templates ASM ships, organized by region. These are product outputs, not attestations HailBytes itself holds. For HailBytes' own vendor-side attestations, see vendor milestones ↓.

North American frameworks

ASM ships auditor-ready PDF report templates mapped to:

  • SOC 2 Type II (CC7.x system monitoring & vulnerability identification)
  • NIST CSF 2.0 (Identify, Protect, Detect functions)
  • HIPAA Security Rule (164.308 & 164.312 safeguards)
  • GLBA Safeguards Rule (Section 314.4)
  • PCI DSS 4.0 (Req. 11.3 external scans, 6.3 vulnerability ranking, 12.6 awareness)
  • FedRAMP Moderate (RA-5, CM-7, SI-2, SI-4 controls)
  • NYDFS 23 NYCRR Part 500 (500.5, 500.9)
  • CIS Controls v8 IG1 & IG2

✓ Mappings published · SOC 2 Type 2 direct in flight (Jack Moore Group, target 2026-H2 to 2027-Q1) · framework details →

Latin American frameworks

Controller and processor analysis, data-residency mechanics, cross-border transfer framing, and encarregado/DPO designation are documented for the Brazilian and broader LatAm markets. Full control mappings published in the open-source LatAm reference:

  • LGPD (Brazil, Lei nº 13.709/2018), Art. 46 security measures, ANPD audit-ready
  • BACEN Resolução 4.893 (Brazilian financial sector cybersecurity policy)
  • LFPDPPP (Mexico, Ley Federal de Protección de Datos Personales)
  • Ley 25.326 (Argentina personal data protection)

✓ Documented · posture detail → · LatAm mappings (GitHub) →

Global & international frameworks

ASM ships report mappings for the major globally-recognized standards. Formal ISO 27001 certification is evaluated post-SOC 2 Type 2 attestation; GDPR DPO is designated to David McHale.

  • ISO/IEC 27001:2022 (Annex A controls A.5.7, A.8.8, A.8.9, A.8.16)
  • GDPR Article 32 (security of processing; EU/EEA)

✓ Mappings published · ISO 27001 evaluation 2027-Q2 · framework details →

Vendor posture: HailBytes' own compliance milestones in flight

Milestones for HailBytes the company — SOC 2 attestation, third-party pentest, insurance, DPO publication. Ordered North American → Latin American → global, with named vendors and dated targets throughout. These are about HailBytes as a supplier, not about what our products produce. Full roadmap at compliance roadmap →

North American milestones

SOC 2 Type 2 direct (US AICPA)

AICPA Trust Services Criteria, Security category: the primary US Enterprise procurement attestation. Scope covers HailBytes ASM and HailBytes SAT. Documentation prepared in-house. Auditor: Jack Moore Group, engagement in late-stage contracting. Type 1 was omitted per enterprise customer procurement feedback; Type 2 is the required deliverable.

Status: Engagement signature imminent · Target attestation: 2026-H2 to 2027-Q1 (contingent on observation-window completion)

CPA Bridge Letter

A CPA bridge letter from Jack Moore Group, covering the gap between engagement execution and attestation issuance, can be requested for mid-stage rollouts that need contractual evidence before the formal attestation lands. For procurement teams that gate on a SOC 2 deliverable, the bridge letter is the parallel-track document that unblocks signature while the observation window runs.

Status: Available on engagement execution · Channel: [email protected]

Penetration testing

Astra Pentest (CREST-certified, hybrid automated and manual VAPT) is selected for HailBytes ASM and HailBytes SAT as separate targets. Reports map to SOC 2, NIST, PCI DSS, ISO 27001, and GDPR. Booking is targeted for 2026-Q4, with an annual cadence thereafter.

Vendor: Astra Pentest · First report: 2027-Q1

Insurance (US carrier)

Business Owners Policy ($1M GL + property) and Cyber Liability ($250K + Media Liability rider) bound with Hiscox, a US admitted carrier, sized to actual BYOC exposure. Cyber limits upgrade and standalone Tech E&O endorsement available on procurement-floor demand.

Status: Bound effective 2026-05-21 · COI on request: [email protected]

Latin American milestones

LGPD encarregado public page

Encarregado designation (David McHale) is published in this Trust Center. Public-page publication on hailbytes.com/privacy with the contact details required by LGPD Art. 41 §1º is in progress.

Status: In progress · Target: 2026-Q3

Global & international milestones

GDPR DPO public page (EU)

DPO designation (David McHale) is published in this Trust Center. Public-page publication on hailbytes.com/privacy with the contact details required by GDPR Art. 37(7) is in progress, alongside the LGPD publication.

Status: In progress · Target: 2026-Q3

ISO 27001 evaluation

Formal evaluation of ISO/IEC 27001:2022 certification versus SOC 2 continuation is scheduled after SOC 2 Type 2 attestation. For an English-speaking US/EU customer base, SOC 2 is the more frequently requested attestation; ISO 27001 will be revisited once SOC 2 Type 2 lands.

Status: Deferred to post-SOC2-T2 · Decision: 2027-Q2

How customers buy: marketplace as the primary commercial vehicle

AWS Marketplace and Azure Marketplace are the primary procurement vehicles for HailBytes. The hyperscaler is the reseller of record, which simplifies international tax, FX, and invoicing for customers buying from outside the United States.

HailBytes ASM is published on AWS Marketplace and Azure Marketplace today. The HailBytes Support Hub SaaS, which covers premium support tiers and professional-services bundling, is live on Azure Marketplace; the AWS Marketplace listing is in flight.

Private offers carry the procurement contract

Private offers on AWS Marketplace and Azure Marketplace deliver negotiated pricing, multi-year commitments, and customer-specific terms while keeping the hyperscaler's billing pipeline intact. Multi-year discounts work via private offer. Professional services bundle into the ASM private offer, or can be purchased separately via the Support Hub SaaS listing (Azure Marketplace today; AWS Marketplace listing in flight).

International invoicing routes through the hyperscaler

For Brazilian customers, AWS Brasil (Amazon's CNPJ-registered Brazilian entity for AWS services) or Microsoft do Brasil acts as reseller of record. The hyperscaler invoices in BRL and issues the Brazilian Nota Fiscal Eletrônica. ICMS, ISS, PIS/COFINS, import-of-services tax, and FX conversion route through the hyperscaler's established Brasil compliance infrastructure, not through HailBytes. Equivalent local-entity invoicing applies in other countries the hyperscaler supports.

Marketplace spend counts toward existing commitments

Charges on AWS Marketplace and Azure Marketplace count against AWS Marketplace Annual Spend and Azure MACC commitments, so the purchase typically draws down an existing committed-spend line rather than adding a new procurement vehicle. This is why most enterprise procurement teams prefer the marketplace path even when a direct contract is available.

Direct contracts remain available

Where customer procurement prefers a non-marketplace path, direct HailBytes LLC contracts are available under the standard export-of-services arrangement. HailBytes will quote a fixed local-currency-equivalent for the contract term where appropriate, locked at execution with revaluation at renewal. For most international customers the marketplace path produces less friction on tax and FX, which is why we lead with it.

Full procurement guide (by-region invoicing-entity table, private-offer mechanics, direct-contract alternative): how to buy HailBytes →. Brazilian-specific LGPD posture and ANPD cross-border framing: LGPD and GDPR posture →. For private-offer construction or DPA counter-signature: [email protected].

Why BYOC changes the security posture

HailBytes ASM and HailBytes SAT are delivered as customer-deployed VM images on AWS Marketplace and Azure Marketplace. The full product stack, including the web app, scanner workers, datastore, and audit log, runs end-to-end inside your own cloud account. Customer-scanned data, employee target lists, phishing-simulation results, and audit logs never leave your tenant.

Structurally:

  • A HailBytes incident does not produce a multi-tenant data-loss event because there is no multi-tenant data plane, a structural property US Enterprise security architects validate during procurement diligence.
  • Data residency is whichever cloud region you deploy in. US deployments: any US AWS region (us-east-1, us-east-2, us-west-1, us-west-2, etc.) or Azure region (eastus, eastus2, westus2, etc.), including AWS GovCloud (US) and Azure Government for federal workloads. Latin American deployments: sa-east-1 or brazilsouth. EU deployments: any EU/EEA region your account can reach.
  • HailBytes is neither controller nor processor of customer-scanned and campaign data under LGPD or GDPR because HailBytes never receives that data; the parallel CCPA analysis treats HailBytes as a non-collector for the same structural reason.
  • If HailBytes ceased to exist tomorrow, your deployment keeps running. Container images stay pullable; the source is open-source under MIT-style licensing; IaC is reproducible.

Read the full architecture statement: BYOC architecture →

Per-release supply-chain evidence

Every tagged release ships with verifiable supply-chain artifacts. For a customer-deployed product, per-release evidence is the day-to-day proof of what is actually running, not an annual snapshot of HailBytes' office controls.

SBOM (every release)

Software Bill of Materials generated with Anchore Syft. SPDX 2.3 and CycloneDX 1.5 formats for HailBytes ASM; CycloneDX for HailBytes SAT.

SARIF vulnerability scans

Aqua Trivy on container images for both products; govulncheck on Go binaries for HailBytes SAT. SARIF 2.1.0 output, uploaded to the GitHub Security tab.

Cosign keyless signing

HailBytes ASM container images signed via Sigstore keyless flow with GitHub Actions OIDC. No human-held signing key. SAT signing parity scheduled 2026-Q3.

Trust Pack archive

One downloadable ZIP per release aggregating SBOMs, SARIFs, signing references, UAT artifacts, and a browseable index.html + machine-readable MANIFEST.json. Attached to GitHub Releases.

Reproducible builds

Packer 1.11.2 with pinned plugin versions, and Docker Compose with pinned dependency versions (PostgreSQL 16.13, Redis 7.4.8, PgBouncer 1.24.1), so the image can be rebuilt from source if needed. Version pins make the build repeatable, not byte-for-byte identical; when comparing your own build against a released image, compare the SBOM contents and the per-component versions rather than expecting the image digest itself to match.

Verify it yourself

The cosign verify command for each release is included in the Trust Pack index.html. When you run it, keep the identity and issuer pinned (cosign's --certificate-identity or --certificate-identity-regexp for the GitHub Actions workflow, and --certificate-oidc-issuer https://token.actions.githubusercontent.com): cosign 2.x requires them, and older releases would otherwise accept a valid signature from any identity Fulcio has issued a certificate to. Egress-restrict a fresh deployment to confirm the outbound traffic.
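The Trust Pack check a reviewer would run after unzipping a release, written in Go as an added example rather than HailBytes tooling: it recomputes SHA-256 for every artifact listed in MANIFEST.json and reports anything modified, missing, or present in the archive but absent from the manifest. The manifest layout ({release, artifacts: [{path, sha256}]}), the file names and the file contents are assumptions constructed for the example; confirm the real field names against a downloaded MANIFEST.json before relying on it. This covers the archive contents only; the container images themselves still need cosign verify against the registry.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Manifest is the shape ASSUMED here for MANIFEST.json; the real field names
// may differ, so check a downloaded Trust Pack first.
type Manifest struct {
	Release   string     `json:"release"`
	Artifacts []Artifact `json:"artifacts"`
}

// Artifact is one entry: a path inside the ZIP and its expected SHA-256 hex.
type Artifact struct {
	Path   string `json:"path"`
	SHA256 string `json:"sha256"`
}

// Digest returns the lowercase hex SHA-256 of b.
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Report classifies every path seen in the manifest or in the archive.
type Report struct {
	Verified   []string // digest matches
	Mismatched []string // present but digest differs: modified or corrupted
	Missing    []string // listed in the manifest, absent from the archive
	Unlisted   []string // in the archive, absent from the manifest: planted or stale
}

// OK is true only when nothing is mismatched or missing. Unlisted files do not
// fail verification but must be explained before the pack is accepted.
func (r Report) OK() bool { return len(r.Mismatched) == 0 && len(r.Missing) == 0 }

// VerifyManifest checks files (path -> bytes, as read from the extracted ZIP)
// against manifestJSON. Digests compare case-insensitively and a "sha256:"
// prefix is tolerated. MANIFEST.json itself is never reported as unlisted.
func VerifyManifest(manifestJSON []byte, files map[string][]byte) (Report, error) {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return Report{}, fmt.Errorf("parse manifest: %w", err)
	}
	var r Report
	listed := map[string]bool{"MANIFEST.json": true}
	for _, a := range m.Artifacts {
		listed[a.Path] = true
		data, ok := files[a.Path]
		if !ok {
			r.Missing = append(r.Missing, a.Path)
			continue
		}
		want := strings.ToLower(strings.TrimPrefix(a.SHA256, "sha256:"))
		if Digest(data) == want {
			r.Verified = append(r.Verified, a.Path)
		} else {
			r.Mismatched = append(r.Mismatched, a.Path)
		}
	}
	for p := range files {
		if !listed[p] {
			r.Unlisted = append(r.Unlisted, p)
		}
	}
	return r, nil
}

// BuildManifest exists only to construct the sample pack below; a real
// MANIFEST.json comes from the release, never from the verifier.
func BuildManifest(release string, files map[string][]byte) []byte {
	m := Manifest{Release: release}
	for p, b := range files {
		m.Artifacts = append(m.Artifacts, Artifact{Path: p, SHA256: "sha256:" + Digest(b)})
	}
	out, _ := json.Marshal(m)
	return out
}

// SamplePack is a constructed Trust Pack; the contents are stand-ins, not real artifacts.
func SamplePack() map[string][]byte {
	return map[string][]byte{
		"sbom.spdx.json":  []byte(`{"spdxVersion":"SPDX-2.3","name":"hailbytes-asm"}`),
		"trivy.sarif":     []byte(`{"version":"2.1.0","runs":[]}`),
		"cosign-refs.txt": []byte("abc"),
	}
}

func main() {
	files := SamplePack()
	manifest := BuildManifest("v0.0.0-example", files)
	files["trivy.sarif"] = []byte(`{"version":"2.1.0","runs":[{"tool":"edited"}]}`) // tamper
	delete(files, "sbom.spdx.json")                                                  // drop
	files["extra.bin"] = []byte{0x00}                                                // plant
	r, err := VerifyManifest(manifest, files)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ok=%v verified=%v mismatched=%v missing=%v unlisted=%v\n",
		r.OK(), r.Verified, r.Mismatched, r.Missing, r.Unlisted)
}
```

The Unlisted bucket is the one people forget: a manifest that only lists what it expects says nothing about a file that was added to the archive after the manifest was written, so anything in the ZIP that the manifest does not name should be treated as unverified.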

Read the full evidence statement: Per-release security evidence →

Supply chain evidence archive

HailBytes maintains a continuously updated archive of supply-chain security artifacts for every released build of HailBytes ASM and HailBytes SAT, retained under a published retention policy.

The archive includes:

  • Software Bills of Materials in SPDX 2.3 and CycloneDX 1.5 formats for HailBytes ASM, and CycloneDX 1.5 for HailBytes SAT.
  • Vulnerability scan results from Aqua Trivy on container images for both products, and govulncheck on Go binaries for HailBytes SAT, in SARIF 2.1.0.
  • Sigstore / cosign signature bundles for HailBytes ASM container images, signed keylessly under HailBytes' GitHub Actions OIDC identity and recorded in the public Rekor transparency log. HailBytes SAT signing parity is scheduled for 2026-Q3.

Archived artifacts are retained for a minimum of seven years in accordance with the Retention Policy, which aligns with SOC 2 Type II evidence-retention expectations and HailBytes' enterprise contractual commitments.

Requesting archive access

The evidence archive is hosted privately at github.com/hailbytes/compliance-evidence. Access is granted to enterprise customers and active prospects under NDA.

  1. Email [email protected] from a corporate domain matching your organization's primary domain of record. Include:
    • Legal entity name and the procurement contact's title.
    • The HailBytes product(s) under review.
    • The artifact classes required (SBOM, vulnerability scans, signatures).
    • An executed NDA reference, or a request for HailBytes' standard MNDA.
  2. The HailBytes Trust team triages requests within 2 business days.
  3. Approved requesters receive a time-bounded read-only GitHub collaborator invitation (default 30 days, renewable on request) to hailbytes/compliance-evidence.
  4. Buyers unable to consume GitHub directly may instead request a signed tarball of the relevant slice of the archive, delivered through this Trust Center under the same NDA terms.

Signed artifacts in the archive can be cryptographically verified against HailBytes' Sigstore OIDC identity. The Artifact Signing Policy documents the exact cosign invocations.

Vulnerability response

HailBytes' published response and remediation service-level agreements for security issues are defined in the Vulnerability Disclosure SLA. Critical findings affecting a released version are communicated to active support customers within 3 business days of confirmation.

For all other security-related enquiries, contact [email protected] (PGP key fingerprint available on this page).

Subprocessors

Third parties HailBytes engages directly that touch operational data. The majority are US-based providers with US data-residency primaries, supporting the US Enterprise procurement diligence story end-to-end. Customer-elected integrations (Slack, SIEM destinations, threat-intel sources you configure) flow directly from your deployment and are not HailBytes' subprocessors.

  • GitHub, Inc. (Microsoft): source-code hosting, CI/CD, container registry, release distribution. US.
  • Microsoft Azure: Marketplace listing, Packer build VMs, Marketplace settlement metadata. East US 2 primary.
  • Amazon Web Services: Marketplace listing, Packer build VMs, Marketplace settlement metadata. us-east-1 primary.
  • Cloudflare, Inc.: marketing-site CDN/WAF, DNS, and the runtime host for HailBytes' own Support Hub (Workers + Pages + KV/D1). Global edge.
  • Sigstore (Linux Foundation): container-image signing for ASM (Fulcio CA, Rekor log). US public infrastructure.
  • Stripe, Inc.: direct-checkout billing where used outside cloud Marketplaces. US/EU.
  • Anthropic, PBC: internal LLM API use (test grading, documentation). No customer-tenant data. US.
  • Google LLC (Google Workspace): internal email, calendar, marketing email distribution, support-thread email contents. US.
  • Boden McHale (engineering services): contractor engagement under NDA + IP assignment; no default access to customer deployments. US.

Full list with data categories, locations, and contract status: Subprocessor list →

Current gaps

Where HailBytes is not yet — named clearly so reviewers can measure us against it.

HailBytes does not yet hold a SOC 2 attestation. The first third-party penetration test report is targeted for 2027-Q1. The DPO designation is published here before public-page publication on the privacy page. The first enterprise marquee references will, with the customer's permission, be added once contracts close.

Every dated commitment in the compliance roadmap is the position we want to be measured against.

Verify the claims yourself

Don't take our word for any of this — every claim above is independently checkable.

  • Signature verification: run cosign verify against the published ASM container images and check the Sigstore Rekor transparency log entry. The exact invocations live in each release's Trust Pack index.html.
  • BYOC architecture: deploy a fresh HailBytes ASM or SAT image in a sandbox cloud account, egress-restrict it, and run a representative workload. Confirm there is no inbound or outbound HailBytes traffic. Expect registry pulls from GitHub (HailBytes' container registry, listed under subprocessors) at deploy and upgrade time; what should be absent is runtime traffic to any HailBytes-operated endpoint, which you can confirm from the account's flow logs or egress-proxy logs.
  • Internal dogfooding: request a walkthrough of HailBytes' own production deployment of ASM and SAT inside HailBytes' own cloud accounts.
  • Procurement diligence: live diligence calls with David McHale (LGPD encarregado / GDPR DPO) for direct Q&A on any of the artifacts on this page.
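The egress check from the BYOC bullet above, written in Go as an added example rather than HailBytes tooling: it reads AWS VPC Flow Logs in the default version-2 format for the deployment's subnet and reports every flow whose far end is outside both the deployment prefix and an explicit allowlist, including REJECTed flows, since those show what the software tried to reach. The log lines, the 10.20.0.0/16 deployment prefix and the 198.51.100.0/24 "registry" allowlist are constructed for the example; Azure NSG flow logs are a different format and would need their own parser.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Flow is one record in the AWS VPC Flow Logs default (version 2) format:
// version account-id interface-id srcaddr dstaddr srcport dstport protocol
// packets bytes start end action log-status
type Flow struct {
	Src, Dst         netip.Addr
	SrcPort, DstPort int
	Protocol         int
	Action           string // ACCEPT or REJECT
}

// ParseFlow parses one default-format line. Header lines and NODATA/SKIPDATA
// records come back as errors so callers can skip them.
func ParseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 14 || f[0] != "2" {
		return Flow{}, errors.New("not a version-2 default-format record")
	}
	if f[13] != "OK" {
		return Flow{}, fmt.Errorf("log-status %s: no flow data", f[13])
	}
	src, err1 := netip.ParseAddr(f[3])
	dst, err2 := netip.ParseAddr(f[4])
	sp, err3 := strconv.Atoi(f[5])
	dp, err4 := strconv.Atoi(f[6])
	pr, err5 := strconv.Atoi(f[7])
	for _, err := range []error{err1, err2, err3, err4, err5} {
		if err != nil {
			return Flow{}, err
		}
	}
	return Flow{Src: src, Dst: dst, SrcPort: sp, DstPort: dp, Protocol: pr, Action: f[12]}, nil
}

// Finding is a flow crossing the deployment boundary to or from an address
// that is outside the allowlist.
type Finding struct {
	Direction string // "outbound" or "inbound"
	Flow      Flow
}

func inAny(a netip.Addr, prefixes []netip.Prefix) bool {
	for _, p := range prefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// Audit returns every flow that leaves or enters the deployment prefix whose
// far end is not in allowed. Flows that stay inside the deployment are ignored.
func Audit(lines []string, deployment netip.Prefix, allowed []netip.Prefix) []Finding {
	var out []Finding
	for _, line := range lines {
		fl, err := ParseFlow(line)
		if err != nil {
			continue
		}
		srcIn, dstIn := deployment.Contains(fl.Src), deployment.Contains(fl.Dst)
		switch {
		case srcIn && !dstIn && !inAny(fl.Dst, allowed):
			out = append(out, Finding{Direction: "outbound", Flow: fl})
		case dstIn && !srcIn && !inAny(fl.Src, allowed):
			out = append(out, Finding{Direction: "inbound", Flow: fl})
		}
	}
	return out
}

// SampleLog is constructed for this example; addresses are documentation
// ranges, not real HailBytes or customer endpoints.
var SampleLog = []string{
	"version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status",
	"2 123456789012 eni-0a1b2c3d4e5f 10.20.1.15 10.20.1.40 40012 5432 6 10 2048 1700000000 1700000060 ACCEPT OK",    // app -> in-VPC Postgres
	"2 123456789012 eni-0a1b2c3d4e5f 10.20.1.15 198.51.100.10 44100 443 6 20 8192 1700000000 1700000060 ACCEPT OK", // image pull, allowlisted
	"2 123456789012 eni-0a1b2c3d4e5f 10.20.1.15 203.0.113.7 44101 443 6 3 180 1700000000 1700000060 REJECT OK",     // blocked, but attempted
	"2 123456789012 eni-0a1b2c3d4e5f 192.0.2.50 10.20.1.15 51000 443 6 5 400 1700000000 1700000060 ACCEPT OK",      // unexpected inbound
	"2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1700000000 1700000060 - NODATA",
}

func main() {
	deployment := netip.MustParsePrefix("10.20.0.0/16")
	allowed := []netip.Prefix{netip.MustParsePrefix("198.51.100.0/24")} // assumed: your image registry
	for _, f := range Audit(SampleLog, deployment, allowed) {
		fmt.Printf("%-8s %s:%d -> %s:%d proto=%d %s\n", f.Direction,
			f.Flow.Src, f.Flow.SrcPort, f.Flow.Dst, f.Flow.DstPort, f.Flow.Protocol, f.Flow.Action)
	}
}
```

Run it over a flow-log export taken while the representative workload runs. A REJECTed outbound finding means the egress rule did its job but the software still attempted the connection, which is the thing to ask the vendor about; an empty result with an allowlist limited to your own subnets and the registry is what a genuinely BYOC deployment should produce.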

Email [email protected] to schedule a guided walkthrough.

Contact

Security questions

Vulnerability disclosure, security architecture questions, and trust package questions.

[email protected]

Contracts & DPA

Master agreement, DPA, certificate of insurance, named-additional-insured endorsement.

[email protected]

Data protection (LatAm & EU)

LGPD encarregado / GDPR DPO: David McHale. LGPD, GDPR, and data-subject-rights requests. For US privacy-law inquiries (CCPA, state-level), contact [email protected].

[email protected]