Our commitment
HoopAI is built on the principle that your data belongs to you. Our security program exists to protect it — we never sell your data, never share it across customers, and use it only as permitted in our Terms of Service and Privacy Policy. Our security program is driven by compliance and regulatory requirements as well as industry best practices including the OWASP Top 10 and the CIS Critical Security Controls.
Infrastructure security
Cloud-hosted infrastructure
HoopAI production systems are hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP) — both SOC 2 Type 2 and ISO 27001 certified providers with dedicated security staff, strictly managed physical access control, and 24/7 video surveillance.
Regional data hosting
Customers have the option to store their data in US or EU data center regions. Existing customers can migrate between regions using our data migration tools.
Physical security
All data centers feature multi-factor access controls, biometric authentication, security guards, and continuous video monitoring. Physical access is restricted to authorized personnel only.
Redundancy
Production systems are deployed across multiple availability zones for high availability and fault tolerance, with automated failover capabilities.
Data encryption
All data is encrypted both at rest and in transit using industry-standard protocols.

| Layer | Method | Details |
|---|---|---|
| At rest | AES-256 CBC | Physical and virtualized hard drives, database storage, backups |
| In transit | TLS v1.2+ | All API calls, authenticated sessions, inter-service communication |
| Web traffic | SSL/HTTPS | Standard SSL certificates on all HoopAI-hosted content by default |
| Passwords | Hashed + encrypted | User passwords are hashed using industry-standard algorithms and encrypted at rest |
| Key management | AWS KMS / GCP KMS | Encryption keys managed through cloud-native key management services with automatic rotation |
Access controls
Role-based access control (RBAC)
HoopAI enforces fine-grained authorization rules. Customers can create and manage users, assign roles, and configure permissions at the feature and field level. Access follows the principle of least privilege — users receive only the permissions necessary for their role.
Subaccount-based authentication
Each customer account is logically isolated with subaccount-based authentication. Data is partitioned at the account level to prevent cross-account data access.
Encrypted signed tokens
API authentication uses encrypted signed tokens with defined scopes and expiration. Tokens are validated on every request.
Password protection
The platform enforces a uniform password policy requiring a minimum of 8 characters with a combination of uppercase and lowercase letters, numbers, and special characters.
Two-factor authentication (2FA)
All users are encouraged to enable 2FA on their accounts. Two-factor authentication requires verification via a second device (e.g., authenticator app or SMS) at login.
Single sign-on (SSO)
SAML-based SSO integrated with any SAML-based identity provider is available with enterprise-tier subscriptions. Google sign-in is available on all plans.
Network security
Endpoint protection
All endpoints are monitored with enterprise-grade endpoint detection and response (EDR) solutions.
Managed firewalls
Network traffic is filtered through managed firewalls with strict ingress and egress rules.
DDoS protection
Distributed denial-of-service protection is deployed at the network edge to absorb and mitigate volumetric attacks.
Network segmentation
Production, staging, and development environments are logically segmented to limit lateral movement.
Application security
Standardized container images
All production services run on standardized, hardened container images with minimal attack surface. Images are scanned for vulnerabilities before deployment.
Version-controlled configurations
Infrastructure and application configurations are managed through version control with code review requirements, ensuring all changes are auditable and reversible.
Automatic updates
Dependencies and base images are regularly updated to incorporate the latest security patches. Automated pipelines ensure timely deployment of critical updates.
Secure development lifecycle
Our engineering team follows secure coding practices aligned with the OWASP Top 10. Code undergoes peer review and automated security scanning before deployment.
Monitoring and logging
- Google Cloud Ops and AWS CloudWatch provide real-time infrastructure monitoring, alerting, and anomaly detection
- Audit logs capture all user actions, administrative changes, and data access events
- Centralized log management aggregates logs across all services for correlation and forensic analysis
- Alerting is configured for suspicious activity, unauthorized access attempts, and system anomalies
- Third-party MSSP SOC monitoring provides 24/7 security operations center oversight
Incident response
HoopAI maintains a formal incident response plan with defined escalation procedures.

| Phase | Description |
|---|---|
| Detection | Automated monitoring and alerting identify potential security incidents in real time |
| Containment | Immediate containment measures are enacted to limit the scope and impact of an incident |
| Investigation | Root cause analysis is performed to understand the nature and extent of the incident |
| Remediation | Affected systems are restored, vulnerabilities are patched, and preventive measures are implemented |
| Notification | Affected customers are notified within 72 hours of a confirmed data breach, in accordance with applicable law |
| Post-incident review | A post-mortem review is conducted to identify lessons learned and improve response procedures |
Vulnerability management
Third-party vulnerability scans
Regular automated vulnerability scans are performed across all production systems using industry-leading scanning tools.
Annual penetration testing
HoopAI engages independent third-party security firms to conduct annual penetration tests against our production environment. Findings are remediated according to severity.
Patch management
Critical security patches are applied within defined SLAs. A structured patch management process ensures timely remediation without service disruption.
Vulnerability disclosure
You are permitted to penetration test HoopAI products as long as you adhere to our published guidelines and submit findings through our vulnerability disclosure program. Report vulnerabilities to security@hoopai.com.
Business continuity
- Backup frequency: 5-minute granularity for production databases (AWS and Google Cloud)
- Backup storage: Encrypted backups stored across multiple availability zones
- Restore capability: Point-in-time recovery available for all critical data stores
- Disaster recovery: Documented disaster recovery procedures with defined RPO and RTO targets
- Uptime commitment: 99.95% monthly uptime for subscription services (see Product-Specific Terms)
Compliance and certifications
| Certification / Framework | Status |
|---|---|
| SOC 2 Type 2 | Maintained — attesting to availability, confidentiality, and security controls |
| ISO 27001 | Infrastructure providers (AWS, GCP) certified |
| EU-U.S. Data Privacy Framework | Certified |
| UK Extension to EU-U.S. DPF | Certified |
| Swiss-U.S. Data Privacy Framework | Certified |
| HIPAA Seal of Compliance | Achieved through Compliancy Group |
| GDPR | Compliant — see our Data Processing Agreement |
| OWASP Top 10 | Security controls aligned |
| CIS Critical Security Controls | Security program guided by CIS benchmarks |
To request a copy of our SOC 2 Type 2 report, please contact legal@hoopai.com.
Employee security
- All employees and contractors are bound by confidentiality obligations as part of their employment or engagement agreements
- Access to customer data is restricted on a need-to-know basis aligned with job function
- In-house IT security team manages day-to-day security operations
- Third-party Managed Security Service Provider (MSSP) provides 24/7 SOC monitoring
- Security awareness training is conducted regularly for all personnel
- Background checks are performed for employees with access to production systems
Data minimization and quality
- HoopAI collects only the minimum data required to provide requested services
- Many data fields are optional — customers control what information they store
- Two-factor authentication is available to ensure data quality by verifying user identity
- Permanent record deletion capabilities support GDPR right-to-erasure requests
- Data retention policies ensure data is not kept longer than necessary
Your responsibilities
While HoopAI provides a secure platform, security is a shared responsibility. We recommend that customers:
- Enable two-factor authentication on all user accounts
- Use strong, unique passwords and rotate them regularly
- Configure user roles and permissions following the principle of least privilege
- Review audit logs regularly for unusual activity
- Keep integrations and connected third-party applications up to date
- Report suspected security issues promptly
Report a vulnerability
If you discover a security vulnerability in the HoopAI platform, please report it responsibly:
- Email: security@hoopai.com
- Include a detailed description of the vulnerability, steps to reproduce, and any supporting evidence
- We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days
- We do not pursue legal action against security researchers who act in good faith
Contact us
If you have questions about HoopAI’s security practices, please contact us:
- Security issues: security@hoopai.com
- Legal and compliance: legal@hoopai.com
- General inquiries: hoopai.com/contact