The checklist
1. Enable two-factor authentication for all users
Two-factor authentication (2FA) is the single most effective step you can take. Require every user on your account to enable it.

- Go to Settings > Security > Two-Factor Authentication
- Toggle Require 2FA for all users
- Users who haven’t set up 2FA will be prompted on their next login
2. Use strong, unique passwords
Every HoopAI user should follow these rules:

| Rule | Why it matters |
|---|---|
| Minimum 12 characters | Short passwords are easily brute-forced |
| Mix of uppercase, lowercase, numbers, symbols | Increases entropy |
| Never reuse passwords across services | A breach on another site won’t compromise HoopAI |
| Use a password manager | Removes the need to memorize complex passwords |
Admins can enforce a minimum password length and complexity policy in Settings > Security > Password Policy.
3. Review user permissions regularly
Over time, users accumulate permissions they no longer need.

- Go to Settings > My Staff and review each user’s role
- Apply the principle of least privilege — give users only the access they need
- Downgrade roles for users who have changed responsibilities
- Audit permissions at least once per quarter
4. Audit login history
Monitor who is accessing your account and from where.

- Go to Settings > Audit Logs to review login events
- Look for logins from unexpected IP addresses or locations
- Investigate repeated failed login attempts, which may indicate a brute-force attack
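The two checks above (logins from unexpected addresses, and bursts of failed logins from one source) can be run over an exported audit log. The script below is an added example, not HoopAI's own tooling: the CSV column names (`timestamp`, `user`, `event`, `source_ip`), the event names and the log lines themselves are constructed for illustration, and the expected ranges are documentation addresses standing in for your office or VPN egress.

```python
# Added example: anomaly checks over an exported audit log.
# Column names, event names and sample rows are constructed assumptions,
# not HoopAI's actual export format.
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an exported audit log (hypothetical column layout).
SAMPLE_AUDIT_CSV = """timestamp,user,event,source_ip
2024-05-01T08:02:11Z,alice@example.com,login_success,203.0.113.10
2024-05-01T08:05:40Z,bob@example.com,login_success,203.0.113.22
2024-05-01T09:17:03Z,alice@example.com,login_success,198.51.100.77
2024-05-01T10:00:01Z,carol@example.com,login_failed,192.0.2.5
2024-05-01T10:00:09Z,carol@example.com,login_failed,192.0.2.5
2024-05-01T10:00:15Z,carol@example.com,login_failed,192.0.2.5
2024-05-01T10:00:22Z,carol@example.com,login_failed,192.0.2.5
2024-05-01T10:00:30Z,carol@example.com,login_failed,192.0.2.5
2024-05-01T10:00:41Z,carol@example.com,login_failed,192.0.2.5
2024-05-01T14:30:00Z,dave@example.com,login_failed,203.0.113.10
"""

# Networks you expect logins from (office, VPN); constructed values.
EXPECTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_audit_csv(text):
    """Parse exported CSV rows into dicts with typed timestamp and IP fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["source_ip"] = ipaddress.ip_address(row["source_ip"])
        rows.append(row)
    return rows


def unexpected_logins(rows, expected=EXPECTED_RANGES):
    """Successful logins whose source IP is outside every expected range."""
    return [
        (r["user"], str(r["source_ip"]))
        for r in rows
        if r["event"] == "login_success"
        and not any(r["source_ip"] in net for net in expected)
    ]


def brute_force_candidates(rows, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` failed logins inside any sliding window.

    Returns {ip: densest failure count seen}. A single failed login is noise;
    a dense cluster from one address is what deserves a look.
    """
    failures = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["timestamp"]):
        if r["event"] == "login_failed":
            failures[r["source_ip"]].append(r["timestamp"])

    flagged = {}
    for ip, times in failures.items():
        start, best = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[str(ip)] = best
    return flagged


if __name__ == "__main__":
    rows = parse_audit_csv(SAMPLE_AUDIT_CSV)
    print("Logins from outside expected ranges:", unexpected_logins(rows))
    print("Possible brute-force sources:", brute_force_candidates(rows))
```

Run it against a real export by replacing `SAMPLE_AUDIT_CSV` with the file contents and `EXPECTED_RANGES` with your own networks; tune `threshold` and `window` to your team's normal failure rate so the check stays actionable.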
5. Remove inactive users
Dormant accounts are a security risk — they can be compromised without anyone noticing.

- Review users who haven’t logged in for 90+ days
- Deactivate or delete accounts that are no longer needed
- Document a process for offboarding departing team members promptly
6. Review API keys and revoke unused ones
API keys provide programmatic access to your entire account.

- Go to Settings > API Keys
- Review each key’s last-used date
- Revoke any key that is no longer in active use
- Never share API keys in emails, chat messages, or public repositories
- Rotate keys periodically (every 90 days is a good baseline)
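Items 5 and 6 are the same review applied to two kinds of principal: a user who has not logged in for 90+ days, and an API key that is either unused or older than the rotation baseline. The script below is an added example, not part of HoopAI's product or documentation; the user and key records, their field names, and the fixed review date are all constructed so the output is reproducible.

```python
# Added example: a stale-principal review covering inactive users (item 5)
# and API keys that should be revoked or rotated (item 6).
# Records and field names are constructed assumptions, not HoopAI's export format.
from datetime import date

TODAY = date(2024, 6, 1)  # fixed review date so results are reproducible

USERS = [
    {"email": "alice@example.com", "last_login": date(2024, 5, 28)},
    {"email": "bob@example.com",   "last_login": date(2024, 1, 15)},
    {"email": "carol@example.com", "last_login": None},  # never logged in
]

API_KEYS = [
    {"id": "key_ci_deploy",  "created": date(2024, 5, 1),  "last_used": date(2024, 5, 31)},
    {"id": "key_old_script", "created": date(2023, 11, 1), "last_used": date(2024, 5, 30)},
    {"id": "key_unused",     "created": date(2024, 2, 1),  "last_used": None},
]


def days_since(d, today=TODAY):
    """Days elapsed since `d`; None means the event never happened."""
    return None if d is None else (today - d).days


def inactive_users(users, max_idle_days=90, today=TODAY):
    """Users with no login in the last `max_idle_days` (never-logged-in counts)."""
    out = []
    for u in users:
        idle = days_since(u["last_login"], today)
        if idle is None or idle >= max_idle_days:
            out.append(u["email"])
    return out


def keys_needing_action(keys, max_idle_days=90, rotate_after_days=90, today=TODAY):
    """Map key id -> reasons: 'unused' (revoke) and/or 'rotate' (older than baseline)."""
    out = {}
    for k in keys:
        reasons = []
        idle = days_since(k["last_used"], today)
        if idle is None or idle >= max_idle_days:
            reasons.append("unused")   # no activity in the review window: revoke
        if days_since(k["created"], today) >= rotate_after_days:
            reasons.append("rotate")   # still in use but past the rotation baseline
        if reasons:
            out[k["id"]] = reasons
    return out


if __name__ == "__main__":
    print("Inactive users:", inactive_users(USERS))
    print("API keys needing action:", keys_needing_action(API_KEYS))
```

A key flagged only as `rotate` is in active use and needs a replacement issued before the old one is revoked; a key flagged `unused` can be revoked outright.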
7. Review connected integrations
Third-party integrations may have broad access to your data.

- Go to Settings > Integrations
- Review each connected app and its permission scope
- Disconnect integrations you no longer use
- Verify that each integration is from a trusted vendor
8. Enable SSO for enterprise accounts
If you are on an Enterprise plan, SSO centralizes authentication and lets you enforce your organization’s security policies.

- Configure SAML-based SSO with your identity provider
- Enforce SSO so users cannot bypass it with password login
- See SSO and SAML configuration for setup instructions
9. Configure trusted IP ranges
If your team only works from known locations or VPNs, restrict access to those IPs.

- Go to Settings > Security > IP Restrictions (Enterprise plan)
- Add your office, VPN, or data center IP ranges
- Users outside these ranges will be blocked from logging in
IP restrictions apply to browser and API access. Make sure to include IPs for any third-party services that call the HoopAI API.
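Because the restriction applies to API access as well, the failure mode to guard against is locking out a source you depend on, such as an integration that calls the API from its own address. The pre-flight check below is an added example, not a HoopAI feature: it validates a proposed allowlist and confirms that every address you know must keep working is covered. The ranges and the named sources are constructed values.

```python
# Added example: sanity-check a proposed trusted-IP allowlist before enabling
# IP Restrictions. Ranges and addresses are constructed, not real infrastructure.
import ipaddress

PROPOSED_RANGES = ["203.0.113.0/24", "198.51.100.8/29"]

# Sources that must keep working: offices, VPN egress, and any third-party
# service that calls the HoopAI API on your behalf (names are constructed).
MUST_ALLOW = {
    "office-hq": "203.0.113.45",
    "vpn-egress": "198.51.100.9",
    "crm-sync-service": "192.0.2.200",  # third-party integration, not yet covered
}


def invalid_entries(ranges):
    """Entries that are not valid CIDR blocks (host bits set, typos, bad masks)."""
    bad = []
    for r in ranges:
        try:
            ipaddress.ip_network(r, strict=True)
        except ValueError:
            bad.append(r)
    return bad


def parse_ranges(ranges):
    """Parse valid CIDR strings; call invalid_entries() first to report bad ones."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def overly_broad(ranges, min_prefix=16):
    """Ranges wider than /min_prefix admit far more than an office or VPN."""
    return [str(n) for n in parse_ranges(ranges) if n.prefixlen < min_prefix]


def lockout_risks(ranges, must_allow):
    """Named sources that would be blocked under the proposed ranges."""
    nets = parse_ranges(ranges)
    return sorted(
        name for name, ip in must_allow.items()
        if not any(ipaddress.ip_address(ip) in n for n in nets)
    )


def covering_range(ranges, ip):
    """The first proposed range that contains `ip`, or None if blocked."""
    addr = ipaddress.ip_address(ip)
    for n in parse_ranges(ranges):
        if addr in n:
            return str(n)
    return None


if __name__ == "__main__":
    print("Invalid entries:", invalid_entries(PROPOSED_RANGES))
    print("Overly broad:", overly_broad(PROPOSED_RANGES))
    print("Would be locked out:", lockout_risks(PROPOSED_RANGES, MUST_ALLOW))
```

Only enable the restriction once `lockout_risks` returns an empty list; in the constructed data the integration's address is the one that would be cut off, which is exactly the case the note above warns about.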
10. Set session timeout
Reduce the risk of unattended sessions by configuring automatic logout.

- Go to Settings > Security > Session Settings
- Set the idle timeout (recommended: 30 minutes for sensitive accounts, 8 hours for general use)
- Users will be logged out after the configured period of inactivity
11. Report a security incident
If you suspect unauthorized access or a data breach:

12. Security certifications and compliance
HoopAI maintains industry-standard security certifications and compliance frameworks.

| Certification | Status |
|---|---|
| SOC 2 Type II | Certified |
| GDPR | Compliant |
| CCPA | Compliant |
| HIPAA | Available on Enterprise (BAA required) |
| Data encryption at rest | AES-256 |
| Data encryption in transit | TLS 1.2+ |
Quick-reference checklist
Use this summary to track your progress:

| # | Action | Priority | Status |
|---|---|---|---|
| 1 | Enable 2FA for all users | Critical | ☐ |
| 2 | Enforce strong passwords | Critical | ☐ |
| 3 | Review user permissions | High | ☐ |
| 4 | Audit login history | High | ☐ |
| 5 | Remove inactive users | High | ☐ |
| 6 | Review and rotate API keys | High | ☐ |
| 7 | Review connected integrations | Medium | ☐ |
| 8 | Enable SSO (Enterprise) | Medium | ☐ |
| 9 | Configure trusted IP ranges | Medium | ☐ |
| 10 | Set session timeout | Medium | ☐ |
| 11 | Know your incident response plan | Medium | ☐ |
| 12 | Verify compliance needs | Low | ☐ |
FAQ
How often should I review this checklist?
Perform a full review quarterly. Items 1-2 (2FA and passwords) should be enforced continuously via policy settings. Items 3-6 deserve monthly attention if your team changes frequently.
Can I export audit logs?
Yes. Go to Settings > Audit Logs, set your date range, and click Export CSV. Logs are retained for 12 months on Professional plans and 24 months on Enterprise.
Does HoopAI support hardware security keys (FIDO2/WebAuthn)?
Hardware security key support depends on your plan and configuration. Check Settings > Security > Two-Factor Authentication to see available 2FA methods for your account.
What data does HoopAI encrypt?
All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Database backups are also encrypted. File attachments in media storage are encrypted at rest on the storage layer.
How do I get a BAA for HIPAA compliance?
Contact your account manager or email compliance@hoopai.com to request a Business Associate Agreement. A BAA is available on Enterprise plans only.