Trust Center

Security & Compliance

OpenHack is built by Titan Security Labs, Inc. Security is foundational to how we build and operate our platform. This page provides an overview of our compliance posture, security practices, and the third-party services we use.

Compliance Frameworks

HIPAA

Compliant

Business Associate Agreements available. OpenHack does not process PHI as a primary function but maintains HIPAA-aligned safeguards for healthcare customers.

GDPR

Compliant

EU data protection rights honored. Standard Contractual Clauses available for international transfers.

SOC 2 Type II

In Progress

Security, Confidentiality, and Availability trust principles. Audit underway with an accredited CPA firm.

ISO 27001

In Progress

Information security management system certification. Audit underway with an accredited certification body.

Security Practices

Encryption at Rest

All data encrypted with AES-256 via AWS KMS. Database, object storage, and ephemeral compute volumes are all encrypted.

Encryption in Transit

TLS 1.2+ enforced on all external connections. API endpoints, inter-service communication, and database connections are encrypted.

No Persistent Code Storage

Source code is downloaded temporarily for analysis and deleted after scan completion. Only findings are retained.

Tenant Isolation

Strict organization-scoped access controls. Row-level data isolation, scoped API tokens, and SSO via WorkOS.

Access Control

MFA required for all infrastructure access. Least-privilege IAM policies. No shared credentials. Quarterly access reviews.

Audit Logging

Comprehensive logging via AWS CloudTrail and CloudWatch. Request-level trace IDs. Logs retained per compliance requirements.

Incident Response

Documented incident response plan with defined procedures for detection, containment, notification, and post-incident review.

Open Source Scanner

The OpenHack scanner CLI is fully open source. Inspect the code, audit the logic, and verify what runs on your codebase.

Subprocessors

OpenHack uses a limited set of third-party subprocessors to deliver our services. We evaluate each provider's security practices and maintain contractual data protection obligations with every subprocessor.

SubprocessorPurposeLocation
Amazon Web Services (AWS)Cloud infrastructure, compute, storage, database, loggingUS (us-west-2)
Fireworks AILLM inference for vulnerability analysisUS
Temporal TechnologiesWorkflow orchestrationUS
WorkOSAuthentication and SSOUS
StripePayment processingUS
PostHogProduct analyticsUS
SentryError monitoringUS
ResendTransactional emailUS
CloudflareDNS, CDN, and edge computeGlobal (edge)
GitHubSource control and webhooksUS

To subscribe to subprocessor change notifications, contact privacy@openhack.com.

Data Handling

Source Code

Customer source code is accessed read-only via authorized GitHub integrations. Code is downloaded temporarily for analysis and deleted after scan completion. OpenHack does not modify, fork, or retain copies of customer repositories.

AI & Model Training

Customer data is never used to train, fine-tune, or improve any AI models. LLM inference is performed via API calls that do not retain input data. OpenHack's AI analysis is stateless — no customer data persists in the inference pipeline.

Data Retention & Deletion

Scan findings are retained for the duration of the customer's subscription. Upon contract termination, all customer data is deleted within 30 days. Customers may request deletion at any time by contacting privacy@openhack.com.

Contact

For security questions, BAA requests, DPA inquiries, or to report a vulnerability: