Trust Center
Security & Compliance
OpenHack is built by Titan Security Labs, Inc. Security is foundational to how we build and operate our platform. This page provides an overview of our compliance posture, security practices, and the third-party services we use.
Compliance Frameworks
HIPAA
CompliantBusiness Associate Agreements available. OpenHack does not process PHI as a primary function but maintains HIPAA-aligned safeguards for healthcare customers.
GDPR
CompliantEU data protection rights honored. Standard Contractual Clauses available for international transfers.
SOC 2 Type II
In ProgressSecurity, Confidentiality, and Availability trust principles. Audit underway with an accredited CPA firm.
ISO 27001
In ProgressInformation security management system certification. Audit underway with an accredited certification body.
Security Practices
Encryption at Rest
All data encrypted with AES-256 via AWS KMS. Database, object storage, and ephemeral compute volumes are all encrypted.
Encryption in Transit
TLS 1.2+ enforced on all external connections. API endpoints, inter-service communication, and database connections are encrypted.
No Persistent Code Storage
Source code is downloaded temporarily for analysis and deleted after scan completion. Only findings are retained.
Tenant Isolation
Strict organization-scoped access controls. Row-level data isolation, scoped API tokens, and SSO via WorkOS.
Access Control
MFA required for all infrastructure access. Least-privilege IAM policies. No shared credentials. Quarterly access reviews.
Audit Logging
Comprehensive logging via AWS CloudTrail and CloudWatch. Request-level trace IDs. Logs retained per compliance requirements.
Incident Response
Documented incident response plan with defined procedures for detection, containment, notification, and post-incident review.
Open Source Scanner
The OpenHack scanner CLI is fully open source. Inspect the code, audit the logic, and verify what runs on your codebase.
Subprocessors
OpenHack uses a limited set of third-party subprocessors to deliver our services. We evaluate each provider's security practices and maintain contractual data protection obligations with every subprocessor.
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, database, logging | Source code (temporary), scan findings, application data, user account data | US (us-west-2) |
| Fireworks AI | LLM inference for vulnerability analysis | Source code snippets (temporary, for analysis only) | US |
| Temporal Technologies | Workflow orchestration | Workflow metadata (task IDs, status, timestamps) | US |
| WorkOS | Authentication and SSO | User email addresses, organization info, session tokens | US |
| Stripe | Payment processing | Billing information (name, email, payment method) | US |
| PostHog | Product analytics | Anonymized usage events (feature usage, page views) | US |
| Sentry | Error monitoring | Error metadata, stack traces, request context | US |
| Resend | Transactional email | Email addresses, notification content | US |
| Cloudflare | DNS, CDN, and edge compute | Request routing metadata, static assets | Global (edge) |
| GitHub | Source control and webhooks | Source code (customer-authorized), webhook event metadata | US |
To subscribe to subprocessor change notifications, contact privacy@openhack.com.
Data Handling
Source Code
Customer source code is accessed read-only via authorized GitHub integrations. Code is downloaded temporarily for analysis and deleted after scan completion. OpenHack does not modify, fork, or retain copies of customer repositories.
AI & Model Training
Customer data is never used to train, fine-tune, or improve any AI models. LLM inference is performed via API calls that do not retain input data. OpenHack's AI analysis is stateless — no customer data persists in the inference pipeline.
Data Retention & Deletion
Scan findings are retained for the duration of the customer's subscription. Upon contract termination, all customer data is deleted within 30 days. Customers may request deletion at any time by contacting privacy@openhack.com.
Contact
For security questions, BAA requests, DPA inquiries, or to report a vulnerability:
Security: security@openhack.com
Privacy: privacy@openhack.com