Disclaimer:

Hashmon provides risk intelligence for informational purposes only. It does not constitute legal, financial, or security advice. Always validate critical decisions independently and follow applicable laws and contracts.

Security & Trust

Security at Hashmon

Our platform is built with defense-in-depth across people, process, and technology.

Defense in Depth

Best practice

Multiple layers of controls from code to cloud.

  • RBAC everywhere
  • Scoped service accounts
  • WAF & rate limiting

Encryption

By default

TLS 1.2+ in transit, AES-256 at rest.

  • HSTS enforced
  • Forward-secrecy (PFS) cipher suites
  • Encrypted backups

Secrets & Keys

KMS

KMS-backed storage and rotation policies.

  • No secrets in git
  • Per-env isolation
  • Short-lived tokens

Webhooks

HMAC

HMAC-SHA256 signatures & replay protection.

  • Header signature
  • 5-min window
  • Optional IP allowlist

Payments Scope

PCI SAQ A

Hosted fields keep us in PCI SAQ A.

  • No PAN on our servers
  • Provider receipts
  • Tokenized flows

Monitoring

24×7

Centralized logs, metrics, alerts & on-call.

  • Anomaly detection
  • Error budgets
  • Runbooks & drills

TL;DR: Encryption in transit & at rest, strict RBAC, signed webhooks, hosted payments (PCI SAQ A), and 24×7 monitoring with documented incident response.

Principles

  • Least privilege: Access is role-based and time-bounded.
  • Encrypted by default: Data is protected in transit and at rest.
  • Zero trust mindset: Every request is authenticated and authorized.
  • Defense in depth: Multiple layers of controls and monitoring.

Data Protection

  • In transit: TLS 1.2+ with modern ciphers for public endpoints; HSTS enabled.
  • At rest: Provider-managed disk encryption (AES-256) for databases, volumes, and object storage.
  • Secrets: Managed via encrypted secrets store; never checked into source control.
  • Backups: Automated daily snapshots with PITR where supported; periodic restore tests.
  • Data segregation: Production and non-production data are physically/logically separated.

Application Security

  • Secure SDLC: PR reviews, required approvals, and CI checks (lint, type-check, tests).
  • Dependency hygiene: Vulnerability alerts & lockfile pinning.
  • Static analysis: SAST on critical services; secrets scanning in CI.
  • Runtime protections: WAF/rate limiting on public APIs; abuse detection & throttling.
  • Isolation: Least-privileged service accounts; minimal egress; scoped API keys.

Authentication & Authorization

  • MFA/SSO: Admin and engineering accounts require MFA; SSO available for enterprise plans.
  • RBAC: Granular roles control access to projects, checks, webhooks, and billing.
  • Session security: HttpOnly, SameSite, Secure cookies; short-lived tokens with rotation.
  • Audit trails: Key administrative actions and webhook changes are logged.

Infrastructure & Network

  • Cloud hardening: Private networks for internal services; security groups restrict east-west traffic.
  • Secrets/keys: KMS-backed encryption; key rotation policies for critical credentials.
  • Observability: Centralized logs, metrics, and alerts with on-call for high-severity incidents.

Payments & PCI Scope

We use hosted payment pages/tokens via our partners so card data never touches our servers. This keeps us in PCI DSS SAQ A scope. Receipts and card details are handled by the provider.

Webhooks Security

  • HMAC signatures: All webhook events are signed with an HMAC-SHA256 secret per environment.
  • Replay protection: Every event carries a timestamp that receivers should verify together with the signature; events older than the short (5-minute) acceptance window should be rejected, and receivers should deduplicate within the window.
  • IP allow-listing: Enterprise customers can request source IP ranges for filtering.
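The receiving side of the scheme above, as an added example that is not Hashmon's own code or SDK: it verifies the HMAC-SHA256 signature in constant time, enforces the 5-minute acceptance window, and deduplicates signatures seen within that window so an event cannot be replayed before the window closes. The header names, the signing format ("<timestamp>.<raw body>", hex digest) and the sample event are assumptions; only the algorithm and the window length come from the page.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Assumed header names and signing format; the page does not document them.
SIGNATURE_HEADER = "X-Hashmon-Signature"
TIMESTAMP_HEADER = "X-Hashmon-Timestamp"
ACCEPTANCE_WINDOW_SECONDS = 300  # the 5-minute window stated on the page


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<raw body>" (assumed format).

    Signing the timestamp together with the body is what makes the window
    check meaningful: an attacker cannot refresh the timestamp on a captured
    event without invalidating the signature.
    """
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Verifies signature, freshness and uniqueness of incoming events."""

    def __init__(self, secret: bytes, window: int = ACCEPTANCE_WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        # signature -> timestamp for events accepted inside the window.
        # Bounded by pruning, since only in-window entries matter for replay.
        self._seen: Dict[str, int] = {}

    def _prune(self, now: int) -> None:
        cutoff = now - self.window
        for sig in [s for s, ts in self._seen.items() if ts < cutoff]:
            del self._seen[sig]

    def verify(self, headers: Dict[str, str], body: bytes,
               now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        sig = headers.get(SIGNATURE_HEADER)
        ts_raw = headers.get(TIMESTAMP_HEADER)
        if sig is None or ts_raw is None:
            return False, "missing signature or timestamp header"
        try:
            ts = int(ts_raw)
        except ValueError:
            return False, "malformed timestamp"
        # Always recompute over the raw bytes, never over a re-serialized body.
        expected = sign(self.secret, ts, body)
        # compare_digest avoids leaking where the first mismatching byte is.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        # Reject stale events and events from the future (clock skew bound).
        if abs(now - ts) > self.window:
            return False, "timestamp outside acceptance window"
        self._prune(now)
        if sig in self._seen:
            return False, "replayed event"
        self._seen[sig] = ts
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a per-environment secret and one event payload.
    secret = b"whsec_example_secret"
    body = b'{"event":"check.completed","check_id":"chk_123"}'
    ts = 1_700_000_000
    headers = {SIGNATURE_HEADER: sign(secret, ts, body), TIMESTAMP_HEADER: str(ts)}
    v = WebhookVerifier(secret)
    print(v.verify(headers, body, now=ts + 10))       # first delivery accepted
    print(v.verify(headers, body, now=ts + 20))       # same event again: replay
    print(v.verify(headers, body + b" ", now=ts + 10))  # tampered body
    print(WebhookVerifier(secret).verify(headers, body, now=ts + 301))  # stale
```

Compare against the raw request bytes exactly as received; any framework that parses and re-encodes JSON before you can read it will change whitespace or key order and break verification.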

Vulnerability Management

  • Patching: Regular dependency and base-image updates; emergency patch SLAs for critical CVEs.
  • Testing: Targeted penetration testing and threat modeling for new surfaces.
  • Disclosure program: Responsible disclosure welcomed at security@hashmon.com. (Include repro steps and impact; don’t test against real user data.)

Compliance & Privacy

  • Data minimization: We collect only what’s required for the check.
  • Retention: Purpose-based retention; deletion on request where applicable.
  • Subprocessors: We maintain a list of infrastructure/analytics vendors and DPAs where applicable. Contact privacy@hashmon.com for details.

Incident Response

  • Runbooks: Documented severity levels, ownership, and escalation paths.
  • Detection: Alerting on anomalous auth patterns, error bursts, and privileged actions.
  • Communication: We notify impacted customers without undue delay and provide updates until resolution.

Status & Uptime

We operate with availability SLOs appropriate for production usage. A public status page and historical uptime will be available at status.hashmon.com (coming soon).

Contact

Security: security@hashmon.com
Privacy: privacy@hashmon.com