New: Hoopoe Studio brings every channel into one calm workflow.See what’s new

Security & Trust Centre

Built for review boards.

Security is a product requirement in Hoopoe, not a final deployment task. Review how we approach isolation, encryption, auditability, AI governance, and recovery.

Encryption

  • TLS 1.2+ in transit
  • Managed database encryption at rest
  • Encrypted backups and object storage

Identity controls

  • Email and Google sign-in
  • Session management
  • MFA, SSO, and SCIM on roadmap

Tenant isolation

  • Workspace-scoped resources
  • Deny-by-default authorization
  • Server-side permission checks

Responsible AI

  • Human approval before publish
  • Workspace-scoped prompts
  • Prompt and output audit trail

Current Controls

  • Email/password auth
  • Google OAuth
  • Supabase managed encryption
  • Workspace-scoped data model

Roadmap Controls

  • TOTP MFA
  • SAML SSO
  • SCIM provisioning
  • Device and session review

Data processing

Your data is yours.

Hoopoe collects only what is needed, scopes prompts and outputs to a workspace, and does not use customer content to train external models without explicit opt-in. Retention is configurable for enterprise workspaces.

We distinguish aligned controls from certifications. Hoopoe does not claim SOC 2 or ISO certification until audits are complete.

Current subprocessors

ProviderPurposeData
SupabaseDatabase, auth, storageCustomer data
OpenAIAI generationContent prompts and outputs
StripePayment processingBilling data
Hosting platformApplication hostingApplication data

Retention and data rights

Active subscription data is retained while the workspace is active. Export, correction, deletion, and objection workflows follow GDPR-aligned handling.

Incident response

Detection, triage, containment, communication, eradication, recovery, and lessons learned are tracked through a formal process.

Business continuity

Automated backups, restoration tests, recovery objectives, and disaster recovery exercises are part of the operating model.

Responsible AI controls

Human approval before publishing
Source grounding in approved knowledge
Restricted language enforcement
AI-generated content disclosure
Sensitive-topic escalation
Model and prompt logging

Compliance roadmap

FrameworkStatusTarget
GDPRAlignedCurrent
CCPAAlignedCurrent
SOC 2 Type IIPlannedQ4 2026
ISO 27001Planned2027
HIPAANot planned-

Need a security review packet?

Request architecture notes, subprocessor details, controls, recovery targets, and the current compliance roadmap.

Contact security