SECURITY OF HIRO

We secure you.
Here's how we secure ourselves.

A security vendor should answer the security questions you'd ask any vendor. This page is that answer — our own compliance posture, data handling, subprocessors, and incident response, published in the same detail we'd expect from anyone we evaluate.

Our compliance posture

Hiro is SOC 2 Type II in progress (targeted for Q2 2026 completion). We hold ourselves to the same bar we help customers reach. Our evidence is collected continuously by Hiro itself, audited by a Big-4-pedigreed CPA firm, and available under NDA on request. ISO 27001 is on the roadmap for late 2026.

Data we see, data we store

Hiro operates on read-only credentials by default. For the connected integrations we support (AWS, GitHub, Okta, Google Workspace, CrowdStrike, etc.), we read configuration, metadata, audit logs, and the minimum state needed to run a given task. We do not ingest or store customer user records, PII, customer secrets, or production data payloads. Draft artifacts (questionnaire answers, evidence packets) are retained only as long as the task requires plus a short audit window.

Where your data lives

All customer data is stored in AWS us-east-1 in dedicated accounts per environment. Encryption at rest uses AWS KMS with customer-scoped keys. Encryption in transit uses TLS 1.2+. Database-level row security isolates each customer organization; there are no shared tenant boundaries.

Who can access your data

Access to customer environments is scoped, logged, and gated by a break-glass approval flow. On-call Hiro security engineers can review risky-change proposals; access is time-boxed and tied to a specific task. No Hiro employee has standing production access.

How Hiro secures itself

Every commit to Hiro’s own codebase is reviewed by Hiro (we run the same MCP on ourselves). Dependencies are scanned against OSV on every merge. Infrastructure is monitored by Datadog and AWS GuardDuty. All Hiro employees use FIDO2 hardware keys with Okta-enforced MFA on every system. Laptops are managed by a mobile device management solution with full-disk encryption.

Subprocessors

AWS (hosting, KMS, storage), Anthropic (LLM inference for agents), OpenAI (LLM inference, fallback), Stripe (billing), Postmark (transactional email), Datadog (observability), GitHub (source control), Linear (internal project management). Full list with DPAs available on request.

Incident response

Hiro maintains a documented incident response plan with a 1-hour initial acknowledgment target and 24-hour customer notification SLA for any security incident that could affect customer data. Our status page at status.hiro.is publishes real-time availability. Security disclosures go to security@hiro.is and are acknowledged within 24 hours.

Responsible disclosure

Found a security issue in Hiro? Email security@hiro.is. We acknowledge within 24 hours, triage within 3 business days, and coordinate disclosure. We do not pursue legal action for good-faith research.

Want our SOC 2 report?

We send it under NDA to any prospect or customer. Ping us for a copy.