Legal · last updated May 2026
Trust & security
Hootleash is pre-launch. This page is a transparent statement of where we are today, where we're going, and how we think about security on the way.
Compliance roadmap
We're not yet certified against the standards below, and it wouldn't be honest to claim otherwise before we've shipped. Here's what we're building toward, with realistic timing:
In progress
Target - pre-GA
Target - pre-GA
Target - pre-GA
Target - post-GA
Customer-deployable when needed
DPA + SCCs from day one
Roadmap item
Engaged with a third-party firm
Encryption & key management
AES-256-GCM at rest; TLS 1.3 in transit. Customer-managed keys via AWS KMS, GCP KMS, and Azure Key Vault are on the roadmap for the first release. Fast key rotation; HSM-backed root keys.
Data residency
Single-tenant and multi-tenant deployments are both planned. Region-pinned data planes are the default for design partners with cross-border data sensitivity.
Tenant isolation
Logical isolation for SaaS; hardware isolation for private VPC and government deployments. Independent control plane and data plane.
Incident response
We're staffing a small, senior security on-call rotation. Until that rotation is in place, design partners receive direct escalation to a founder.
Vulnerability disclosure
We run a coordinated disclosure program at security@hootleash.com. PGP key on request. We do not pursue legal action against good-faith researchers.
Subprocessors
The current subprocessor list is small and available upon request, and is also published in our DPA.