Terms of Service Privacy Policy Cookie Policy Acceptable Use
Security Policy Data Processing Agreement Subprocessors

Security Policy

Effective Date: April 5, 2026 Last Updated: May 24, 2026 Version: 2.1

1. Overview

hiroi is committed to maintaining the security, availability, and confidentiality of the hiroi omni-channel AI agent platform and the data it processes. This includes account data, contact records, call recordings, transcripts, SMS content, email campaigns, and third-party integration data.

Our security controls are designed to align with SOC 2 Trust Service Criteria.

2. Infrastructure Security

2.1 Hosting

  • Containerized deployment using Docker on Azure Container Apps for isolation and reproducibility
  • Application runs behind Cloudflare CDN with TLS termination and DDoS protection
  • Network segmentation between application, database (Azure SQL Database), telephony (Azure Communication Services), and cache layers
  • Infrastructure hosted in Azure US East 2 region

2.2 Network Security

  • All external traffic encrypted with TLS 1.2 or higher (TLS 1.3 preferred)
  • Content Security Policy (CSP) headers enforced
  • HTTP Strict Transport Security (HSTS) enabled
  • Firewall rules restricting unnecessary inbound/outbound traffic
  • Cloudflare Web Application Firewall (WAF) for application-layer attack prevention

2.3 Database Security

  • Azure SQL Database with authentication required for all connections
  • Database accessible only from the application network
  • Automated encrypted backups with point-in-time recovery
  • Connection string secrets stored in Azure Container Apps environment secrets, never in code

2.4 Telephony Security

  • Azure Communication Services (ACS) used for all voice calls, SMS, and email delivery
  • Inbound call webhooks validated with HMAC signature verification
  • Phone numbers provisioned and managed through ACS; not directly accessible to end users
  • Call recordings stored encrypted; access restricted by organization membership

2.5 Content Safety

  • Azure AI Content Safety runs per-message analysis on all widget chat interactions before AI processing
  • Text is evaluated for hate, sexual content, self-harm, and violence severity
  • Jailbreak and prompt-injection detection via shield analysis
  • Content flagged above severity thresholds is blocked before reaching the AI model
  • Fail-open design: content safety outages do not block chat but are logged for review

2.6 Outbound Actions Security

  • All outbound HTTP integrations (event webhooks, AI-triggered actions, form submissions) are signed using HMAC-SHA256 (Stripe signing pattern, X-Hiroi-Signature: t=<ts>,v1=<hex>)
  • SSRF protection: outbound action URLs are validated against a safelist to prevent server-side request forgery
  • All delivery attempts are logged for audit

3. Application Security

3.1 Authentication

  • OAuth 2.0: Secure third-party authentication via Google, Apple, and Microsoft
  • Magic Links: Time-limited, single-use email authentication tokens
  • Sessions managed server-side with secure cookie attributes (HttpOnly, Secure, SameSite)

3.2 Authorization

  • Role-based access control (user, admin, organization member)
  • Resource-level authorization checks (IDOR prevention via JOIN queries requiring org membership)
  • API key scoping (widget-specific, non-transferable)
  • Organization-level data isolation: users can only access data belonging to their organization

3.3 Input Validation

  • Server-side validation on all inputs
  • Parameterized database queries (SQL injection prevention)
  • Content Security Policy headers (XSS prevention)
  • CSRF protection on all state-changing operations
  • Webhook payload signature verification before processing

3.4 Rate Limiting

  • Redis-backed rate limiting on all API endpoints
  • Per-user and per-IP rate limits
  • Graduated limits for authentication endpoints
  • Widget chat and calling endpoints rate-limited per visitor/caller
  • Campaign dispatch rate limits to prevent carrier abuse

4. Data Security

4.1 Encryption

  • In Transit: TLS 1.2+ (TLS 1.3 preferred) for all communications
  • At Rest: AES-256 encryption for database storage (provided by Azure SQL Transparent Data Encryption)
  • Call Recordings: Encrypted at rest in Azure Blob Storage with managed keys
  • Secrets: API keys hashed with SHA-256 before storage; OAuth tokens encrypted with Fernet (AES-128-CBC)
  • Backups: Database backups encrypted at rest using Azure-managed encryption keys

4.2 Access Controls

  • Principle of least privilege for all system components
  • No shared accounts or credentials
  • API keys generated with sufficient entropy
  • Server secrets never exposed to client-side code
  • Call recordings accessible only to users with membership in the relevant organization

4.3 Data Classification

Classification Examples Handling
Confidential API keys, server secrets, OAuth tokens, ACS connection strings Encrypted/hashed, never logged
Private Email addresses, phone numbers, call recordings, SMS content, conversation transcripts Access-controlled, retention limits enforced
Internal AI agent configurations, campaign settings, analytics (aggregate) Standard org-level access controls
Public Documentation, widget embed code, legal policies No restrictions

5. Widget Security

5.1 Authentication Modes

  • Domain Safelist: Origin header validation with exact domain matching
  • Session Signed: HMAC-SHA256 signed tokens with configurable TTL
  • Neither mode exposes API keys or secrets in the browser

5.2 Client-Side Security

  • No secrets embedded in widget JavaScript
  • Origin validation prevents cross-site misuse
  • Signed tokens are site-specific and expire

6. Telephony and Messaging Security

6.1 Call Webhook Validation

All inbound call events from Azure Communication Services are validated using event grid signature verification before processing.

6.2 SMS Security

  • A2P 10DLC registration is required for US SMS traffic; hiroi enforces registration requirements
  • SMS content is not logged in plaintext in application logs
  • Opt-out keywords (STOP, UNSUBSCRIBE) are processed automatically and irreversibly

6.3 Phone Number Security

  • Provisioned phone numbers are organization-scoped; numbers cannot be transferred between organizations without explicit action
  • Number release requires account confirmation

7. Third-Party Integration Security

  • OAuth tokens for connected accounts (Google, Apple, Microsoft) are stored encrypted and scoped to the minimum required permissions
  • Token refresh is handled server-side; access tokens are never sent to the client browser
  • Revoking hiroi's access via your account provider's settings immediately terminates the integration
  • Enterprise deployments use a single Azure AD app registration with admin-consented permissions, eliminating per-user prompts

8. Operational Security

8.1 Monitoring and Logging

  • Comprehensive activity logging for all user and AI agent actions
  • Security event logging (authentication, authorization failures, unusual activity)
  • Campaign and telephony logs for compliance audit purposes
  • Audit trail preserved even after account deletion (in anonymized form for 2 years)

8.2 Incident Response

We maintain an incident response process that includes:

  1. Detection: Automated monitoring and alerting for security anomalies
  2. Containment: Immediate isolation of affected systems or accounts
  3. Investigation: Root cause analysis and impact assessment
  4. Notification: Affected users notified within 72 hours of confirmed breach
  5. Remediation: Fix deployment and countermeasures
  6. Review: Post-incident review and process improvement

8.3 Vulnerability Management

  • Dependencies monitored for known vulnerabilities (automated scanning)
  • Security patches applied promptly
  • Responsible disclosure program for external researchers

9. Data Retention and Disposal

Data is retained according to our Privacy Policy retention schedule. When data reaches end of retention:

  • Personal data is permanently deleted or anonymized (not merely archived)
  • Call recordings are securely deleted from storage
  • Backup copies are removed within the backup rotation cycle
  • Deletion is logged in the audit trail

10. Business Continuity

  • Automated database backups with point-in-time recovery
  • Container-based deployment enables rapid recovery and rollback
  • Cloudflare CDN provides geographic redundancy for edge traffic
  • Documented recovery procedures for application and database restoration
  • Campaign state is durable: paused campaigns resume from the last completed step after recovery

11. Compliance

11.1 SOC 2 Alignment

Our security controls are designed to align with AICPA SOC 2 Trust Service Criteria:

  • Security: Access controls, encryption, monitoring, vulnerability management
  • Availability: Infrastructure redundancy, incident response, capacity monitoring
  • Processing Integrity: Input validation, webhook signature verification, error handling
  • Confidentiality: Data classification, encryption, access controls, NDA for staff
  • Privacy: Data minimization, retention limits, user rights, consent management

11.2 GDPR Alignment

We implement measures to support GDPR compliance:

  • Data processing agreements with all sub-processors
  • Data subject rights (access, portability, erasure, restriction, objection)
  • Consent management and tracking (including call/SMS consent records)
  • Breach notification within 72 hours
  • Data protection impact assessments for high-risk processing

11.3 HIPAA Alignment

For customers handling protected health information (PHI):

  • Azure infrastructure is HIPAA eligible; Business Associate Agreement (BAA) available through Microsoft Azure
  • Enterprise (self-hosted) deployments run entirely within the customer's Azure tenant for full data residency control
  • Azure AI Content Safety filters sensitive health-related content before AI processing

11.4 TCPA / CAN-SPAM Alignment

We implement technical safeguards to support customer compliance:

  • Automatic opt-out processing for SMS (STOP keywords)
  • Do-not-contact flags on contacts that cannot be overridden by campaigns
  • Unsubscribe link support in email campaigns
  • Campaign scheduling controls to prevent calls/SMS during restricted hours

12. Reporting Vulnerabilities

If you discover a security vulnerability, please report it to:

Email: security@hiroi.ai

We appreciate responsible disclosure and will:

  • Acknowledge receipt within 48 hours
  • Provide an initial assessment within 5 business days
  • Keep you informed of remediation progress
  • Not take legal action against good-faith security researchers acting within responsible disclosure guidelines

13. Contact

For security-related inquiries:

hiroi - Security Email: security@hiroi.ai

Cookie Preferences

We use essential cookies to make our service work. You can choose to enable optional cookies for a better experience. Learn more

Cookie Preferences

Essential

Required for the service to function

Always On

Analytics

Help us understand how the service is used