Home Legal Security Policy
Security Policy · v2.0 · Effective April 5, 2026

Security by design, from your first call to your millionth.

hiroi protects the security, availability, and confidentiality of every call, transcript, contact record, and integration secret. Our controls are designed to align with SOC 2 Trust Service Criteria and support GDPR, TCPA, and CAN-SPAM compliance.

AES-256 at rest TLS 1.3 in transit 72-hour breach notification
Aligned withIndustry standards & frameworks
SOC 2 Type IIAligned
GDPREU / UK compliant
TCPATechnical safeguards
AES-256Encryption at rest
Four pillars

Defense in depth across every layer of the stack.

No single control protects your data. We run layered controls at the infrastructure, application, data, and operational layers — with continuous monitoring and audit trails across all four.

Infrastructure
Containerized deploys, network segmentation, and TLS termination at the edge. Cloudflare WAF + DDoS protection (SaaS) upstream of everything.
  • Azure Container Apps
  • US East 2 region
  • Cloudflare WAF (SaaS)
Application
Passkeys, 2FA, session-based auth, and org-scoped RBAC. CSRF and XSS controls on every state-changing request.
  • OAuth + Passkeys
  • Org-scoped RBAC
  • Redis rate limits
Data
AES-256 at rest, TLS 1.3 in transit. Recordings encrypted in Blob Storage. Secrets hashed, never logged, never in code.
  • AES-256 at rest
  • TLS 1.3 preferred
  • Encrypted backups
Operations
Automated alerting, incident response playbook, 72-hour breach notification, and responsible disclosure for security researchers.
  • 72h notification
  • Configurable retention
  • Responsible disclosure
Security architecture
EdgeTLS 1.3
Cloudflare CDN + WAF (SaaS)DDoS
ApplicationContainer secrets
Container AppsFlask
ACS WebhooksHMAC
DataAES-256
Azure SQL DatabaseAzure
Blob StorageRecordings
Architecture

Every tier isolated. Every link encrypted.

SaaS requests enter through Cloudflare, terminating TLS at the edge, before reaching a containerized Flask app running on Azure Container Apps. The database and telephony webhooks sit behind their own network boundary — no direct public exposure.

  • Network segmentation between application, database, telephony, and cache layers. No lateral paths.
  • HMAC signature verification on every inbound ACS webhook before any handler runs.
  • Zero secrets in code. API keys, DB strings, OAuth tokens — all in Azure Container Apps secrets.
  • Point-in-time recovery on Azure SQL Database, rapid container rollback, and durable campaign state after crash.
Data handling

How we classify and handle every piece of data.

Every field, record, and file in hiroi falls into one of four classifications — with handling rules that are enforced in code, not just policy.

ClassificationExamplesHandling
Confidential API keys, server secrets, 2FA secrets, ACS connection strings Encrypted or hashed at rest. Never logged, never exposed client-side. PBKDF2-SHA256 for API keys; Fernet encryption for 2FA.
Private Email addresses, phone numbers, call recordings, SMS content, conversation transcripts Access-controlled by organization membership. Retention limits enforced. Permanently deleted (not archived) at end of retention.
Internal Agent configurations, campaign settings, aggregate analytics Standard org-level access controls. IDOR prevention via JOIN queries requiring org membership.
Public Documentation, widget embed code, legal policies No restrictions. Published openly on hiroi.ai.
Responsible disclosure

Found a vulnerability? We want to hear from you.

We run an open responsible-disclosure program and do not take legal action against good-faith security researchers acting within our guidelines. Report anything you find — no matter how small — and we'll acknowledge you within 48 hours.

Email security@hiroi.ai 48h acknowledgment · 5-day initial assessment
Full policy

Security Policy — detailed controls

01Overview

hiroi is committed to maintaining the security, availability, and confidentiality of the hiroi omni-channel AI agent platform and the data it processes. This includes account data, contact records, call recordings, transcripts, SMS content, email campaigns, and Microsoft 365 integration data. Our security controls are designed to align with SOC 2 Trust Service Criteria.

02Infrastructure security

2.1 Hosting

  • Containerized deployment using Docker on Azure Container Apps for isolation and reproducibility
  • Application runs behind Cloudflare CDN (SaaS) with TLS termination and DDoS protection
  • Network segmentation between application, database (Azure SQL Database), telephony (ACS), and cache layers
  • Infrastructure hosted in Azure US East 2 region

2.2 Network security

  • All external traffic encrypted with TLS 1.2 or higher (TLS 1.3 preferred)
  • Content Security Policy (CSP) headers enforced
  • HTTP Strict Transport Security (HSTS) enabled
  • Cloudflare WAF (SaaS) for application-layer attack prevention

2.3 Database security

  • Azure SQL Database with authentication required for all connections
  • Database accessible only from the application network
  • Automated encrypted backups with point-in-time recovery
  • Connection strings stored in Azure Container Apps environment secrets, never in code

2.4 Telephony security

  • Azure Communication Services (ACS) for all voice calls and SMS
  • Inbound call webhooks validated with HMAC signature verification
  • Call recordings stored encrypted; access restricted by organization membership

03Application security

3.1 Authentication

  • Microsoft OAuth 2.0 (Entra ID): Secure enterprise authentication
  • Passkeys (WebAuthn): Phishing-resistant passwordless authentication
  • Magic links: Time-limited, single-use email tokens
  • Two-factor (TOTP): Second-factor authentication support
  • Sessions managed server-side with HttpOnly, Secure, SameSite cookie attributes

3.2 Authorization

  • Role-based access control (user, admin, organization member)
  • Resource-level authorization (IDOR prevention via JOIN queries requiring org membership)
  • API key scoping (widget-specific, non-transferable)
  • Organization-level data isolation

3.3 Input validation

  • Server-side validation on all inputs
  • Parameterized database queries (SQL injection prevention)
  • CSP headers (XSS prevention)
  • CSRF protection on all state-changing operations
  • Webhook payload signature verification before processing

3.4 Rate limiting

  • Redis-backed rate limiting on all API endpoints
  • Per-user and per-IP rate limits
  • Graduated limits for authentication endpoints
  • Widget chat and calling endpoints rate-limited per visitor/caller

04Data security

4.1 Encryption

  • In transit: TLS 1.2+ (TLS 1.3 preferred) for all communications
  • At rest: AES-256 encryption for database storage (provided by Azure SQL TDE)
  • Recordings: Encrypted at rest in Azure Blob Storage with managed keys
  • Secrets: API keys hashed with PBKDF2-SHA256; 2FA secrets encrypted with Fernet encryption
  • Backups: Database backups encrypted at rest using provider-managed keys

4.2 Access controls

  • Principle of least privilege for all system components
  • No shared accounts or credentials
  • API keys generated with sufficient entropy
  • Server secrets never exposed to client-side code

05Widget security

The embeddable chat widget supports two authentication modes:

  • Domain safelist: Origin header validation with exact domain matching
  • Session signed: HMAC-SHA256 signed tokens with configurable TTL

Neither mode exposes API keys or secrets in the browser. Signed tokens are site-specific and expire.

06Telephony & messaging

  • All inbound call events from ACS validated using event grid signature verification
  • A2P 10DLC registration required for US SMS traffic
  • SMS content never logged in plaintext in application logs
  • Opt-out keywords (STOP, UNSUBSCRIBE) processed automatically and irreversibly
  • Provisioned phone numbers are organization-scoped

07Operational security

7.1 Monitoring and logging

  • Comprehensive activity logging for all user and AI agent actions
  • Security event logging (auth failures, unusual activity)
  • Campaign and telephony logs for compliance audit
  • Audit trail preserved (anonymized) for a configurable retention period (default 90 days) after account deletion

7.2 Incident response

01 · Detect
Automated monitoring
Anomaly alerts across auth, API, and telephony layers.
02 · Contain
Isolate affected systems
Suspend accounts, revoke tokens, cut off lateral paths.
03 · Investigate
Root cause analysis
Timeline reconstruction from audit logs and metrics.
04 · Notify
72-hour breach window
Affected users notified within 72 hours of confirmed breach.
05 · Remediate
Patch & counter
Fix deployment with countermeasures and regression tests.
06 · Review
Post-incident
Process improvement and playbook updates.

7.3 Vulnerability management

  • Dependencies monitored for known vulnerabilities via automated scanning
  • Security patches applied promptly
  • Responsible disclosure program for external researchers

08Retention & disposal

Data is retained according to our Privacy Policy retention schedule. When data reaches end of retention:

  • Personal data is permanently deleted or anonymized — not archived
  • Call recordings are securely deleted from storage
  • Backup copies are removed within the backup rotation cycle
  • Deletion is logged in the audit trail

09Business continuity

  • Automated database backups with point-in-time recovery
  • Container-based deployment enables rapid recovery and rollback
  • Cloudflare CDN (SaaS) provides geographic redundancy for edge traffic
  • Campaign state is durable: paused campaigns resume from last completed step after recovery

10Compliance alignment

10.1 SOC 2

Our controls are designed to align with AICPA SOC 2 Trust Service Criteria across Security, Availability, Processing Integrity, Confidentiality, and Privacy.

10.2 GDPR

Data processing agreements with all sub-processors; data subject rights (access, portability, erasure, restriction, objection); consent management; 72-hour breach notification.

10.3 TCPA / CAN-SPAM

Automatic opt-out processing for SMS; do-not-contact flags that cannot be overridden by campaigns; unsubscribe link support; scheduling controls to prevent calls/SMS during restricted hours.

11Reporting vulnerabilities

If you discover a security vulnerability, please report it to security@hiroi.ai. We will:

  • Acknowledge receipt within 48 hours
  • Provide an initial assessment within 5 business days
  • Keep you informed of remediation progress
  • Not take legal action against good-faith security researchers acting within responsible disclosure guidelines

12Contact

For security-related inquiries:

hiroi — Security team
Email: security@hiroi.ai