Updated on Mar 03, 2026
Security at Heist
Heist protects customer data and platform integrity through security practices consistent with industry standards. This page describes the technical and organisational measures Heist maintains, as referenced in the Data Processing Agreement (Annex III).
Heist may update these measures from time to time, provided that updates do not materially decrease overall security.
Access control
All access follows the principle of least privilege and is managed through identity and access management (IAM). Account credentials are personal and must not be shared.
Encryption
All data in transit is protected with TLS (v1.2 or higher). All data at rest is encrypted using AES-256.
Data separation
Customer data is logically separated using a workspace architecture. Each customer's data is isolated within their own workspace.
Availability
Services run in a high-availability configuration with automated scaling and redundancy.
Backups and recovery
Data is backed up daily with 30-day retention. Recovery procedures are in place to restore service in the event of data loss.
Monitoring and logging
Systems are continuously monitored. Logs are retained for audit and forensic purposes.
Secrets management
Sensitive keys and credentials are stored securely using GCP Secret Manager.
Development security
All code changes are reviewed and undergo automated testing. Security bugs are prioritised over feature work.
Threat detection
Production systems are protected by a web application firewall (WAF), DDoS protection, and monitoring tools.
Incident response
Customers are notified without undue delay of major security incidents, in accordance with the Data Processing Agreement (Section 5).
Cloud infrastructure
Heist is hosted on Google Cloud Platform (GCP) and Supabase, both in the EU. Authentication is handled by Supabase using industry-standard security.
Physical security
Heist relies on Google Cloud Platform's physical security controls, which include biometric access, 24/7 monitoring, and environmental protections across all data centre facilities.
Compliance
Heist's security programme follows the principles of SOC 2 and ISO 27001. Formal certifications will be pursued as the company scales.
Customer data handling
Heist does not actively extract customer data from tested systems. The Service operates through test accounts created by the customer. Where cross-tenant testing is required, Heist uses multiple dedicated workspaces. For how Heist handles personal data incidentally encountered during testing, see DPA Section 1.5.2.
Your code base
Heist performs grey-box testing, emulating an attacker with access to the customer's platform but not the codebase. No codebase access is required.
For questions or legal concerns, reach us at legal[at]heisthq.com