Security & Compliance

We're committed to securing your data, eliminating system vulnerabilities, and ensuring continuity of access.

Security is directed and maintained by the HookFeed Engineering leadership team.

Our Core Commitments

Secure Traffic

All application, database, webhook ingestion, and API traffic is encrypted via TLS/HTTPS.

Encrypted Storage

Data stores are encrypted at the disk level. Sensitive configuration data (such as webhook secrets) is encrypted within the database.

You Control What You Send

HookFeed receives only the webhook data you choose to send us. We provide filtering tools so you can control which events are processed. We recommend configuring your webhook sources to exclude sensitive data before sending. We never reach into your third-party accounts — you push data to us.

Minimal Data by Design

Our storage architecture retains event data in accordance with your plan retention period. When service is cancelled, all data is deleted.

Penetration Testing

Annual security and penetration testing is conducted by a third-party firm, with new vulnerabilities addressed routinely.

Employee Access

Employees receive training and background checks, and use full-disk encryption, VPNs, password managers, and 2FA wherever available.

Account Access

Only authorized members of the Engineering team have access to customer account data, on an as-needed basis behind two-factor authentication.

Webhook Ingestion Security

Inbound Webhook URLs

Each data source in HookFeed is assigned a unique, unguessable webhook URL. These URLs should be treated as confidential credentials. If you believe a webhook URL has been compromised, you can regenerate it at any time from your dashboard.

Webhook Signature Verification

HookFeed supports webhook signature verification for providers that sign their payloads (such as Stripe and Shopify). When a webhook secret is configured for a data source, HookFeed verifies the signature of each incoming payload and rejects any that fail verification.
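The verification step described above, as an added illustration that is not HookFeed's own code. The signature scheme is an assumption for the example (a header of the form t=<unix timestamp>,v1=<hex HMAC-SHA256> over "<timestamp>.<raw body>", modeled on the timestamp-plus-HMAC style that providers such as Stripe document); the secret, function names and the 300-second replay window are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed example secret; a real webhook secret comes from the provider's dashboard.
EXAMPLE_SECRET = b"whsec_example_do_not_use"


def sign_payload(secret: bytes, raw_body: bytes, timestamp: int) -> str:
    """Produce the (assumed) signature header a provider would attach to a delivery."""
    signed = str(timestamp).encode() + b"." + raw_body
    digest = hmac.new(secret, signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def parse_signature_header(header: str):
    """Parse 't=...,v1=...' into (timestamp, [hex digests]).

    Several v1 entries are tolerated so a secret can be rotated without a gap.
    """
    timestamp = None
    digests = []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)          # raises ValueError on a non-numeric timestamp
        elif key == "v1":
            digests.append(value)
    if timestamp is None or not digests:
        raise ValueError("malformed signature header")
    return timestamp, digests


def verify_webhook(secret: bytes, raw_body: bytes, header: str,
                   now=None, tolerance_seconds: int = 300) -> bool:
    """Return True only if the HMAC matches and the timestamp is inside the replay window."""
    now = int(time.time()) if now is None else now
    try:
        timestamp, digests = parse_signature_header(header)
    except ValueError:
        return False
    # A delivery whose timestamp is too old (or in the future) is rejected, so a
    # captured request cannot simply be replayed later even with a valid HMAC.
    if abs(now - timestamp) > tolerance_seconds:
        return False
    expected = hmac.new(secret, str(timestamp).encode() + b"." + raw_body,
                        hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so the comparison does not leak how
    # many leading bytes of a guessed signature were correct.
    return any(hmac.compare_digest(expected, d) for d in digests)
```

Two points matter in practice: the HMAC must be computed over the exact raw request body bytes, not over a re-serialized JSON object (whitespace or key order changes break the signature), and a failed check should answer with a 4xx status, since retrying the same unsigned request will never succeed.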

Rate Limiting

Webhook ingestion endpoints support rate limiting to protect against abuse and denial-of-service attacks.

Data Filtering and Transformation

HookFeed provides filtering tools so customers can control which events are processed and displayed. We recommend that customers configure their webhook sources to exclude sensitive data before sending it to HookFeed. It is the customer's responsibility to prevent sensitive or regulated data from being stored in HookFeed.

Application Security

Authentication

HookFeed uses magic link authentication by default — no passwords to manage, leak, or brute-force. Each magic link is single-use, time-limited, and delivered to the verified email address on file.
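The two properties named above, single-use and time-limited, as an added example of how a magic-link store can enforce them. This is illustrative code, not HookFeed's implementation; the 15-minute lifetime, the in-memory store and the function names are assumptions for the example.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 15 * 60   # assumed lifetime; the page says only "time-limited"


class MagicLinkStore:
    """In-memory stand-in for a database table of pending links (constructed for this example)."""

    def __init__(self):
        self._pending = {}   # sha256(token) -> (email, expires_at)

    def issue(self, email: str, now=None) -> str:
        """Create a link token for the verified address; only its hash is stored server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._pending[token_hash] = (email, now + LINK_TTL_SECONDS)
        return token   # this value goes into the emailed URL

    def redeem(self, token: str, now=None):
        """Return the email for a valid token, or None. A token is consumed on first use."""
        now = time.time() if now is None else now
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        # pop() removes the record whether or not it is still valid, so a link can
        # never be redeemed twice and expired links do not accumulate.
        record = self._pending.pop(token_hash, None)
        if record is None:
            return None
        email, expires_at = record
        if now > expires_at:
            return None
        return email
```

Storing only the hash means a leaked database dump does not contain usable login links, and because the token is a high-entropy random value, an attacker cannot construct one that hashes to a stored record.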

Anonymous Sessions

HookFeed offers anonymous, session-based access for evaluating the product before signup. Anonymous sessions are stored temporarily in Redis, are rate-limited, and are automatically purged after 24 hours. No personal data is required for anonymous sessions.

Application Development Lifecycle

HookFeed practices continuous delivery: code changes are committed, tested, shipped, and iterated on in rapid sequence. Combined with pull request review, continuous integration (CI), and automated error tracking, this significantly decreases the likelihood of a security issue, shortens the response time to bugs and vulnerabilities, and makes their eradication more effective.

Data Flow

Data into System

Webhook payloads are sent to HookFeed's HTTPS endpoints over TLS. Upon receipt:

  • The payload is validated (signature verification if configured).
  • The event is matched against feed filter rules and routed to the appropriate feeds.
  • Event data is stored in accordance with the customer's plan retention period.

Sensitive data is automatically scrubbed from application logs.
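The second step of the flow above (matching an event against feed filter rules) together with the log-scrubbing step, as an added example. The rule format, the feed names and the list of sensitive field names are constructed for the example; HookFeed's own rule syntax is not shown on this page.

```python
import fnmatch
import json

# Constructed feed filter rules (hypothetical shape): each feed lists, per event field,
# the glob patterns at least one of which the field's value must match.
FEED_RULES = {
    "payments": {"type": ["payment_intent.*", "charge.refunded"]},
    "failures": {"type": ["payment_intent.payment_failed"]},
}

# Field names whose values are redacted before anything reaches a log line (constructed list).
SENSITIVE_KEYS = {"card_number", "ssn", "secret", "token", "authorization", "email"}


def matches_rule(event: dict, rule: dict) -> bool:
    """Every field in the rule must match one of its patterns (AND across fields, OR within)."""
    for field, patterns in rule.items():
        value = str(event.get(field, ""))
        if not any(fnmatch.fnmatchcase(value, p) for p in patterns):
            return False
    return True


def route_event(event: dict) -> list:
    """Return the feeds an event is routed to; one event may fan out to several feeds."""
    return [feed for feed, rule in FEED_RULES.items() if matches_rule(event, rule)]


def scrub(obj):
    """Recursively replace the values of sensitive keys so application logs never carry them."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else scrub(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    return obj


def ingest(raw_body: bytes):
    """Return (feeds the event routes to, the scrubbed JSON line that is safe to log)."""
    event = json.loads(raw_body)
    feeds = route_event(event)
    log_line = json.dumps(scrub(event), sort_keys=True)
    return feeds, log_line
```

An event that matches no rule routes to an empty list and is simply not displayed; scrubbing is applied to the copy destined for logs only, so the stored event itself is whatever the customer chose to send.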

Data out of System

After events are processed, data can be accessed via the HookFeed user interface and configured alert/digest channels. HookFeed transmits alerts and digests to Slack and email as configured by the customer. All outbound data transmission uses TLS-encrypted connections.

AI Processing

When AI features are used (such as auto-configuration of dashboards or event analysis), portions of event data are transmitted to our AI service provider (Anthropic) via their API over TLS-encrypted connections. Anthropic processes this data under their commercial API terms, which prohibit the use of customer data for model training. AI processing is initiated only when the customer uses AI-powered features.

Data Security and Privacy

For how we handle personal data, see our Privacy Policy.

Data Encryption

HookFeed servers and databases are encrypted at the disk level. In the unlikely event of an intruder gaining access to a physical storage device, the data on it could not be decrypted without the proper keys.

Encryption at rest also enables continuity measures such as backups and infrastructure management without compromising data security and privacy.

HookFeed sends data exclusively over HTTPS connections protected by Transport Layer Security (TLS), so data is encrypted in transit to and from the application.

Databases have full-disk encryption, and sensitive configuration data within those databases (webhook secrets, API keys, etc.) is additionally encrypted at rest.

Data Retention

Event data retention is determined by the customer's plan tier:

Plan        Retention
Free        30 days
Starter     90 days
Pro         1 year
Business    Unlimited

When retention limits are reached, event data is permanently deleted. Customers may also request early deletion of specific events or entire data sources at any time.

Data Removal

All customer data stored on HookFeed servers is permanently deleted upon termination of service, with account deletions processed after a 24-hour waiting period to prevent accidental cancellation. Data can also be deleted upon request for specific data sources, feeds, or events.

Sensitive Data Guidance

We recommend that customers configure their webhook sources to exclude personally identifiable information (PII) and other sensitive data before sending it to HookFeed. If your webhook payloads contain sensitive fields (such as credit card tokens, social security numbers, or health information), you should exclude those fields at the source.

HookFeed is not designed to process or store data subject to PCI-DSS, HIPAA, or similar regulatory requirements unless a separate written agreement is in place. See our Terms of Service for more information.

Vulnerability Disclosure

Anyone can report a vulnerability or security concern with a HookFeed product by contacting security@hookfeed.com and including a proof of concept. We take all disclosures seriously; each reported vulnerability is verified upon receipt before we take the necessary steps to address it.

Infrastructure and Network Security

Physical Access Control

HookFeed is hosted on cloud infrastructure providers. Cloud data centers feature robust physical security models. HookFeed employees do not have physical access to data center servers, network equipment, or storage.

Logical Access Control

HookFeed is the assigned administrator of its infrastructure, and only designated authorized HookFeed operations team members have access to configure the infrastructure on an as-needed basis behind two-factor authentication. Passwords and keys are stored in a secure and encrypted location.

Network Protection

HookFeed uses Cloudflare for CDN, DDoS protection, and network security. All traffic passes through Cloudflare's network before reaching our application servers, providing an additional layer of protection against attacks.

Penetration Testing

HookFeed undergoes annual penetration testing conducted by an independent, third-party firm. No customer data is exposed to the firm through penetration testing. Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities. A summary of penetration test findings is available upon request to Business plan customers.

Business Continuity and Disaster Recovery

High Availability

Every part of the HookFeed service uses properly provisioned, redundant servers (e.g., multiple web servers, replica databases) to withstand failure. As part of regular maintenance, servers are taken out of operation without impacting availability.

Business Continuity

HookFeed keeps regular encrypted backups of data. While never expected, in the case of production data loss (i.e., primary data stores lost), we will restore data from these backups.

Disaster Recovery

In the event of a region-wide outage, HookFeed will bring up a duplicate environment in a different region. The HookFeed engineering team documents and simulates extreme scenarios, practicing recovery workflows.

Webhook Resilience

If HookFeed experiences downtime, incoming webhooks sent during the outage may be lost if the sending service does not retry. Most webhook providers (such as Stripe, Shopify, and Kit) implement automatic retry logic for failed deliveries. HookFeed returns appropriate HTTP status codes to encourage provider-side retries. Customers should be aware that webhook delivery is inherently at-least-once and not guaranteed, and should not rely on HookFeed as the sole record of critical business events.
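Because delivery is at-least-once, a receiver has to tolerate redeliveries and must answer with status codes the provider's retry logic can act on. The receiver below is an added example of that pattern, not HookFeed's code: the status-code mapping (400 for a permanently bad request, 200 for a duplicate, 503 for a transient storage failure) and the in-memory dedupe set are assumptions made for the illustration.

```python
class WebhookReceiver:
    """Idempotent receiver that maps each outcome to the HTTP status the provider should see."""

    def __init__(self, store_fn):
        self._seen_ids = set()   # stand-in for a durable dedupe table keyed by provider event id
        self._store = store_fn   # callable that persists the event; raises on transient failure

    def handle(self, event: dict, signature_ok: bool) -> int:
        if not signature_ok:
            return 400            # permanent failure: retrying the same bad request cannot help
        event_id = event.get("id")
        if event_id is None:
            return 400            # no stable id, so the event cannot be deduplicated safely
        if event_id in self._seen_ids:
            return 200            # redelivery of an event already stored: acknowledge it so
                                  # the provider stops retrying, and do not store it twice
        try:
            self._store(event)
        except Exception:
            return 503            # transient failure: a 5xx tells the provider to retry later
        # Recording the id only after a successful store keeps the failure path retryable.
        # A crash between store and this line would let one duplicate through, which is
        # exactly the window at-least-once delivery obliges downstream consumers to tolerate.
        self._seen_ids.add(event_id)
        return 200
```

The same reasoning applies on the customer side: since HookFeed returns 5xx during an outage and providers retry, the event usually arrives late rather than never, but anything that must not be lost still needs a record of its own outside the webhook path.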

Corporate Security

Risk Management

All HookFeed product changes must go through code review, CI, and the build pipeline to reach production servers. Only designated employees on the HookFeed engineering team have secure shell (SSH) access to production servers.

Testing and risk management are performed on all systems and applications on a regular, ongoing basis. HookFeed performs risk assessments throughout the product lifecycle, including before the integration of new system technologies, when making infrastructure changes, and periodically as part of technical and non-technical assessments.

Contingency Planning

The HookFeed operations team includes service continuity and threat remediation among its top priorities. We keep a contingency plan in case of unforeseen events, including risk management, disaster recovery, and customer communication sub-plans that are tested and updated on an ongoing basis.

Background Checks

HookFeed conducts background checks for new employees, including identity verification, global watchlist check, national criminal records check, and county criminal records check.

Security Training

New employees receive onboarding and systems training, including environment and permissions setup, formal software development training (if pertinent), and security policies review. Any change to policy affecting the product is communicated to the entire engineering team.

Compliance

GDPR

To ensure that personal data you send HookFeed is afforded the protections required by the GDPR, HookFeed offers a Data Processing Addendum that incorporates the Standard Contractual Clauses.

Our Data Processing Addendum is available online. Email legal@hookfeed.com for a signed copy.

CCPA

HookFeed's Data Processing Addendum provides assurances that: (1) HookFeed acts solely as a service provider (as that term is defined under the CCPA) on a customer's behalf, (2) HookFeed does not retain, use, or disclose personal data for any purpose other than the purposes described in the DPA, and (3) HookFeed does not "sell" personal data (within the meaning of the CCPA).

What HookFeed Is Not

HookFeed is not PCI-DSS certified, HIPAA compliant, or SOC 2 audited. If you require these certifications for your use case, please contact us to discuss your needs. Customers should not transmit data subject to these regulatory frameworks to HookFeed without a separate written agreement.