Security

Hosting and data residency

• Application: Vercel (serverless, global edge network). Production traffic routes via TLS-terminated edge nodes; functions execute in isolated, ephemeral sandboxes.
• Application data: Google Firestore (Firebase). Account records, jobs, and report metadata are stored here.
• Video and footage: Google Cloud Storage with object-level access controls. Uploaded footage is processed for analysis and retained only as needed for your account and audit trail.
• AI inference: Google Gemini via Vertex AI. Inference is request-scoped; prompts and outputs are not used by Google to train foundation models when accessed via Vertex AI per Google’s data-governance terms.
• Region: EU regions (europe-west) preferred for storage where applicable. Specific residency requirements (e.g., flag-state restrictions) can be discussed during onboarding.

Encryption

• In transit: TLS 1.2+ for all customer traffic. HTTPS enforced on every public route; HSTS enabled on the production domain.
• At rest: AES-256 (Google Cloud default) for Firestore documents and Cloud Storage objects. Keys are managed by Google Cloud KMS.
• Secrets: API keys and credentials stored in Vercel encrypted environment variables, never in source control. Stripe webhook signatures are verified on every event.

Authentication and access control

• Customer authentication: Firebase Authentication (email/password and Google sign-in).
• Authorization: Customer data is scoped to the authenticated account. Firestore security rules enforce isolation server-side; admin endpoints are password-gated.
• Internal access: Production access is limited to the founder; access to customer data is on a least-privilege basis and logged.
• Payments: Card data is never stored on Hullproof systems. Stripe handles all payment information; we receive only tokenised references and metadata. PCI DSS scope is reduced accordingly.

Application security

• Dependencies: Continuous integration runs on every pull request: typecheck, lint, and an integration test suite that exercises the analysis-to-PDF pipeline. Hard-fail gating on test regressions.
• Monitoring: Application errors instrumented via Sentry. Production deployment and traffic logs available via Vercel.
• Audit trail: Each analysis records input fingerprint, model version, prompt version, and timestamp — verifiable for compliance.
• Secure development: Source on GitHub with branch protection on main; deploys are triggered only from reviewed merges.

Subprocessors

We use the following services to deliver Hullproof. Each is enterprise-grade and bound by their own data-protection commitments:

Data handling

• We do not use your footage, images, or documents to train our AI.
• We do not sell or share your data for advertising.
• We process your data only for your analysis and your report.
• You can request export or deletion of your account data at any time via the contact page.

See also the Data & AI page for the full statement on AI training and the Privacy policy for legal terms.

Compliance posture

We are honest about where we are. Hullproof is an early-stage product built by a small team — formal certifications take time and we will not claim what we have not earned.

• GDPR: Designed with GDPR principles — data minimisation, purpose limitation, customer-controlled deletion. EU-resident infrastructure available for EU customers.
• SOC 2: On the roadmap. We will pursue SOC 2 Type II once the customer base warrants it. Most underlying subprocessors (Vercel, Google Cloud, Stripe, Sentry) are SOC 2 Type II certified today.
• PCI DSS: Out of scope for direct compliance — Stripe handles all card data.
• Class society alignment: Our methodology is aligned with IACS UR Z3/Z7/Z23 and MEPC.378(80) for biofouling. See Methodology for the full coverage map.

Incident response

If you suspect a security incident affecting your data, contact us immediately via the contact form marked “Security”. We commit to acknowledging within 24 hours and providing a status update within 72 hours.