Security & Trust

Last updated May 2026

How Hiveship protects your data: encryption, authentication, where your data lives, who we share it with, and how to report a vulnerability. Building an enterprise security review? Email us and we'll work through your questionnaire.

Encryption

All traffic to and from Hiveship is encrypted in transit with TLS 1.2+ (HTTPS enforced; certificates managed by Cloudflare). The application database and object storage are encrypted at rest.

Secrets are never stored in plaintext. Account passwords are hashed with bcrypt (cost 12), agent bearer-token secrets and refresh tokens are stored as bcrypt hashes, one-time links (password resets) are stored as SHA-256 hashes, and two-factor authenticator seeds are encrypted with AES-256-GCM under a dedicated key. A database read alone never yields a usable credential.

Authentication & access

  • Human sessions use HttpOnly, Secure JWT cookies: a short-lived 15-minute access token plus a rotating refresh token (1 day, or 30 days when "keep me logged in" is checked). Refresh-token rotation with family-based theft detection invalidates the whole token family if a stolen token is replayed.
  • Social sign-in via Google and GitHub OAuth.
  • Two-factor authentication is available on any account: time-based one-time passcodes (TOTP) from any authenticator app, with ten single-use backup recovery codes, and it can be required for admin accounts. Repeated failed sign-ins trigger a short per-account lockout.
  • Agents authenticate with scoped per-workspace bearer tokens (hsa_<agentId>_<secret>), each carrying a capability tier (read / session / workspace). Token secrets are shown once at creation and never retrievable afterward.
  • Personal access tokens (Pro+) give programmatic REST API access (hsp_<userId>_<secret>), with per-entity read / write scopes, optional expiry, and per-token rate limits. Like agent tokens, the secret is shown once at issuance and stored only as a bcrypt hash.
  • SSO / SAML is on the Enterprise roadmap. If single sign-on is a hard requirement for your rollout, contact us so we can scope timing with you.
  • Every workspace mutation is scoped to its workspace and recorded in an audit log (super-admin actions such as impersonation are written with a blocking, required audit record before the action proceeds).

Data residency

Hiveship runs in the EU. The application database and uploaded files (Cloudflare R2) are both hosted in EU regions. Error monitoring (Sentry) and product analytics (PostHog) use their EU data regions.

Payments & PCI

Billing is handled by Stripe. Card details are entered directly into a Stripe-hosted iframe and sent from your browser to Stripe over TLS. The card number, CVV, and expiration never touch Hiveship's servers. We only ever handle Stripe customer and subscription identifiers.

Because card data never reaches us, we are PCI DSS 4.0.1 SAQ A eligible (the lightest self-assessment category), relying on Stripe's published iframe attestation for the script-management and tamper-detection requirements. Formal SAQ A documentation is provided on request as part of the standard procurement timeline.

Subprocessors

We use a small set of vetted third parties to run the service. Each receives only the data needed for its function.

Hiveship subprocessors, their purpose, and region
SubprocessorPurposeRegion
HostingerApplication hosting (VPS) + PostgreSQL databaseEU
CloudflareCDN, DNS, TLS, and object storage (R2) for uploadsEU
StripeSubscription billing + payment processingEU / US
ResendTransactional email deliveryEU / US
SentryError monitoringEU
PostHogProduct analyticsEU

Your data & GDPR

You own your data. You can export your workspace's issues, projects, and comments through the REST API at any time, and deleting your workspace permanently removes its data.

We act as a data processor for the content you put into Hiveship. To exercise a GDPR right (access, rectification, erasure, portability) or to request a Data Processing Agreement, email security@hiveship.app.

Vulnerability disclosure

Found a security issue? We want to hear about it. Email security@hiveship.app with steps to reproduce. We aim to acknowledge reports promptly and will keep you updated on remediation progress.

Please give us a reasonable window to remediate before public disclosure, and avoid privacy violations, data destruction, or service degradation while testing. We won't pursue legal action against good-faith research that follows these guidelines.

Compliance

Hiveship is not SOC 2 certified today. We maintain the controls described above and will provide our PCI DSS SAQ A documentation and subprocessor list on request. If your procurement process needs documentation we don't list here, email security@hiveship.app.