Security is not an afterthought.

Security at Hostl is a continuous practice, not a checklist. We design our systems with security as a first-class requirement, review our practices regularly, and respond quickly when issues arise. This page describes our current security posture in plain language.

If you are a security researcher and have found a vulnerability, please skip to the Responsible Disclosure section.

In transit

All communication between your browser or device and our servers is encrypted using TLS 1.3. We enforce HTTPS on all endpoints and use HTTP Strict Transport Security (HSTS) to prevent downgrade attacks. Connections using TLS 1.0 or 1.1 are rejected.

At rest

All data stored on our servers is encrypted at rest using AES-256. This includes your account information, message content, and any files or attachments. Encryption keys are managed separately from the data they protect and are rotated on a regular schedule.

Message content

Messages are stored encrypted and are only decrypted to deliver them to the intended recipient. We do not read your message content for advertising, training, or any purpose other than delivering the Services.

We apply the principle of least privilege throughout our systems. This means:

• Every team member has access only to the systems and data they need to do their job.
• Access to production systems requires multi-factor authentication.
• All access to production data is logged and audited.
• Access rights are reviewed quarterly and revoked immediately when a team member leaves.
• No single person can access production data without a second person being aware.
• Database access from application code uses read-only credentials where possible.

Our infrastructure is hosted on enterprise-grade cloud providers with SOC 2 Type II and ISO 27001 certifications. We use the following practices:

• Network segmentation: production, staging, and development environments are fully isolated.
• Firewall rules: all inbound traffic is restricted to necessary ports and protocols.
• DDoS protection: we use network-level DDoS mitigation on all public endpoints.
• Automated backups: data is backed up daily with point-in-time recovery available.
• Backup encryption: all backups are encrypted using the same standards as production data.
• Geographic redundancy: critical data is replicated across multiple availability zones.

We take account security seriously. Our authentication system includes:

• Passwords are hashed using bcrypt with a high work factor. We never store plain-text passwords.
• Password reset links are single-use and expire after 1 hour.
• We detect and block credential stuffing attacks using rate limiting and anomaly detection.
• Suspicious login attempts trigger email notifications to the account holder.
• Session tokens are rotated on each login and invalidated on logout.
• We support secure session management with configurable session expiry.

We recommend using a strong, unique password for your Hostl account and enabling any additional security features available in your account settings.

Our badge verification system is designed to make trust visible. Each badge type has a defined verification process:

• Personal badge: identity verification against government-issued ID.
• Company badge: verification against business registration records.
• Government badge: verification through official government channels. Most strictly reviewed.
• Service badge: review of the service's purpose, ownership, and security practices.
• Commerce badge: verification of merchant registration and business legitimacy.

Badges are reviewed by our team before issuance. We reserve the right to revoke any badge if we determine the account no longer meets our standards or has violated our Terms of Service.

Attempting to obtain a badge through false information is a serious violation and will result in permanent account termination and may be reported to relevant authorities.

We monitor our systems continuously for security events, anomalies, and potential threats. Our monitoring covers:

• Real-time alerting on unusual access patterns or authentication failures.
• Automated detection of potential account compromise.
• Infrastructure health monitoring with automated failover.
• Log aggregation and analysis for security events.

Incident response

We maintain a documented incident response plan. In the event of a security incident that affects your data, we will notify affected users within 72 hours of becoming aware of the breach, in accordance with applicable data protection laws. Notifications will include the nature of the incident, what data was affected, and what steps we are taking.

We conduct regular security reviews as part of our development process:

• Code review: all code changes are reviewed by at least one other engineer before deployment.
• Dependency scanning: we scan our dependencies for known vulnerabilities on every build.
• Penetration testing: we conduct penetration tests before major releases and at least annually.
• Security review: new features that handle sensitive data undergo a dedicated security review.
• Third-party audits: we engage external security firms for independent assessments.

Security and privacy are inseparable at Hostl. Our engineering practices include:

• Data minimization: we collect only the data we need to provide the Services.
• Purpose limitation: data collected for one purpose is not used for another without your consent.
• No advertising tracking: we do not use advertising pixels, tracking scripts, or behavioral profiling.
• No AI training: your message content is never used to train machine learning models.
• Right to deletion: you can delete your account and all associated data at any time.

We welcome reports from security researchers. If you have discovered a vulnerability in our systems, please report it to us responsibly.

How to report

Send your report to security@hostl.cloud. Please include:

• A clear description of the vulnerability.
• Steps to reproduce the issue.
• The potential impact of the vulnerability.
• Your contact information (optional, but helpful for follow-up).

Our commitments to you

• We will acknowledge your report within 48 hours.
• We will keep you informed of our progress as we investigate and fix the issue.
• We will not take legal action against researchers who report vulnerabilities in good faith.
• We will credit you in our acknowledgments if you wish, once the issue is resolved.

Scope

In scope: hostl.cloud, app.hostl.cloud, message.hostl.cloud, and any Hostl-owned infrastructure. Out of scope: social engineering attacks, physical attacks, denial of service attacks, and vulnerabilities in third-party services we use.

Please do not access, modify, or delete data belonging to other users. Test only against accounts you own.

For security vulnerability reports: security@hostl.cloud

For general privacy questions: privacy@hostl.cloud

For legal inquiries: legal@hostl.cloud