Trust Center
How we protect your mission data — infrastructure, access controls, compliance, and responsible disclosure.
Enterprise-grade protection
Encryption
All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Database connections use SSL. Backups are encrypted.
Request Hardening
Every API route is auth-gated with RBAC capability checks and response-schema validation, behind per-route rate limiting, an IP allow-list, and strict security headers (HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy).
Authentication
Secure password hashing (bcrypt), optional TOTP two-factor authentication, SSO via Google and Microsoft, and session management.
Access Controls
12 mission-level roles with a granular capability matrix. Portal-level RBAC ensures users only see and edit data they are authorized for.
Audit Logging
Append-only event log of all user and mission actions, user-attributed. Filterable by event type, user, mission, and organization. CSV export for compliance.
Password Hygiene
Passwords are hashed with bcrypt and held to strong-complexity requirements. Leaked-password protection against known-breach corpora is supported by our identity provider (Supabase Auth).
Standards we follow
SOC 2 Readiness — Not Yet Certified
Controls are implemented and mapped against the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality). We have not yet engaged a Type II audit and are not certified. Interim control documentation is available under NDA.
GDPR
Full data export, right to deletion, data processing agreements, and EU-compatible data handling practices.
ITAR Awareness
The platform supports classification tagging and access controls for ITAR-sensitive mission data. Customers are responsible for ITAR compliance.
NIST 800-171
Security controls mapped to NIST 800-171 requirements for protecting Controlled Unclassified Information (CUI).
How we handle your data
Data Ownership
You retain full ownership of all mission data you create or upload. We never access, sell, or share your engineering data.
Data Isolation
Mission data is isolated per organization. Row-level security policies ensure users can only access data belonging to their team.
Data Export
Export all mission data at any time in structured JSON or PDF format. Enterprise plans include full GDPR data exports.
Data Deletion
When you delete your account, all personal data is removed within 30 days. Mission data can be exported before deletion.
Backup & Recovery
Automated daily backups with point-in-time recovery. Backups are encrypted and stored in geographically separate regions.
Data Classification
Tag mission parameters and documents with classification levels (Unclassified, CUI, ITAR, EAR) for access control enforcement.
Where your data lives
ITAR & CUI Support
Mission engineering teams frequently handle International Traffic in Arms Regulations (ITAR) and Controlled Unclassified Information (CUI) data. Hitt Hosting SE provides the infrastructure and access controls these programs require. The customer is ultimately responsible for ITAR compliance within their organization.
US-Only Hosting
Cloud deployment runs exclusively on US-based infrastructure. Self-hosted deployment runs entirely on your own servers with no external network calls.
Classification Tagging
Tag requirements, documents, and mission parameters with classification levels: Unclassified, CUI, ITAR, and EAR. Tags enforce access control policies automatically.
Foreign Person Access Control
Mission-level role assignments allow you to restrict access to US Persons only. Administrators control who can view or edit ITAR-marked data.
Audit Trail for Compliance
Every access, edit, and export is logged with timestamp, user identity, and IP address. Export audit logs in CSV for compliance reviews and investigations.
Controlled Export
PDF and CSV exports include classification markings and handling caveats. Export actions are logged and can be restricted by role.
CUI Marking Support
Apply CUI category markings (CUI//SP-EXPT, CUI//SP-CTI, etc.) to mission data. Markings flow through to all generated deliverables and exports.
Air-Gap Architecture
For programs that require complete network isolation, Hitt Hosting SE supports a fully self-hosted deployment with zero external dependencies. No CDN calls, no analytics beacons, no third-party fonts. The entire application runs on your infrastructure.
Zero External Calls
No analytics, no CDN fonts, no telemetry, no license phone-home. The application operates identically whether connected to the internet or completely isolated.
Docker Compose Deployment
Deploy the entire stack with a single docker compose command. Pre-built images include all dependencies. Air-gap installations receive updates via signed archive files transferred through approved media.
Local Authentication
Self-hosted Supabase Auth handles all authentication locally. No dependency on external identity providers. Optional SSO integration for environments that maintain an internal IdP.
Offline Engineering Calculators
All 50+ engineering calculators run client-side with no server round-trips. Orbit analysis, link budgets, and mass calculations work identically in air-gapped environments.
Responsible Disclosure
If you discover a security vulnerability in Hitt Hosting SE, please report it responsibly. We appreciate your help keeping our users safe.
Please do not publicly disclose the issue until we have had a reasonable opportunity to address it. We aim to acknowledge reports within 48 hours and provide a resolution timeline within 5 business days.
Need a security review?
We are happy to walk through our security posture with your ISSM, ISSO, or compliance team. No sales pitch required.