Trust & Security
HatchCheck is designed around upload-light app launch evidence: private-by-default artifacts, local-only credential options, and conservative trust boundaries.
Version: 0.1-draft
Effective date: 2026-05-04
Last updated: 2026-05-04
Draft for legal review. HatchCheck should not claim SOC 2, HIPAA, ISO, or similar certification unless actually completed.
Useful Materials
- Screenshots.
- Store listing drafts.
- Privacy policy text.
- SDK lists.
- Selected config files.
- App Store/Google Play form screenshots.
Do Not Upload
- Private keys, certificates, signing credentials, production .env files, customer data, production secrets, and real demo passwords.
- App builds or binaries unless a later workflow explicitly supports them.
- Provider tokens, service account keys, raw production logs, or unnecessary full repositories.
Credential Handling
You can keep demo credentials local and paste them into review notes later. HatchCheck does not need to store demo credentials to generate most findings.
Storage, Access, Retention, and Audit
- Uploads should be private by default and accessed through authorized routes or signed URLs where implemented.
- Deletion controls and retention periods are documented, with manual support fallback while automation matures.
- Admin access should be restricted to authorized operational needs.
- Sensitive file access should be audited where implemented.
Training, Incidents, and Links
- HatchCheck does not train its models on customer content without explicit consent.
- Security contact: [SECURITY_EMAIL].
- Related pages: /privacy, /dpa, /subprocessors, /terms, /acceptable-use.
