Hooktopus

Security

Built for production data, not toy traffic.

Hooktopus runs entirely on Cloudflare's platform with a small, well-bounded blast radius and credential handling that's intentionally boring. Here's exactly what we do.

Data

Where your data lives.

Your BigQuery is the source of truth

Every event is written to your BigQuery dataset under your GCP project. We never see the data after write. Replays read from your R2 archive and write to your BQ — we hold the keys but not the rows.

R2 archive, configurable retention

We keep canonical event JSONs in Cloudflare R2 for 30 days by default. Configurable to 1d / 7d / 30d / 90d / never. GDPR right-to-erasure deletes prefix-by-workspace in seconds.

No cross-tenant blob co-mingling

R2 paths are prefixed with <workspace_id>/... so per-tenant export and deletion are first-class. There is no global event store.

Encryption at rest

BQ service account JSONs are encrypted with AES-256-GCM, key per workspace, held in Cloudflare KV. Root key is rotated quarterly. Plaintext credentials never touch D1 or logs.

Access

Who can do what.

Clerk-backed auth

Sign in with Google, magic link, or passkey. Multi-factor authentication is available. Sessions are backed by Clerk, including its detection of suspicious logins. We never store passwords.

Per-workspace roles

Owner / Admin / Member / Viewer. Workspace-scoped — no global admin role. All sensitive operations (delete workspace, rotate keys, add destination) require Admin+.

Audit log (Pro+)

Every state-changing API call is recorded with user, IP, before/after diff, and timestamp. Exportable to BigQuery on request.

IP allowlist (Pro+)

Restrict ingress per endpoint to a list of CIDRs. Useful when your source publishes a documented egress range (Stripe, GitHub, HubSpot all do).
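The check that a per-endpoint CIDR allowlist implies, as an added JavaScript example (not Hooktopus's own code). The endpoint ids, the ranges (documentation prefixes), and the rule that an empty list means "no restriction" are assumptions made for the example; anything unparsable is rejected.

```javascript
// Constructed sample data: endpoint id -> allowed CIDRs (RFC 5737 / RFC 3849 ranges).
const ALLOWLISTS = new Map([
  ["ep_billing", ["192.0.2.0/24", "2001:db8:10::/48"]],
  ["ep_open", []], // assumption: empty list means no restriction configured
]);

// Parse an IPv4 or IPv6 literal into { bits, value }; null if malformed.
function parseIp(ip) {
  if (typeof ip !== "string") return null;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
    const octets = ip.split(".").map(Number);
    if (octets.some((o) => o > 255)) return null;
    return { bits: 32, value: octets.reduce((a, o) => (a << 8n) | BigInt(o), 0n) };
  }
  if (!/^[0-9a-fA-F:]+$/.test(ip) || !ip.includes(":")) return null;
  const halves = ip.split("::");
  if (halves.length > 2) return null; // at most one "::" is legal
  const gap = halves.length === 2;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = gap && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (gap ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(gap ? missing : 0).fill("0"), ...tail];
  if (groups.some((g) => !/^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return { bits: 128, value: groups.reduce((a, g) => (a << 16n) | BigInt("0x" + g), 0n) };
}

// True if `ip` falls inside `cidr`; family mismatch or a bad prefix length is a non-match.
function inCidr(ip, cidr) {
  const [base, lenStr] = String(cidr).split("/");
  if (!/^\d{1,3}$/.test(lenStr || "")) return false; // "192.0.2.0/" must not act as /0
  const addr = parseIp(ip);
  const net = parseIp(base);
  const len = Number(lenStr);
  if (!addr || !net || addr.bits !== net.bits || len > net.bits) return false;
  const shift = BigInt(net.bits - len);
  return (addr.value >> shift) === (net.value >> shift);
}

// Admission decision for one request. In a Cloudflare Worker the client address
// is available as the CF-Connecting-IP request header.
function isAllowed(endpointId, sourceIp) {
  const list = ALLOWLISTS.get(endpointId);
  if (list === undefined) return false; // unknown endpoint: fail closed
  if (list.length === 0) return true;
  return list.some((cidr) => inCidr(sourceIp, cidr));
}
```

Take the address from the platform-supplied connection metadata rather than a client-controlled header such as `X-Forwarded-For`, otherwise the allowlist can be bypassed by the sender.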

Compliance

Where we stand today.

SOC 2 Type II

In progress

Targeting Q1 2027 audit.

GDPR

Yes

DPA available on request.

CCPA

Yes

Right-to-delete handled per-workspace.

HIPAA

Not yet

BAAs not signed. Don't send PHI.

Need our security questionnaire or DPA? Email security@hooktopus.io.

Have a specific question?

We'll answer it specifically.

No security-theater answers, no marketing-speak. Email us and you'll get a real engineer.