hall-monitor

Security

How hall-monitor handles your data and keeps it safe.

Data handling

  • hall-monitor processes webhook payloads from GitHub and events from Slack. It stores event metadata (PR titles, commit SHAs, deployment IDs, timestamps) to maintain thread state.
  • Source code is never read, stored, or transmitted. Webhook payloads contain metadata only — diffs and file contents are not included in the events hall-monitor receives.
  • No personal data is collected beyond what's present in webhook payloads (Git author names, GitHub usernames).
  • Data is stored in US East (Virginia). Event metadata is retained for the duration of an active subscription and purged within 30 days of account cancellation or deletion.

Authentication and access

  • GitHub webhooks are validated using HMAC-SHA256 with a per-installation secret. Invalid or missing signatures are rejected immediately.
  • Slack events are verified using Slack's signing secret. The bot uses the minimum required OAuth scopes: chat:write, channels:read, groups:read, users:read, reactions:read, and commands.
  • API keys are scoped per workspace and can be rotated from the dashboard at any time.
  • Production database and infrastructure access is restricted to authenticated operators via encrypted channels. Access is reviewed periodically.
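The two verification steps above (HMAC-SHA256 over the raw GitHub webhook body, and Slack's signing-secret check with its timestamp window) follow the publicly documented GitHub and Slack formats. The following is an added illustration written for this page, not hall-monitor's own code; the secrets, the sample payload and the timestamps are constructed values, and the five-minute replay window is the limit Slack's documentation recommends.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample secrets and payload; not real hall-monitor values.
GITHUB_WEBHOOK_SECRET = b"example-per-installation-secret"
SLACK_SIGNING_SECRET = b"example-slack-signing-secret"
SAMPLE_BODY = b'{"action":"opened","pull_request":{"title":"Add retries"}}'

# Slack asks receivers to reject requests whose timestamp is more than
# five minutes off, which bounds how long a captured request can be replayed.
SLACK_MAX_SKEW_SECONDS = 300


def sign_github(secret: bytes, raw_body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: 'sha256=' + hex HMAC-SHA256 over the raw body."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_github_signature(secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    """Reject a missing or malformed header outright; otherwise compare in constant time."""
    if not header or not header.startswith("sha256="):
        return False
    expected = sign_github(secret, raw_body)
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(expected.encode("utf-8"), header.encode("utf-8"))


def sign_slack(signing_secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """Value Slack sends in X-Slack-Signature: 'v0=' + hex HMAC-SHA256 over 'v0:<ts>:<body>'."""
    base = b"v0:" + timestamp.encode("ascii") + b":" + raw_body
    return "v0=" + hmac.new(signing_secret, base, hashlib.sha256).hexdigest()


def verify_slack_signature(
    signing_secret: bytes,
    raw_body: bytes,
    timestamp: Optional[str],   # X-Slack-Request-Timestamp header
    header: Optional[str],      # X-Slack-Signature header
    now: Optional[float] = None,  # injectable clock for testing
) -> bool:
    """Check the timestamp window first, then the signature, both in a fail-closed style."""
    if not header or not timestamp or not header.startswith("v0="):
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if abs(current - ts) > SLACK_MAX_SKEW_SECONDS:
        return False  # stale or future-dated request: treat as a replay
    expected = sign_slack(signing_secret, timestamp, raw_body)
    return hmac.compare_digest(expected.encode("utf-8"), header.encode("utf-8"))


if __name__ == "__main__":
    gh_header = sign_github(GITHUB_WEBHOOK_SECRET, SAMPLE_BODY)
    print("github ok:", verify_github_signature(GITHUB_WEBHOOK_SECRET, SAMPLE_BODY, gh_header))
    print("github tampered:", verify_github_signature(GITHUB_WEBHOOK_SECRET, SAMPLE_BODY + b" ", gh_header))
    ts = str(int(time.time()))
    sl_header = sign_slack(SLACK_SIGNING_SECRET, ts, SAMPLE_BODY)
    print("slack ok:", verify_slack_signature(SLACK_SIGNING_SECRET, SAMPLE_BODY, ts, sl_header))
```

Both checks must run over the exact bytes the server received, before any JSON parsing or re-serialisation, since any change to whitespace or key order produces a different MAC. The Slack check also needs the timestamp header itself, not a parsed copy, because it is part of the signed string.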

Infrastructure

  • Each workspace's data is logically separated at the database level via tenant isolation.
  • All data in transit is encrypted via TLS 1.2+.
  • All data at rest is encrypted using AES-256. Fly.io Postgres and Upstash Redis both encrypt stored data by default.
  • Server and database are hosted on Fly.io in the US East (iad) region.

Subprocessors

  • GitHub — source of webhook events. SOC 2 Type II certified.
  • Slack — destination for notifications. SOC 2 Type II certified.
  • Fly.io — server and database hosting (US East). SOC 2 Type II certified.
  • Upstash — Redis queue for job processing. SOC 2 Type II certified.
  • Vercel — website and dashboard hosting. SOC 2 Type II certified.

Compliance

  • Annual penetration testing by a named third-party security firm is planned for Q3 2026. Results are available to enterprise customers under NDA on request.
  • SOC 2 Type II certification is on our roadmap for 2026–2027.
  • A Data Processing Agreement (DPA) is available for enterprise customers. Contact us to request one.
  • GDPR: hall-monitor acts as a data processor for webhook metadata. Data processing commitments are available via DPA.

Vulnerability reporting

  • Responsible disclosure: security issues can be reported to . We aim to acknowledge reports within 48 hours and provide a remediation timeline for confirmed vulnerabilities.

Questions about security?

Reach out for details on our security posture, to request a DPA, or discuss enterprise requirements.
