Security — Hesett Pro

Overview

Hesett Pro operates a payment, ordering, reservation, and analytics platform live across 18,000+ tables in Colombia. Security is built into every layer — code, infrastructure, processes, people. This page summarizes the most important controls; for deeper diligence (SOC 2 report under NDA, penetration-test summary, DPA, sub-processor list) write to support@hesett.com.

One-line summary: All traffic is TLS 1.3, all card data goes to Stripe and never to us, all stored data is encrypted at rest with AES-256, all employee access is gated by SSO + hardware keys, and every production change runs through code review + automated tests.

Data in transit

Every connection to Hesett endpoints uses TLS 1.2 or higher, TLS 1.3 by default. HSTS with a 12-month max-age, submitted to the HSTS preload list. A+ on SSL Labs.

Data at rest

Databases (Postgres, Firestore) — AES-256, keys via Google Cloud KMS.
Object storage — AES-256 server-side encryption.
Backups — encrypted with separate keys, retained 30 days, geographically replicated, restore-tested monthly.
Mobile / staff devices — sensitive local data stored in the platform's secure enclave (iOS Keychain, Android Keystore).

Payments — PCI

Card data never touches Hesett servers. Card capture is performed by Stripe Elements directly in the browser or app and sent to Stripe (PCI-DSS Level 1 certified). Hesett operates as a Stripe Connect platform and qualifies for SAQ A — the simplest PCI scope — because we never store, process, or transmit cardholder data.

Authentication

Partner staff sign in with SSO (Google Workspace, Microsoft Entra) where available, otherwise email + password with bcrypt hashes (work factor 12) and optional 2FA.
2FA is enforced for Owner and Manager roles, and any account with payout authority.
API access uses short-lived signed tokens with monthly key rotation.

Infrastructure

Google Cloud Platform (São Paulo + Iowa) — managed services only.
Cloudflare in front of every public endpoint (DDoS, WAF, bot management, rate limiting).
Container images built from minimal bases, signed, CVE-scanned on every build.
Infrastructure as Code, reviewed like application code.
Production deploys require two-person review and a one-click rollback.

Internal access

Employees sign in with SSO + hardware security key (YubiKey or platform passkey).
Most engineers have zero standing access to production. Access is requested just-in-time, time-bound, and logged.
All production access is reviewed quarterly.

Monitoring

Continuous monitoring across application, infrastructure, and security signals — error rates, latency, anomalous sign-ins, payment-flow integrity. Alerts route to a 24/7 on-call rotation. Audit logs retained 12 months.

Incident response

Documented runbook with severities, response times, and decision-makers. In the event of a confirmed personal-data breach, we notify affected Partners and the relevant authorities (US state AGs, Colombian SIC, EU DPAs) within the deadlines set by each applicable law — 72 hours under GDPR and Law 1581; faster where US state statutes require.

Responsible disclosure

Report vulnerabilities to security@hesett.com. We commit to:

Acknowledge within 48 hours.
Triage and reproduce within 5 business days.
Patch critical vulnerabilities within 30 days.
Credit the reporter (with permission) in our security hall of fame.
Not pursue legal action against good-faith researchers who follow the rules below.

Please do not exploit beyond proof of concept, access other Partners' data, or perform denial-of-service attacks.

Compliance

US privacy laws — CCPA/CPRA, Virginia VCDPA, Colorado CPA honored where applicable.
GDPR — DPO appointed, DPA available, SCCs in place.
Colombia Law 1581 — registered with the SIC, processor agreements documented.
PCI-DSS SAQ A via Stripe Connect.
SOC 2 Type II — audit in progress; report available under NDA.

Contact

Security reports: security@hesett.com
General security questions: support@hesett.com
PGP key for sensitive reports: available on request.