
Security.

How Hoist protects records, approves connected access, logs searches, handles incidents, and reports its certification status.

Last updated 2026-06-05

Data protection

  • In transit: Data sent to Hoist travels over HTTPS. Public service hosts enforce modern browser security settings.
  • At rest: Stored records and logs are encrypted.
  • Least data: We keep the data needed to run searches, support accounts, prove records, and meet legal obligations. We do not store card numbers or sign-in secrets.
  • Customer key controls: Higher-volume accounts can discuss customer-specific controls for record PDFs.

Sign-in and connected access

  • Account pages use hosted sign-in with common sign-in options such as email, password, and passkeys.
  • Connected AI tools and automated workflows must be approved before they can use an account.
  • Account users can review connected access and disconnect tools from the account surface.

Controls and limits

The Hoist Connector lets approved AI agents, assistants, business applications, and automated workflows run checks. The same safety rules apply regardless of how Hoist is called.

  • Human-approved connected access. The human user approves connected-tool access before it can be used. The tool cannot widen that access later.
  • Separate human and connected-tool paths. Human users sign in through the dashboard. Connected tools use their own approval path. Connected-tool access cannot be reused as dashboard sign-in, and dashboard sign-in cannot be reused as connected-tool approval.
  • Org-only guard at the boundary. Hoist rejects individual-grantor requests before any search is sent to a register or partner. There is no connected-tool access or support flag that bypasses it.
  • No silent spend. Paid searches require a price-confirmation step. A connected tool cannot initiate a billable PPSR or ABN search unless the human-approved access includes that action.
  • No support bypass. Support cannot turn on person searches or bypass price confirmation.

Logs and customer evidence

Search activity is recorded with the account, approved access, search type, time, outcome, and record reference. Logs do not store sign-in secrets, prompts, card numbers, or unrelated account data. Customers can use Evidence Packs and account activity to review what happened.
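The rules in "Controls and limits" and the audit record described above can be expressed as one policy check. The following is an added, hypothetical model written for this page, not Hoist's own code: the names `Grant`, `Request`, `authorize()` and the field and action names are assumptions. It shows the four guards applied in a fixed order regardless of the calling channel (credential kind must match the path, org-only check before anything else and ignoring any support flag, no widening beyond the approved actions, price confirmation for billable searches), and it builds the audit record from an allow-list so that prompts or secrets a caller happens to pass are never written.

```python
"""Illustrative enforcement of the access rules on this page.
Hypothetical model, not Hoist's code: Grant, Request, authorize()
and the action names below are assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Tuple

# Actions that cost money and therefore need an explicit grant plus a
# price-confirmation step before a connected tool may run them.
BILLABLE_ACTIONS = {"ppsr_search", "abn_search"}
# Grantor types rejected at the boundary, whatever the grant or support flag says.
BLOCKED_GRANTOR_TYPES = {"individual"}
# The only fields an audit record may contain. Anything else a caller passes
# (prompt text, sign-in secrets, card numbers) is dropped before writing.
AUDIT_FIELDS = ("account", "grant_id", "search_type", "time", "outcome", "record_ref")


@dataclass(frozen=True)
class Grant:
    """Approval a human gave a connected tool. Scope is fixed at approval time."""
    grant_id: str
    account: str
    kind: str                  # "connector" or "dashboard"
    actions: frozenset         # actions the human approved


@dataclass
class Request:
    grant: Grant
    channel: str               # "connector" or "dashboard": how Hoist was called
    action: str
    grantor_type: str          # "organisation" or "individual" (constructed values)
    price_confirmed: bool = False
    support_override: bool = False              # deliberately never consulted
    extra: dict = field(default_factory=dict)   # e.g. prompt text; never logged


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict


def _evaluate(req: Request) -> Tuple[bool, str]:
    # Separate paths: a dashboard session is not a connector grant and vice versa.
    if req.grant.kind != req.channel:
        return False, "credential_kind_mismatch"
    # Org-only guard at the boundary, before any search would be sent on.
    # req.support_override is intentionally ignored here.
    if req.grantor_type in BLOCKED_GRANTOR_TYPES:
        return False, "individual_grantor"
    # The tool cannot widen its access: only human-approved actions pass.
    if req.action not in req.grant.actions:
        return False, "action_not_granted"
    # No silent spend: billable searches need the price-confirmation step.
    if req.action in BILLABLE_ACTIONS and not req.price_confirmed:
        return False, "price_not_confirmed"
    return True, "ok"


def authorize(req: Request, now: Optional[datetime] = None) -> Decision:
    """Apply the same rules regardless of channel, then build an audit record
    that carries only allow-listed fields."""
    now = now or datetime.now(timezone.utc)
    allowed, reason = _evaluate(req)
    raw = {
        "account": req.grant.account,
        "grant_id": req.grant.grant_id,
        "search_type": req.action,
        "time": now.isoformat(),
        "outcome": "allowed" if allowed else f"denied:{reason}",
        "record_ref": None,   # filled in once a record exists
        **req.extra,          # could contain prompts or secrets from the caller
    }
    audit = {k: raw[k] for k in AUDIT_FIELDS}   # allow-list, not deny-list
    return Decision(allowed, reason, audit)


if __name__ == "__main__":
    # Constructed sample: a connector grant approved for PPSR searches only.
    g = Grant("grant-1", "acct-42", "connector", frozenset({"ppsr_search"}))
    d = authorize(Request(g, "connector", "ppsr_search", "organisation",
                          price_confirmed=True, extra={"prompt": "do not log me"}))
    print(d.allowed, d.reason, d.audit)
    print(authorize(Request(g, "connector", "abn_search", "organisation",
                            price_confirmed=True)).reason)
```

The ordering matters: the grantor-type check runs before the scope and price checks, so an individual-grantor request is refused even when everything else about it is valid, and no branch reads `support_override`. Using an allow-list for the audit fields means a new input field is safe by default rather than something to remember to redact.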

This public summary is enough for first-pass procurement review. Detailed security evidence is available on request.

Testing and reviews

Connected-tool access is in scope for third-party penetration tests and security reviews alongside the rest of the service. We do not treat AI-agent access as a side channel.

Annual third-party penetration test. Last test: 2025-09 (pre-launch); next scheduled 2026-09. Executive summary available on request under NDA.

Certifications - honest status

  • SOC 2: Not certified today.
  • ISO 27001: Not certified today.
  • PCI-DSS: Out of scope - Stripe is merchant of record and holds card data.
  • IRAP / Australian Government: Not yet. Talk to us if you need this.

We will not display a fake "SOC 2 in progress" badge before it's real. When something changes, it appears in /changelog.

Disclosure and support

Report security issues through the current contact route at /contact/. Do not send secrets through the public intake until an operator-supplied PGP key is published in /.well-known/security.txt. We acknowledge within 24 hours, fix critical issues within 7 days, and disclose publicly within 30 days of the fix.

For billing, account access, setup help, or questions about a record, use /contact/ and mark it as support.

Bug bounty

We pay A$50 to A$2,500 for valid security reports depending on severity. Email us first.

Incidents

None publicly reported. If we have one, it gets a status-page entry, an email to affected customers within 72 hours, and a post-mortem at /blog.