Responsible Disclosure
Hael takes the security of its platform and the data it processes seriously. We welcome security researchers and customers reporting vulnerabilities to us privately, so we can fix them before they cause harm.
How to report
Email security@hael.ai (placeholder — to be replaced with the production address before launch). Include a clear description of the issue, steps to reproduce, the affected URL or component, and any proof-of-concept material. We acknowledge reports within one business day.
Scope
The following are in scope for responsible disclosure:
- The Hael web application at app.hael.ai (placeholder).
- Hael marketing properties at www.hael.ai (placeholder).
- Hael's public API endpoints.
The following are out of scope:
- Findings from automated scanners without a clear, reproducible impact.
- Social engineering of Hael employees, contractors, or customers.
- Physical attacks against Hael facilities.
- Denial-of-service attacks or testing that degrades service for other users.
- Findings against third-party subprocessors — please report those directly to the vendor.
Safe harbour
We will not pursue legal action against researchers who, in good faith, comply with this policy: report privately, avoid privacy violations and destruction of data, do not degrade our service, and give us a reasonable window to remediate before any public disclosure (typically 90 days, by mutual agreement).
Coordinated disclosure
We work with reporters to coordinate disclosure timelines. We credit researchers in our security advisories where they wish to be credited.
What we don't offer
Hael does not currently operate a paid bug bounty programme. We may introduce one in future; for now, recognition and coordinated disclosure are how we acknowledge reports.
Contact
Security reports: security@hael.ai (placeholder address).
General security questions: see the live Trust Center or contact us via the contact page.