Legal · 04
Confidentiality Policy
Last updated · 30 May 2026
Confidentiality is not a feature of the Hackastra service — it is the service. Hackastra Infosec FZ-LLC ("Hackastra", "we") operates on the expectation that clients reach us with problems they cannot make public. This Confidentiality Policy sets out, in plain language, how we protect client information and incident details from the moment a channel is opened.
1. Our commitment
We treat the existence of an engagement, your identity, the content of your channel, technical findings, deliverables, and all related information as strictly confidential. We do not name clients in marketing. We do not publish case studies that identify clients. We do not discuss live or past engagements with third parties without express written consent.
2. Scope
This policy applies to all:
- Messages exchanged through the chat channel and any successor channels.
- Engagement letters, scope documents, invoices, and correspondence.
- Forensic artefacts, logs, indicators, screenshots, and other technical material received from you.
- Hackastra deliverables (findings reports, remediation plans, advisories) prepared for you.
3. Staff & contractor obligations (NDAs)
- Every member of the Hackastra response team — employees and approved contractors — signs a written confidentiality and non-disclosure agreement (NDA) as a condition of access.
- Access to client information is granted on a strict need-to-know basis. Each engagement has a named lead responder and a minimal supporting team.
- Access permissions are reviewed periodically and revoked immediately on a team member leaving the engagement or the company.
- Confidentiality obligations on our team survive termination of employment or engagement indefinitely.
4. Data handling
- All traffic to and from hackastra.com is encrypted in transit using HTTPS / TLS.
- Operator credentials are stored only as one-way bcrypt hashes. Operator sessions use short-lived signed tokens.
- Engagement data is segregated per engagement so that one client's data cannot be observed by another client's response team.
- Storage media and backups are encrypted at rest.
- On request, we will move sensitive material to an out-of-band, end-to-end encrypted channel within minutes.
5. Vendors & subcontractors
We use a small number of vetted infrastructure vendors (for example, hosting, email delivery, and database providers) strictly to operate the service. Those vendors are bound by written confidentiality terms equivalent in substance to this policy. Where an engagement requires specialist subcontractors (for example, a forensic data-recovery partner), they are engaged only with your prior written consent and under a back-to-back NDA.
6. Disclosure exceptions
Hackastra will not voluntarily disclose your information. We may disclose where (a) you have given us prior written consent, or (b) we are compelled by a valid order of a competent UAE court or authority. Where lawfully permitted, we will notify you before disclosure so that you may take protective measures, including seeking a protective order.
7. Marketing & references
We do not use client engagements as marketing material by default. If you wish to serve as a reference or co-author a redacted case study, that decision is yours, in writing, after the engagement closes.
8. Post-engagement
At the close of an engagement, we will, on request: (a) return or destroy forensic artefacts and other client-supplied material that we no longer need to hold; (b) purge channel transcripts; and (c) retain only the minimum records required by UAE law. Some retention is required by law and cannot be waived.
9. Breach response
If Hackastra becomes aware of a confidentiality or personal-data breach materially affecting you, we will notify you and, where required, the competent UAE authority, in line with our obligations under UAE Federal Decree-Law No. 45 of 2021 and any other applicable laws.
10. Contact
For questions about this Policy, or to file a confidentiality concern, contact legal@hackastra.com.