// Trust & Security Report
Hoppscotch Limited
Open-source API development ecosystem (Community, Cloud, Enterprise editions). Provides REST client, collections, environments, scripting, and team collaboration for API development; available as web app, desktop, and CLI.
Certifications held
0
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 9 unconfirmed / not-held certifications
source: docs.hoppscotch.ioNo mention in security policy or public documentation
source: docs.hoppscotch.ioNo mention in security policy or public documentation
source: docs.hoppscotch.ioNo mention in security policy or public documentation
source: docs.hoppscotch.ioNo mention in security policy or public documentation
source: docs.hoppscotch.ioNo mention in security policy or public documentation
source: docs.hoppscotch.ioNo explicit GDPR compliance statement. Privacy policy does not address GDPR mechanisms, data processing agreements, or specific data region commitments
source: docs.hoppscotch.ioNo mention in privacy policy, terms of service, or security documentation
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
Unspecified
Privacy policy states: 'We partner with OpenAI, the creators of GPT-4o mini, to offer you enhanced API development and testing capabilities' and 'In doing so, we may share the user-generated information you include in your prompts and APIs to generate content and provide enhanced AI capabilities.' OpenAI may then use that data per its own privacy policy. No opt-out mechanism documented.
// Security controls
Encryption in Transit
AES-256-GCM with X25519 key exchange for Agent communication; standard HTTPS for web platform
docs.hoppscotch.ioEncryption at Rest
Self-hosted deployments rely on customer database encryption. Cloud offering does not publicly specify.
docs.hoppscotch.ioScript Sandboxing
Pre- and post-request scripts run in QuickJS WebAssembly sandbox, isolated from browser context
docs.hoppscotch.ioData Integrity
Ed25519 signatures and per-file BLAKE3 integrity hashes for verifying remote bundles
docs.hoppscotch.ioRate Limiting & DDoS Protection
Request rate limiting and query complexity limits on GraphQL API for self-hosted deployments
docs.hoppscotch.ioData Residency Control
Full control via self-hosted Community/Enterprise Edition; Cloud Edition location unspecified
docs.hoppscotch.io// Products & data scope
data: Hosted by vendor; data processing location unspecified
Commercial cloud offering with unlimited collections and all features. Data shared with OpenAI for AI-enhanced capabilities. No explicit regional guarantees.
data: Customer-controlled infrastructure
Commercial self-hosted offering with SAML/OIDC SSO, audit logs, and on-premise deployment. Customer responsible for database encryption and backup security. Requires commercial license.
data: Customer-controlled if self-hosted; MIT licensed
Free, open-source edition (MIT License). Can be used for personal and commercial projects. Can be self-hosted for full data control.
// What to watch
- No formal security certifications (SOC 2, ISO 27001) despite commercial Cloud and Enterprise offerings
- Cloud product explicitly shares user-generated data and API content with OpenAI (per privacy policy); no opt-out documented
- No GDPR-specific language, commitment, or DPA despite being SAAS cloud product handling potentially sensitive API data
- No HIPAA compliance or BAA despite API platform potentially handling healthcare/regulated data
- Privacy policy states data may be transferred 'to locations where privacy laws may not be as protective' without specifying regions
- Enterprise Edition offers SAML/OIDC/audit logs but security policy makes no mention of compliance certifications for enterprise tier
- Self-hosted deployments place encryption/security responsibility on customer (PostgreSQL), shifting compliance burden
- No explicit DPA or data processing agreement documented; privacy policy notes it does not apply to business customers
// At a glance
Pricing model
Freemium: Community (free, open-source) + Cloud (commercial SaaS) + Enterprise (commercial self-hosted license)
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Hoppscotch Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
docs.hoppscotch.io