// Trust & Security Report

    Hoppscotch Limited logo

    Hoppscotch Limited

    Open-source API development ecosystem (Community, Cloud, Enterprise editions). Provides REST client, collections, environments, scripting, and team collaboration for API development; available as web app, desktop, and CLI.

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 9 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    No mention in security policy or public documentation

    source: docs.hoppscotch.io
    SOC 2 Type 2
    NOT CONFIRMED

    No mention in security policy or public documentation

    source: docs.hoppscotch.io
    ISO 27001
    NOT CONFIRMED

    No mention in security policy or public documentation

    source: docs.hoppscotch.io
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No mention in security policy or public documentation

    source: docs.hoppscotch.io
    ISO 27018 (PII Protection)
    NOT CONFIRMED

    No mention in security policy or public documentation

    source: docs.hoppscotch.io
    GDPR Compliance
    NOT CONFIRMED

    No explicit GDPR compliance statement. Privacy policy does not address GDPR mechanisms, data processing agreements, or specific data region commitments

    source: docs.hoppscotch.io
    HIPAA
    NOT CONFIRMED

    No mention in privacy policy, terms of service, or security documentation

    source: docs.hoppscotch.io
    PCI DSS
    NOT CONFIRMED

    No mention in security policy or public documentation

    source: docs.hoppscotch.io
    FedRAMP
    NOT CONFIRMED

    No mention in security policy or public documentation

    source: docs.hoppscotch.io

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    Unspecified

    Privacy policy states: 'We partner with OpenAI, the creators of GPT-4o mini, to offer you enhanced API development and testing capabilities' and 'In doing so, we may share the user-generated information you include in your prompts and APIs to generate content and provide enhanced AI capabilities.' OpenAI may then use that data per its own privacy policy. No opt-out mechanism documented.

    // Security controls

    Encryption in Transit

    AES-256-GCM with X25519 key exchange for Agent communication; standard HTTPS for web platform

    docs.hoppscotch.io

    Encryption at Rest

    Self-hosted deployments rely on customer database encryption. Cloud offering does not publicly specify.

    docs.hoppscotch.io

    Authentication (Enterprise)

    SAML-based SSO, OIDC support

    docs.hoppscotch.io

    Audit Logging (Enterprise)

    Audit logs for monitoring activities

    docs.hoppscotch.io

    Script Sandboxing

    Pre- and post-request scripts run in QuickJS WebAssembly sandbox, isolated from browser context

    docs.hoppscotch.io

    Data Integrity

    Ed25519 signatures and per-file BLAKE3 integrity hashes for verifying remote bundles

    docs.hoppscotch.io

    Rate Limiting & DDoS Protection

    Request rate limiting and query complexity limits on GraphQL API for self-hosted deployments

    docs.hoppscotch.io

    Data Residency Control

    Full control via self-hosted Community/Enterprise Edition; Cloud Edition location unspecified

    docs.hoppscotch.io

    // Products & data scope

    Hoppscotch CloudSaaS - API Development Platform

    data: Hosted by vendor; data processing location unspecified

    Commercial cloud offering with unlimited collections and all features. Data shared with OpenAI for AI-enhanced capabilities. No explicit regional guarantees.

    Hoppscotch Enterprise EditionSelf-Hosted - API Development Platform

    data: Customer-controlled infrastructure

    Commercial self-hosted offering with SAML/OIDC SSO, audit logs, and on-premise deployment. Customer responsible for database encryption and backup security. Requires commercial license.

    Hoppscotch Community EditionOpen-Source - API Development Platform

    data: Customer-controlled if self-hosted; MIT licensed

    Free, open-source edition (MIT License). Can be used for personal and commercial projects. Can be self-hosted for full data control.

    // What to watch

    • No formal security certifications (SOC 2, ISO 27001) despite commercial Cloud and Enterprise offerings
    • Cloud product explicitly shares user-generated data and API content with OpenAI (per privacy policy); no opt-out documented
    • No GDPR-specific language, commitment, or DPA despite being SAAS cloud product handling potentially sensitive API data
    • No HIPAA compliance or BAA despite API platform potentially handling healthcare/regulated data
    • Privacy policy states data may be transferred 'to locations where privacy laws may not be as protective' without specifying regions
    • Enterprise Edition offers SAML/OIDC/audit logs but security policy makes no mention of compliance certifications for enterprise tier
    • Self-hosted deployments place encryption/security responsibility on customer (PostgreSQL), shifting compliance burden
    • No explicit DPA or data processing agreement documented; privacy policy notes it does not apply to business customers

    // At a glance

    Pricing model

    Freemium: Community (free, open-source) + Cloud (commercial SaaS) + Enterprise (commercial self-hosted license)

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Hoppscotch Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    docs.hoppscotch.io

    > Browse all vendor trust reports