Shared Responsibility Model

Last updated: January 2026

Security in the Hoppa platform is a shared responsibility between Hoppa and our customers. This document outlines who is responsible for what, helping you understand how we work together to keep your data secure.

Overview

Hoppa provides an AI-powered document analysis and classification platform for the construction and infrastructure sectors. We offer two service models:

  • Software as a Service (SaaS) — Customers use the Hoppa platform directly to analyse and classify their documents.
  • Managed Service — Hoppa personnel carry out document cataloguing on behalf of the customer, using the same secure platform.

Under both models, the division of responsibilities remains the same. Hoppa is responsible for securing the platform and infrastructure, while customers are responsible for providing secure access to their documents and managing the outputs.

This shared responsibility model applies to the Hoppa platform and its integrations with third-party systems. It does not cover the third-party systems themselves, which are subject to their own security policies and shared responsibility models.

Hoppa's Responsibilities

Infrastructure and Platform Security

Hoppa is responsible for the security of the cloud infrastructure that powers the platform. This includes:

  • Physical security of data centres (managed by Microsoft Azure)
  • Network security, firewalls, and intrusion detection
  • Server and compute infrastructure security
  • Operating system and platform maintenance and patching
  • Application security and secure development practices

Data Protection

Hoppa implements robust data protection measures:

  • Encryption at rest using AES-256
  • Encryption in transit using TLS 1.2 or higher
  • Logical separation of customer data through API controls
  • Physical separation of customer data using dedicated Azure Storage containers
  • Data retention management, with customer data retained for 30 days following contract termination as standard

Authentication and Access Control

Hoppa provides secure authentication through:

  • Auth0-based authentication with multi-factor authentication
  • Microsoft SSO integration for customers who prefer it
  • Administration of user accounts and permissions on behalf of customers

Backup and Disaster Recovery

Hoppa is responsible for:

  • Regular backups of platform data
  • Disaster recovery planning and implementation
  • Business continuity measures to maintain service availability

Compliance and Certifications

Hoppa maintains the following certifications and commitments:

  • Cyber Essentials certified
  • Cyber Essentials Plus certified
  • Aligned to ISO 27001 principles in preparation for accreditation

Incident Response

In the event of a security incident affecting customer data, Hoppa will:

  • Investigate and contain the incident promptly
  • Notify affected customers via email within 48 hours
  • Provide relevant details and guidance on any actions customers should take

Third-Party Processing

When customer documents are processed through integrated services:

  • Azure OpenAI Service is used for AI-powered analysis, with all processing occurring within Azure's infrastructure. Customer data is not used for model training.
  • Autodesk Platform Services is used for document conversion and content extraction. Documents are processed in the UK and stored by Autodesk for 24 hours before deletion.

Data Residency

All Hoppa Azure resources are hosted within the UK and EU regions.

Audit and Logging

Hoppa provides:

  • Document analysis logs accessible through the Hoppa Web App
  • Audit logs available to customers on request

Customer Responsibilities

User Access Management

Customers are responsible for:

  • Determining which users should have access to their Hoppa account
  • Requesting user account creation, modification, or removal through Hoppa
  • Ensuring users follow appropriate security practices, including protecting their credentials
  • Promptly reporting any suspected unauthorised access or compromised credentials

Data Ownership and Rights

Customers are responsible for:

  • Ensuring they have the legal right to upload and process documents through Hoppa
  • Complying with applicable data protection regulations for the data they process
  • Determining the appropriate classification and handling of their own data
  • Managing any intellectual property or confidentiality obligations related to their documents

Configuration and Use

Customers are responsible for:

  • Configuring classification taxonomies and settings appropriate to their needs (such as Uniclass or custom schemes)
  • Reviewing and validating AI-generated classifications and metadata
  • Using the platform in accordance with Hoppa's acceptable use policies

Data Export and Retention

Customers are responsible for:

  • Exporting any data they wish to retain beyond the standard retention period
  • Maintaining their own backups of critical outputs if required for their business continuity
  • Communicating any extended retention requirements before contract termination

Document Access

Whether using the SaaS platform directly or the managed service:

  • Customers are responsible for providing secure access to their documents
  • When connecting Hoppa to document management systems, customers must configure appropriate permissions in their source systems
  • The delegated user permission model means Hoppa (or Hoppa personnel in the managed service) accesses documents with the permissions of the authenticated user
  • Customers should ensure their document management system access controls are appropriately configured

Compliance

Customers are responsible for:

  • Understanding their own regulatory and compliance obligations
  • Ensuring their use of Hoppa meets those obligations
  • Requesting audit logs or other documentation needed for their compliance activities

Summary

Area                                    Hoppa    Customer
Physical infrastructure                 ✓
Network security                        ✓
Platform and application security       ✓
Data encryption                         ✓
Authentication infrastructure           ✓
User account administration             ✓
Backup and disaster recovery            ✓
Incident response and notification      ✓
Determining user access requirements             ✓
Document ownership and rights                    ✓
Classification configuration                     ✓
Data export and extended retention               ✓
Source system permissions                        ✓
Regulatory compliance for their data             ✓

Questions

If you have questions about this shared responsibility model or your security obligations, please contact us at admin@hoppa.ai or speak with your account manager.