Our customer-focused culture ensures that security is a top priority. We are open and transparent with our security program so you can feel safe using our cloud and server products. Hindsight operates an Information Security Management System (ISMS) based on ISO27001 and uses ISO27002 and CSA Cloud Controls Matrix v3.0 as a source of controls. Hindsight isn't certified under ISO27001 but is certified under the Cyber Essentials scheme. View the certificate

Cloud security statement

Our Cloud security statement details many of the questions that we receive from customers about how we run and secure our cloud services. Read the statement

Report a vulnerability

We love hearing about ways we can improve the security of our products. Our commitment to delivering secure software for our customers is aided by the security community.

If you have found a security vulnerability, please disclose it to us by emailing the details to security@hindsightsoftware.com. If the vulnerability is new to us, we will reward you with some free Behave Pro swag. Hindsight makes all vulnerability bug reports a priority and will respond within 24 hours or less.

Security bug fix policy

In the event of a vulnerability, we will assess the severity and if necessary notify any customers that may be affected within 24 hours.

Hindsight aims to meet the following guidelines for deploying security issue fixes and they are categorised into the 4 severity levels, which usually have some of the following characteristics:


  • CVSS v2 score >= 8, CVSS v3 score >= 9

  • Exploitation results in compromise of servers or infrastructure

  • Data required to exploit the vulnerability is widely available

  • Exploitation doesn't require any special credentials or knowledge

Hindsight aims to resolve this vulnerability level within 24 hours or as soon as possible.


  • CVSS v2 score >= 6, CVSS v3 score >= 7

  • Difficult to exploit

  • Exploitation does not result in special privileges or data loss

Hindsight aims to resolve this vulnerability level within 1 week.


  • CVSS v2 score >= 3, CVSS v3 score >= 4

  • Denial of service vulnerabilities that are difficult to set up

  • Require an attacker to reside on the same local network as the victim

  • Require an attacker to manipulate the victim via social engineering

  • Vulnerabilities where the outcome provides very limited access

Hindsight aims to resolve this vulnerability level within 2 weeks.


  • Little to no impact to the organisations business

  • Vulnerabilities that require physical access to the system

Hindsight aims to resolve this vulnerability level within 1 month.