Hiring decisions need to survive scrutiny. From candidates. From auditors. From the EEOC. Our architecture is designed so they can.
Last reviewed May 19, 2026
What we don't store
The cleanest privacy posture is the data you never collect.
Interview audio streams during the session and is never persisted.
Video is never collected. Integrity signals run in the browser; only resulting flags are stored.
We do not collect, derive, or store biometric identifiers of any kind.
Frameworks we design against
We don't claim certifications we don't hold. Below is what we've built against, and what remains in flight.
SOC 2: Defense-in-depth controls, audit-logged privileged actions, immutable migrations, and a tested rollback path.
Self-service account deletion with a 30-day grace period. Data access requests handled by our team. Every consent grant and withdrawal is logged.
Daily 4/5ths-rule analysis on every active posting, with intersectional sample-size minimums.
Demographic data is isolated from scoring. The data model is built to support the annual independent bias audit.
Card data never touches our servers. Billing runs through a PCI-compliant hosted checkout and customer portal.
Structured interviews, validated competency rubrics, criterion-validity research design. The science is the product.
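The daily 4/5ths-rule check described above, as an added example (not the product's own code): selection rates per cell, impact ratios against the best-performing cell, an "insufficient_sample" status for cells under a minimum size, and the same routine run per single axis and per intersection. The minimum cell size of 30, the axis names, and the applicant counts are constructed assumptions; the page states that a minimum exists but not its value.

```python
from collections import defaultdict

FOUR_FIFTHS = 0.8      # adverse-impact threshold from the Uniform Guidelines
MIN_CELL_SIZE = 30     # hypothetical minimum applicants per cell (assumed value)


def adverse_impact(records, axes, min_n=MIN_CELL_SIZE):
    """Selection rate and impact ratio for every cell defined by `axes`.

    A cell is one value combination, e.g. ("F", "R2") for axes ("gender", "race").
    Cells below min_n get status "insufficient_sample" and no ratio, so a handful
    of applicants cannot trip the flag. The reference rate is the highest rate
    among cells that meet the minimum, as the 4/5ths rule prescribes.
    """
    counts = defaultdict(lambda: [0, 0])           # cell -> [applicants, advanced]
    for r in records:
        cell = tuple(r[a] for a in axes)
        counts[cell][0] += 1
        counts[cell][1] += 1 if r["advanced"] else 0

    rates = {c: adv / n for c, (n, adv) in counts.items() if n >= min_n}
    top = max(rates.values(), default=0.0)

    report = {}
    for cell, (n, adv) in counts.items():
        if cell not in rates:
            report[cell] = {"n": n, "rate": adv / n, "ratio": None,
                            "status": "insufficient_sample"}
        elif top == 0.0:
            # Nobody advanced anywhere: a ratio would be 0/0, so report it as such.
            report[cell] = {"n": n, "rate": 0.0, "ratio": None,
                            "status": "no_advancements"}
        else:
            ratio = rates[cell] / top
            status = "adverse_impact" if ratio < FOUR_FIFTHS else "ok"
            report[cell] = {"n": n, "rate": rates[cell], "ratio": ratio, "status": status}
    return report


def daily_check(records, axes=("gender", "race")):
    """Run every single axis plus the full intersection, as a daily job would per posting."""
    results = {(ax,): adverse_impact(records, (ax,)) for ax in axes}
    results[tuple(axes)] = adverse_impact(records, tuple(axes))
    return results


def flagged_cells(results):
    """(axes, cell) pairs the daily job should raise, across all axis sets."""
    return sorted((axes, cell) for axes, rep in results.items()
                  for cell, v in rep.items() if v["status"] == "adverse_impact")


def _expand(cells):
    """Turn {(gender, race): (applicants, advanced)} into flat applicant records."""
    return [{"gender": g, "race": r, "advanced": i < adv}
            for (g, r), (n, adv) in cells.items() for i in range(n)]


# Constructed sample for one posting; counts chosen so all three statuses appear.
SAMPLE_RECORDS = _expand({
    ("F", "R1"): (100, 50),
    ("F", "R2"): (80, 30),
    ("M", "R1"): (120, 60),
    ("M", "R2"): (10, 2),
})

if __name__ == "__main__":
    for axes, cell in flagged_cells(daily_check(SAMPLE_RECORDS)):
        print("adverse impact:", axes, cell)
```

With this data the intersection flags ("F", "R2") at a ratio of 0.75 while ("M", "R2") is reported as an insufficient sample rather than flagged, and the race axis alone flags "R2"; the gender axis alone passes. That last point is why the intersectional run matters: a single-axis check can pass while a cell inside it fails.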
How we protect data
AES-256 at rest in our managed Postgres database and object storage. TLS 1.2+ in transit, with HSTS preloaded for two years.
Row-level security is the final, mandatory gate. Cross-tenant reads are denied by the database itself, not only by application code.
Names, exact graduation years, addresses below ZIP-3, and demographic proxies are stripped before any AI consumer reads the profile.
Candidate email is encrypted with libsodium XSalsa20-Poly1305 under a key held in a managed secrets vault. Even with full database access, attackers see ciphertext, not addresses.
TOTP multi-factor authentication is available on every account and can be required for an entire workspace.
Per-IP rate limits on authentication and intake endpoints. Configurable lockout thresholds. Every denial is logged.
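The per-IP rate limit and lockout pattern described above, as an added example that is not the product's own code: a sliding window on request count, a separate counter of consecutive failed logins that triggers a timed lockout, and a structured record for every denial. The thresholds, the injectable clock, and the IP addresses are constructed for illustration.

```python
import time
from collections import defaultdict, deque


class AuthRateLimiter:
    """Per-IP sliding-window limit plus a lockout after repeated failed logins.

    `now` is injectable so the behaviour can be exercised with a fake clock.
    Every denial is appended to `denial_log` as a structured record.
    """

    def __init__(self, max_attempts=10, window_s=60, lockout_after=5,
                 lockout_s=900, now=time.monotonic):
        self.max_attempts = max_attempts      # requests allowed per window per IP
        self.window_s = window_s
        self.lockout_after = lockout_after    # consecutive failed logins before lockout
        self.lockout_s = lockout_s
        self.now = now
        self.attempts = defaultdict(deque)    # ip -> request timestamps inside the window
        self.failures = defaultdict(int)      # ip -> consecutive failed logins
        self.locked_until = {}                # ip -> clock value when the lockout ends
        self.denial_log = []

    def _deny(self, ip, reason):
        self.denial_log.append({"t": self.now(), "ip": ip, "reason": reason})
        return False, reason

    def check(self, ip):
        """Call before handling a login or intake request. Returns (allowed, reason)."""
        t = self.now()
        until = self.locked_until.get(ip)
        if until is not None and t < until:
            return self._deny(ip, "locked_out")
        q = self.attempts[ip]
        while q and t - q[0] >= self.window_s:  # drop timestamps that left the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return self._deny(ip, "rate_limited")
        q.append(t)
        return True, "ok"

    def record_result(self, ip, success):
        """Call after the credential check; failures count toward the lockout."""
        if success:
            self.failures[ip] = 0
            return
        self.failures[ip] += 1
        if self.failures[ip] >= self.lockout_after:
            self.locked_until[ip] = self.now() + self.lockout_s
            self.failures[ip] = 0


if __name__ == "__main__":
    limiter = AuthRateLimiter(max_attempts=3, window_s=60)
    for _ in range(4):
        print(limiter.check("203.0.113.7"))   # constructed address; fourth call is denied
    print(limiter.denial_log)
```

The two mechanisms are deliberately separate: the window limit caps request volume regardless of outcome, while the lockout reacts only to failed credential checks, so a burst of successful API calls from one office address is not treated like a password-guessing run.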
Auditability
We write to a tamper-evident audit log on every login, permission change, admin read, cron execution, and consent grant. Each row carries an HMAC-SHA256 tag computed under a rotating key. Any later mutation of the row breaks verification.
Audit logs are partitioned by month and retained for 7 years, the EEOC record-keeping floor for employment decisions. IP addresses are anonymized after 90 days, in line with the GDPR storage-limitation principle.
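The audit-log properties described in this section, as an added example that is not the product's own code: each row carries an HMAC-SHA256 tag under whichever key is current, keys are looked up by id so rotation does not invalidate older rows, and any change to a tagged field fails verification. It goes beyond the page in one respect: rows are chained to the previous tag and carry a sequence number, so deleting or reordering rows is detected as well as editing them (truncating the tail is still not detected without an external record of the last tag). It also assumes the IP address is stored outside the authenticated payload, since otherwise the 90-day anonymization would itself break verification; the page does not say how the two are reconciled. Key ids, key bytes, events, and addresses are constructed placeholders.

```python
import copy
import hashlib
import hmac
import ipaddress
import json


class KeyRing:
    """Holds every HMAC key ever used, by id; new rows use `current`."""

    def __init__(self, key_id, key):
        self.keys = {key_id: key}
        self.current = key_id

    def rotate(self, key_id, key):
        self.keys[key_id] = key
        self.current = key_id


def _canonical(payload):
    # Stable serialisation so the same logical row always yields the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


def _tag(key, prev_tag, payload):
    msg = (prev_tag + "|" + _canonical(payload)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_row(keyring, rows, event, actor, ts, ip):
    """Append one audit row. The IP sits outside the authenticated payload."""
    payload = {"seq": len(rows) + 1, "event": event, "actor": actor, "ts": ts}
    prev_tag = rows[-1]["tag"] if rows else ""
    row = {"payload": payload, "ip": ip, "key_id": keyring.current,
           "tag": _tag(keyring.keys[keyring.current], prev_tag, payload)}
    rows.append(row)
    return row


def verify_log(keyring, rows):
    """Return (True, None) if every tag and the chain verify, else (False, seq)."""
    prev_tag = ""
    for i, row in enumerate(rows, start=1):
        seq = row["payload"]["seq"]
        key = keyring.keys.get(row["key_id"])
        if seq != i or key is None:          # gap, reorder, or unknown key id
            return False, seq
        expected = _tag(key, prev_tag, row["payload"])
        if not hmac.compare_digest(expected, row["tag"]):
            return False, seq
        prev_tag = row["tag"]
    return True, None


def anonymize_ip(ip):
    """Truncate to /24 (IPv4) or /48 (IPv6); the tag does not cover this field."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def tampered(rows, seq, field, value):
    """Deep copy of the log with one payload field changed, for verification tests."""
    altered = copy.deepcopy(rows)
    altered[seq - 1]["payload"][field] = value
    return altered


def build_sample_log():
    """Constructed three-row log spanning one key rotation (placeholder keys)."""
    kr = KeyRing("2026-04", b"k" * 32)
    rows = []
    append_row(kr, rows, "login", "alice", "2026-05-19T09:00:00Z", "203.0.113.7")
    append_row(kr, rows, "admin_read", "alice", "2026-05-19T09:05:00Z", "203.0.113.7")
    kr.rotate("2026-05", b"m" * 32)
    append_row(kr, rows, "permission_change", "bob", "2026-05-19T10:00:00Z", "2001:db8::1")
    return kr, rows


if __name__ == "__main__":
    kr, rows = build_sample_log()
    print("intact:", verify_log(kr, rows))
    print("edited:", verify_log(kr, tampered(rows, 2, "actor", "mallory")))
    print("row 1 deleted:", verify_log(kr, rows[1:]))
```

Retired keys must stay readable for the full 7-year retention period, since a row tagged under a 2026 key is verified against that key in 2033; rotation changes which key tags new rows, never which key verifies old ones.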
In progress
Radical honesty about gaps is itself a security signal.
Controls are mapped today. External auditor engagement planned for late 2026.
First annual engagement scheduled for Q4 2026.
Six in progress with our AI, voice, and observability vendors. The full registry is published and updated quarterly.
Data model is in place. External audit will be engaged ahead of any in-scope hiring activity in NYC.
Working through a security review?
We'll come back with answers, evidence, and links to the relevant tests in the same week.
Talk to us