Security & Compliance

Built for defensibility.

Hiring decisions need to survive scrutiny. From candidates. From auditors. From the EEOC. Our architecture is designed so they can.

Last reviewed May 19, 2026

What we don't store

No audio. No video. No biometric data.

The cleanest privacy posture is the data you never collect.

No audio storage

Interview audio streams during the session and is never persisted.

No video storage

Video is never collected. Integrity signals are computed in the browser; only the resulting flags are stored.

No biometric data

We do not collect, derive, or store biometric identifiers of any kind.

Frameworks we design against

Aligned with the standards that matter for hiring.

We don't claim certifications we don't hold. Below is what we've built against, and what remains in flight.

SOC 2

Controls mapped · Type I in preparation

Defense-in-depth controls, audit-logged privileged actions, immutable migrations, and a tested rollback path.

GDPR

Data subject rights supported

Self-service account deletion with a 30-day grace period. Data access requests handled by our team. Every consent grant and withdrawal is logged.

EEOC / UGESP

Adverse-impact testing built in

Daily 4/5ths-rule analysis on every active posting, with intersectional sample-size minimums.
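The four-fifths rule compares each group's selection rate with the rate of the most-selected group; an impact ratio below 0.8 is flagged. The following is an added example, not code from the page or the product, showing how such a daily check can be run per posting with intersectional groups (race × sex) and a sample-size minimum. The minimum of 30 applicants per group, the field names, and the applicant data are constructed assumptions; the page states that minimums exist but not their value. The constructed data also shows why the minimum matters: a ten-person group with a high rate would otherwise become the reference and flag the larger groups.

```python
from collections import defaultdict

# Constructed threshold: the page says intersectional sample-size minimums exist
# but does not state the number, so 30 applicants per group is an assumption here.
MIN_GROUP_SIZE = 30
FOUR_FIFTHS = 0.8


def selection_rates(applicants, group_keys):
    """Count applicants and selections per group.

    group_keys is a tuple of demographic field names; ("race", "sex") yields
    intersectional groups such as ("black", "female"). Applicants who did not
    disclose one of the fields are excluded rather than lumped together.
    """
    counts = defaultdict(lambda: [0, 0])  # group -> [applicants, selected]
    for a in applicants:
        group = tuple(a.get(k) for k in group_keys)
        if any(v is None for v in group):
            continue
        counts[group][0] += 1
        counts[group][1] += 1 if a["selected"] else 0
    return {g: (n, s, s / n) for g, (n, s) in counts.items()}


def four_fifths_analysis(rates, min_n=MIN_GROUP_SIZE):
    """Apply the UGESP four-fifths rule.

    The reference group is the one with the highest selection rate among groups
    meeting the sample-size minimum; every other group's rate divided by the
    reference rate is its impact ratio, flagged when below 0.8. Groups under the
    minimum are reported but neither flagged nor used as the reference.
    """
    eligible = {g: r for g, (n, _, r) in rates.items() if n >= min_n}
    if not eligible:
        return {"reference": None, "results": {}}
    ref_group = max(eligible, key=eligible.get)
    ref_rate = eligible[ref_group]
    results = {}
    for g, (n, s, r) in rates.items():
        if n < min_n:
            results[g] = {"n": n, "rate": r, "ratio": None, "flag": False,
                          "note": "below sample-size minimum"}
        else:
            ratio = r / ref_rate if ref_rate > 0 else None
            results[g] = {"n": n, "rate": r, "ratio": ratio,
                          "flag": ratio is not None and ratio < FOUR_FIFTHS,
                          "note": ""}
    return {"reference": ref_group, "results": results}


def make_applicants(race, sex, n, selected):
    """Constructed sample data: n applicants of one group, `selected` of them hired."""
    return [{"race": race, "sex": sex, "selected": i < selected} for i in range(n)]


def demo_applicants():
    # Constructed posting: the ten-person group has the highest rate (0.8) and
    # would become the reference if the sample-size minimum were not applied.
    return (make_applicants("white", "male", 50, 25)
            + make_applicants("black", "female", 40, 12)
            + make_applicants("asian", "male", 10, 8))


def demo(min_n=MIN_GROUP_SIZE):
    return four_fifths_analysis(selection_rates(demo_applicants(), ("race", "sex")), min_n)


if __name__ == "__main__":
    for group, r in demo()["results"].items():
        print(group, r)
```

Applicants who declined to self-identify are dropped from the comparison rather than pooled into an "unknown" group, since pooling would dilute the rates of the groups the rule is meant to protect.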

NYC Local Law 144

Bias-audit ready

Demographic data is isolated from scoring. The data model is built to support the annual independent bias audit.

PCI-DSS SAQ A

Scope minimized via hosted checkout

Card data never touches our servers. Billing runs through a PCI-compliant hosted checkout and customer portal.

SIOP / APA

Methodology-aligned

Structured interviews, validated competency rubrics, criterion-validity research design. The science is the product.

How we protect data

Defense in depth, end to end.

Encrypted at rest and in transit

AES-256 at rest in our managed Postgres database and object storage. TLS 1.2+ in transit, with HSTS preloaded at a two-year max-age.

Row-level security on PII tables

Row-level security is the final, mandatory gate: cross-tenant reads are rejected by the database itself, not only by application code.

Résumé redaction before any AI sees it

Names, exact graduation years, address detail finer than the three-digit ZIP prefix (ZIP-3), and demographic proxies are stripped before any AI consumer reads the profile.
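Redaction of this kind is safest as an allowlist: the AI-facing view is built only from named fields, so a newly added PII column is excluded by default rather than leaking until someone adds it to a denylist. The example below is added here and is not the product's code; the profile shape, field names, the choice to drop the school name as a possible demographic proxy, and the sample values are all constructed assumptions. It also includes a regression check that scans the serialized view for the sensitive literals that should never survive, which catches the common failure where free-text fields carry a name or email through.

```python
import copy
import json

# Constructed profile: the page does not describe its data model, so these
# field names and values are assumptions for the example.
SAMPLE_PROFILE = {
    "candidate_id": "c-0001",
    "name": "Example Person",
    "email": "person@example.com",
    "address": {"street": "1 Example St", "city": "Springfield",
                "state": "IL", "zip": "62704"},
    "education": [{"school": "State University", "degree": "BSc",
                   "field": "Computer Science", "year": 2014}],
    "experience": [{"title": "Backend Engineer", "years": 4,
                    "summary": "Built billing APIs and ran the on-call rotation."}],
    "skills": ["go", "postgres", "terraform"],
    "self_identified": {"race": "asian", "sex": "female"},
}


def redact_for_ai(profile):
    """Build the AI-facing view from an allowlist of fields.

    Name, email, street, full ZIP, graduation year, school (assumed here to be a
    demographic proxy) and self-identified demographics are never copied, so
    they cannot reach the output no matter what else the profile contains.
    """
    addr = profile.get("address") or {}
    zip3 = (addr.get("zip") or "")[:3] or None  # coarsen to ZIP-3
    return {
        "candidate_id": profile["candidate_id"],
        "location": {"state": addr.get("state"), "zip3": zip3},
        "education": [{"degree": e.get("degree"), "field": e.get("field")}
                      for e in profile.get("education", [])],
        "experience": [{"title": x.get("title"), "years": x.get("years"),
                        "summary": x.get("summary")}
                       for x in profile.get("experience", [])],
        "skills": list(profile.get("skills", [])),
    }


def leaked_values(view, profile):
    """Regression check: return the sensitive literals that survived redaction.

    Free-text fields (experience summaries) are copied verbatim, so this scan is
    what catches a name or email written into them.
    """
    blob = json.dumps(view).lower()
    addr = profile.get("address") or {}
    sensitive = [profile.get("name"), profile.get("email"),
                 addr.get("street"), addr.get("zip")]
    sensitive += [str(e["year"]) for e in profile.get("education", []) if e.get("year")]
    return [v for v in sensitive if v and v.lower() in blob]


def demo_leak_check():
    """Constructed failure case: a candidate pasted their own contact line into a summary."""
    leaky = copy.deepcopy(SAMPLE_PROFILE)
    leaky["experience"][0]["summary"] = "Reference: Example Person, person@example.com"
    return leaked_values(redact_for_ai(leaky), leaky)


if __name__ == "__main__":
    print(json.dumps(redact_for_ai(SAMPLE_PROFILE), indent=2))
    print("leaks in constructed failure case:", demo_leak_check())
```

The literal scan is a cheap backstop, not a substitute for the allowlist: it only knows the values present in the structured profile, so a name mentioned only in free text that differs from the `name` field would not be caught by it.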

Application-level cell encryption

Candidate email is encrypted with libsodium XSalsa20-Poly1305 under a key held in a managed secrets vault. Even with full database access, attackers see ciphertext, not addresses.

MFA available, enforceable per employer

TOTP multi-factor authentication is available on every account and can be required for an entire workspace.

Rate-limiting and account lockout

Per-IP rate limits on authentication and intake endpoints. Configurable lockout thresholds. Every denial is logged.

Auditability

Every privileged action is signed and stored.

We write to a tamper-evident audit log on every login, permission change, admin read, cron execution, and consent grant. Each row is HMAC-SHA256 signed with a rotating key. Any later mutation breaks verification.

Audit logs are partitioned by month and retained for 7 years, the EEOC record-keeping floor for employment decisions. IP addresses are anonymized after 90 days, per GDPR storage minimization.

HMAC-SHA256: signed audit rows, rotation supported
7 years: audit log retention floor
90 days: until IP addresses are anonymized
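A per-row HMAC detects edits to a row, but not deletion or reordering of whole rows; chaining each row's MAC over the previous row's MAC closes that gap. The example below is added here and is not the product's code: it shows HMAC-SHA256 rows with a key identifier for rotation (old keys kept for verification only), the chain, and the 90-day IP anonymization from the paragraph above. Two design points are assumptions rather than anything the page states: the IP address is kept outside the MAC-covered fields so anonymizing it does not invalidate the row, and the key material is constructed here while in practice it would come from the secrets vault. One caveat a reviewer will raise: HMAC is symmetric, so tamper evidence holds only against parties who cannot read the signing key, which is why the key belongs in the vault rather than next to the database.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed keys, one per rotation period. In production these would be read
# from the secrets vault by key_id; retired keys stay available for verification.
KEYS = {
    "k-2026-04": b"constructed-april-key-do-not-use",
    "k-2026-05": b"constructed-may-key-do-not-use",
}
ACTIVE_KEY_ID = "k-2026-05"

# Fields covered by the MAC. The IP address is deliberately left out (an
# assumption of this example) so the 90-day anonymization can rewrite it.
SIGNED_FIELDS = ("seq", "ts", "actor", "action", "target", "prev_mac", "key_id")
IP_RETENTION = timedelta(days=90)


def _canonical(row):
    """Deterministic byte encoding of the signed fields; a missing field becomes null."""
    payload = {f: row.get(f) for f in SIGNED_FIELDS}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def append_event(log, ts, actor, action, target, ip, key_id=ACTIVE_KEY_ID):
    """Append a row whose MAC also covers the previous row's MAC (a hash chain)."""
    row = {
        "seq": len(log) + 1,
        "ts": ts.isoformat(),
        "actor": actor,
        "action": action,
        "target": target,
        "ip": ip,
        "prev_mac": log[-1]["mac"] if log else "genesis",
        "key_id": key_id,
    }
    row["mac"] = hmac.new(KEYS[key_id], _canonical(row), hashlib.sha256).hexdigest()
    log.append(row)
    return row


def verify_chain(log):
    """Return None if every row verifies and chains, else the seq of the first bad row."""
    prev_mac = "genesis"
    for i, row in enumerate(log, start=1):
        key = KEYS.get(row.get("key_id"))
        if key is None or row.get("seq") != i or row.get("prev_mac") != prev_mac:
            return i  # unknown key, deleted/reordered row, or broken chain
        expected = hmac.new(key, _canonical(row), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, row.get("mac", "")):
            return i  # a signed field was altered
        prev_mac = row["mac"]
    return None


def anonymize_ips(log, now, retention=IP_RETENTION):
    """Blank IPs older than the retention window; returns how many rows changed."""
    changed = 0
    for row in log:
        if row["ip"] is not None and now - datetime.fromisoformat(row["ts"]) >= retention:
            row["ip"] = None
            changed += 1
    return changed


def build_demo_log():
    """Constructed events spanning a key rotation (April key, then May key)."""
    t0 = datetime(2026, 2, 1, tzinfo=timezone.utc)
    log = []
    append_event(log, t0, "admin@example.com", "login", "-", "203.0.113.7", "k-2026-04")
    append_event(log, t0 + timedelta(days=1), "admin@example.com", "permission.grant",
                 "user:42", "203.0.113.7", "k-2026-04")
    append_event(log, t0 + timedelta(days=100), "cron", "adverse_impact.run", "posting:17", None)
    return log


def run_demo():
    """Exercise the chain: clean, after anonymization, after an edit, after a deletion."""
    log = build_demo_log()
    results = {"fresh": verify_chain(log)}
    now = datetime(2026, 5, 19, tzinfo=timezone.utc)  # 107 days after the first row
    results["ips_anonymized"] = anonymize_ips(log, now)
    results["after_anonymize"] = verify_chain(log)
    log[1]["action"] = "permission.revoke"
    results["after_edit"] = verify_chain(log)
    log = build_demo_log()
    del log[1]
    results["after_delete"] = verify_chain(log)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Verification walks the log from the first row, so the check cost grows with the partition; with monthly partitions as described above, verifying a month means re-checking that month's rows plus the one row of the previous partition that its first `prev_mac` points to.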

In progress

What we're still building.

Radical honesty about gaps is itself a security signal.

SOC 2 Type I attestation

Controls are mapped today. External auditor engagement planned for late 2026.

External penetration test

First annual engagement scheduled for Q4 2026.

Outstanding subprocessor DPAs

Six in progress with our AI, voice, and observability vendors. The full registry is published and updated quarterly.

Annual NYC Local Law 144 bias audit

Data model is in place. External audit will be engaged ahead of any in-scope hiring activity in NYC.

Working through a security review?

Send us the questionnaire.

We'll come back with answers, evidence, and links to the relevant tests in the same week.

Talk to us