Security & Compliance
Built for regulated industries from day one. Your candidate data is your most valuable asset -- we protect it accordingly.
GDPR Compliant
Full data subject rights: right to deletion, right to export, and lawful basis for processing. Candidate deletion propagates across all storage layers, including vector embeddings.
Per-Agency Data Isolation
Every agency's data is scoped by agencyId at every query layer. There is no shared candidate pool -- your candidates are yours only.
Encryption at Rest
Sensitive credentials (API keys, Resend tokens) are AES-256-GCM encrypted before storage in D1. Encryption keys are environment-specific and never stored in code.
SOC 2 Preparation
Infrastructure follows SOC 2 control principles: audit logging, access controls, incident response procedures, and vendor risk assessments.
Data Minimisation
We only collect and store what is needed for the recruiting workflow. No tracking pixels, no cross-agency analytics, no data resale.
Cloudflare Infrastructure
Hosted on Cloudflare's global edge network. Data residency configurable by region. DDoS protection, TLS 1.3, and WAF included by default.
Questions about security?
We're happy to share our security documentation, complete a vendor assessment form, or arrange a technical walkthrough for your compliance team.
Contact Us