Enterprise-Grade Security

Hosted on SOC 2 Type II-audited infrastructure with a compliance-first architecture. Candidate data is encrypted in transit (TLS 1.3) and at rest (AES-256) and handled under the security practices described below.

SOC 2 Type II (audit in progress, report expected Q2 2025)
GDPR Compliant
NYC LL144 Aligned

Security & Compliance FAQs

Answers to common security questions from enterprise customers

Data Encryption

How do you encrypt data in transit?

All API traffic is served over TLS 1.3. Every TLS 1.3 cipher suite uses an ephemeral key exchange, so sessions have perfect forward secrecy and no legacy cipher suites are offered. Plain HTTP is refused. Certificate pinning is available for enterprise integrations.
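A customer-side check of the two properties above, written for this page as an added example (it is not the vendor's code and the vendor has not published it): a TLS context with a TLS 1.3 floor plus an SPKI pin check on the leaf certificate. The host, port and pin values are placeholders to be replaced with the pins the vendor publishes for enterprise integrations; the certificate used for the offline run is constructed test data, not a real certificate.

```python
"""Client-side TLS 1.3 and SPKI-pinning check for an API integration.

Added example, not vendor code. Pins are HPKP-style:
base64(SHA-256(DER SubjectPublicKeyInfo)). Host, port and pin values below
are assumptions to be replaced with the vendor-published pins.
"""
import base64
import hashlib
import socket
import ssl

MIN_TLS = ssl.TLSVersion.TLSv1_3


def der_read(buf: bytes, pos: int):
    """Minimal DER TLV reader: returns (tag, value, position after the TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV writer (used only to build constructed test data)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def spki_der(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV from an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_read(cert_der, 0)          # outer SEQUENCE
    _, tbs, _ = der_read(cert_body, 0)               # tbsCertificate
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == 0xA0:                                  # [0] EXPLICIT version present
        pos = nxt
    for _ in range(5):                               # serial, sigAlg, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    _, _, end = der_read(tbs, pos)                   # subjectPublicKeyInfo, whole TLV
    return tbs[pos:end]


def spki_pin(cert_der: bytes) -> str:
    return base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()


def pin_matches(cert_der: bytes, pins) -> bool:
    return spki_pin(cert_der) in set(pins)


def make_pinned_context() -> ssl.SSLContext:
    """Default chain and hostname verification plus a TLS 1.3 floor.

    All TLS 1.3 suites use ephemeral (EC)DHE, so the floor also guarantees
    forward secrecy; there is no separate cipher-suite setting to make.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    return ctx


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0):
    """Open a pinned TLS 1.3 connection; raise if the leaf SPKI is not pinned."""
    ctx = make_pinned_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not pin_matches(leaf, pins):
                raise ssl.SSLError(f"SPKI pin mismatch for {host}: {spki_pin(leaf)}")
            return tls.version(), spki_pin(leaf)


def constructed_cert_der(spki: bytes, serial: bytes = b"\x01") -> bytes:
    """Constructed test data: a structurally valid Certificate with dummy fields."""
    empty = der_tlv(0x30, b"")
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02"))    # [0] version v3
           + der_tlv(0x02, serial)                  # serialNumber
           + empty + empty + empty + empty          # sigAlg, issuer, validity, subject
           + spki)
    return der_tlv(0x30, der_tlv(0x30, tbs) + empty + der_tlv(0x03, b"\x00"))


# Constructed SPKI: ecPublicKey OID plus a dummy 65-byte uncompressed point.
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                      + der_tlv(0x03, b"\x00\x04" + bytes(64)))

if __name__ == "__main__":
    print("pin for constructed cert:", spki_pin(constructed_cert_der(SAMPLE_SPKI)))
    # Against a live endpoint (assumed host and pins):
    # print(connect_pinned("api.example.com", 443, {"<primary pin>", "<backup pin>"}))
```

Two practical notes: pin the SubjectPublicKeyInfo rather than the whole certificate so a routine reissue with the same key does not break the integration, and always carry at least two pins (current and backup) so the vendor's key rotation cannot cause an outage. Pinning is added on top of normal chain and hostname validation, never instead of it.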

Data Storage

How do you store candidate PII?

All candidate personally identifiable information (PII) is encrypted at rest with AES-256. Each organization's data is isolated and encrypted under its own keys, so one tenant's keys cannot decrypt another tenant's data. Keys are held in a managed key management service with automatic rotation.

Access Control

How are API keys managed?

API keys are organization-level credentials scoped by role-based access control (RBAC). Keys can be rotated on demand and given an expiry date. Every use of a key is recorded in the audit log together with the caller's IP address, and usage is monitored for anomalies.
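The audit trail described above is only useful if someone reads it. The following is an added example (not the vendor's code): a customer-side monitor that runs over exported audit records and flags use of expired, revoked or unknown keys, calls from outside an expected network, and actions a key's role should not permit. The record fields, the role-to-permission map, the key inventory and the log lines are all constructed assumptions for illustration.

```python
"""Detection logic over API-key audit events.

Added example, not vendor code. Record format, RBAC model, key inventory and
sample log lines are constructed assumptions.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed RBAC model: which API actions each role may perform.
ROLE_PERMISSIONS = {
    "admin": {"candidates.read", "candidates.write", "candidates.delete", "keys.manage"},
    "reader": {"candidates.read"},
}


@dataclass
class ApiKey:
    key_id: str
    role: str
    expires_at: datetime
    allowed_networks: tuple = ()     # ip_network objects; empty means unrestricted
    revoked: bool = False


def utc(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


# Constructed key inventory, as a customer would export it from key administration.
SAMPLE_KEYS = {k.key_id: k for k in [
    ApiKey("key_prod_01", "admin", utc("2025-12-31T00:00:00Z"), (ip_network("203.0.113.0/24"),)),
    ApiKey("key_ci_02", "reader", utc("2025-12-31T00:00:00Z"), (ip_network("203.0.113.0/24"),)),
    ApiKey("key_old_03", "admin", utc("2025-03-01T00:00:00Z")),
]}

# Constructed audit log, one JSON record per line.
SAMPLE_LOG = """\
{"ts":"2025-03-01T09:00:00Z","key_id":"key_prod_01","ip":"203.0.113.10","action":"candidates.read","status":200}
{"ts":"2025-03-01T09:05:00Z","key_id":"key_prod_01","ip":"198.51.100.7","action":"candidates.read","status":200}
{"ts":"2025-03-01T09:06:00Z","key_id":"key_ci_02","ip":"203.0.113.20","action":"candidates.delete","status":403}
{"ts":"2025-03-02T00:01:00Z","key_id":"key_old_03","ip":"203.0.113.10","action":"candidates.read","status":401}
{"ts":"2025-03-02T00:02:00Z","key_id":"key_zzz_99","ip":"203.0.113.10","action":"candidates.read","status":401}
"""


def parse_event(line: str) -> dict:
    ev = json.loads(line)
    ev["ts"] = utc(ev["ts"])
    ev["ip"] = ip_address(ev["ip"])
    return ev


def check_event(ev: dict, keys: dict) -> list:
    """Return the findings for one audit event (empty list if clean)."""
    key = keys.get(ev["key_id"])
    if key is None:
        return ["unknown_key"]
    findings = []
    if key.revoked:
        findings.append("revoked_key")
    if ev["ts"] >= key.expires_at:
        findings.append("expired_key")
        if ev["status"] == 200:          # server accepted an expired key: enforcement gap
            findings.append("expiry_not_enforced")
    if key.allowed_networks and not any(ev["ip"] in net for net in key.allowed_networks):
        findings.append("ip_outside_allowlist")
    if ev["action"] not in ROLE_PERMISSIONS.get(key.role, set()):
        findings.append("action_not_permitted_for_role")   # flag the attempt even if the server returned 403
    return findings


def scan(log_text: str, keys: dict) -> list:
    """Run check_event over every log line; return one alert per flagged event."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        findings = check_event(ev, keys)
        if findings:
            alerts.append({"ts": ev["ts"].isoformat(), "key_id": ev["key_id"],
                           "ip": str(ev["ip"]), "action": ev["action"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, SAMPLE_KEYS):
        print(json.dumps(alert))
```

On the sample data this raises four alerts: a valid key used from outside its network, a read-only key attempting a delete (rejected by the server, but the attempt itself is the signal), a request with an expired key, and a request with a key that is not in the inventory. The `expiry_not_enforced` finding is the one to escalate to the vendor: it can only occur if the server accepted a key past its expiry. The vendor's anomaly detection runs server-side; this check is an independent second layer under the customer's control.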

Compliance

What certifications do you hold?

Our SOC 2 Type II audit is in progress, with the report expected in Q2 2025. We maintain the records of processing activities required by GDPR Article 30. The service is designed to meet the requirements of NYC Local Law 144 for automated employment decision tools. Data deletion workflows are CCPA-ready.

Incident Response

What's your breach notification process?

We notify affected customers within 2 hours of confirming a security incident and provide a full incident report with root-cause analysis within 24 hours. A dedicated security response team maintains the process, and we run incident response drills quarterly.

Data Retention

How long do you keep candidate data?

Candidate data is retained for 90 days by default; customers can configure a retention period between 30 and 365 days. A deletion API provides immediate erasure for GDPR and CCPA requests. Expired data is purged automatically, with cryptographic proof of deletion. Audit logs are retained for 7 years to meet compliance requirements.

Comprehensive Security Controls

Infrastructure Security

  • Hosted on SOC 2 Type II-audited infrastructure providers (AWS/Modal)
  • Multi-region redundancy with automatic failover
  • DDoS protection and rate limiting
  • Network isolation and VPC segmentation
  • Regular penetration testing and vulnerability scans

Application Security

  • Secure development lifecycle (SDLC) practices
  • Automated security scanning in CI/CD pipeline
  • Input validation and sanitization
  • Controls mapped to the OWASP Top 10
  • Regular dependency updates and CVE monitoring

Data Protection

  • Sensitive data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Per-organization encryption keys for PII
  • Data minimization and pseudonymization
  • Secure backup with encryption at rest
  • Geographic data residency options

Access & Authentication

  • Multi-factor authentication (MFA) required
  • Single Sign-On (SSO) via SAML 2.0
  • IP allowlisting and geofencing
  • Session management with automatic timeout
  • Privileged access management (PAM)

Need More Security Information?

Our security team is available to answer detailed questions about our infrastructure, compliance posture, and security practices.