Enterprise-Grade Security

Built on SOC 2–certified infrastructure. Designed with controls mapped to SOC 2, GDPR, and NYC LL144 requirements. Your data is protected with encryption in transit and at rest.

SOC 2 Readiness In Progress
GDPR-Aligned Design
NYC LL144 Aligned

Security & Compliance FAQs

Answers to common security questions from enterprise customers

Data Encryption

How do you encrypt data in transit?

All API traffic uses TLS 1.3 encryption with perfect forward secrecy. We enforce HTTPS-only connections and support modern cipher suites. Certificate pinning is available for enterprise integrations.

Data Storage

How do you store candidate PII?

All candidate personally identifiable information (PII) is encrypted at rest using AES-256 encryption. Data is isolated per organization with separate encryption keys. We use industry-standard key management with automatic rotation.

Access Control

How are API keys managed?

API keys are organization-level credentials governed by role-based access control (RBAC). Keys can be rotated on demand and support expiration policies, and all key usage is audit-logged with IP tracking and anomaly detection.

Compliance

What certifications do you hold?

HAIEC has not yet completed a SOC 2 Type II audit. We are working toward this milestone. Our infrastructure providers (Vercel, Neon) are SOC 2 Type II certified. We maintain data processing records aligned with GDPR Article 30, and our workflows are designed to support NYC Local Law 144 and CCPA deletion requirements.

Incident Response

What's your breach notification process?

We notify affected customers within 2 hours of confirmed security incidents. Full incident reports with root cause analysis are provided within 24 hours. We maintain a dedicated security response team and conduct quarterly incident response drills.

Data Retention

How long do you keep candidate data?

The default retention period is 90 days, with customer-configurable policies ranging from 30 to 365 days. An immediate deletion API is available for GDPR/CCPA requests. Purging is automated and produces cryptographic proof of deletion. Audit logs are retained for 7 years per compliance requirements.

Comprehensive Security Controls

Infrastructure Security

  • SOC 2 infrastructure (AWS/Modal)
  • Multi-region redundancy with automatic failover
  • DDoS protection and rate limiting
  • Network isolation and VPC segmentation
  • Regular penetration testing and vulnerability scans

Application Security

  • Secure development lifecycle (SDLC) practices
  • Automated security scanning in CI/CD pipeline
  • Input validation and sanitization
  • OWASP Top 10 protection
  • Regular dependency updates and CVE monitoring

Data Protection

  • End-to-end encryption for sensitive data
  • Zero-knowledge architecture for PII
  • Data minimization and pseudonymization
  • Secure backup with encryption at rest
  • Geographic data residency options

Access & Authentication

  • Multi-factor authentication (MFA) required
  • Single Sign-On (SSO) via SAML 2.0
  • IP allowlisting and geofencing
  • Session management with automatic timeout
  • Privileged access management (PAM)

Need More Security Information?

Our security team is available to answer detailed questions about our infrastructure, compliance posture, and security practices.