Welcome to Candidately's Customer Trust Portal. Our commitment to data privacy and security is embedded in every part of our business. Use this portal to learn about our security posture and request access to our security documentation.
Controls
Access control
Controls governing who can access systems, data, and infrastructure, and under what conditions.
All system and application permissions are assigned through defined roles rather than ad-hoc grants, with tenant-scoped database queries preventing cross-tenant data access.
Every user, system, and service is granted only the minimum access required for its function, with no broad catch-all permissions on sensitive resources.
MFA is mandatory for all personnel on all company systems including AWS, Google Workspace, GitHub, and production infrastructure, with hardware security keys required for privileged accounts.
Elevated access to production systems, databases, and security configurations is controlled through just-in-time provisioning, dual-control for the most sensitive credentials, and quarterly access reviews.
No single individual can both initiate and approve sensitive actions such as production deployments, financial transactions, or security configuration changes.
Access is provisioned based on documented role requirements at onboarding, updated within 5 business days of role changes, and revoked within 24 hours of departure.
All user access rights across production systems and SaaS tools are formally reviewed every quarter, with unjustified access revoked immediately.
Minimum 12-character passwords are required across all systems, with a company-approved password manager for generating and storing unique, high-entropy credentials.
Data security
Controls protecting the confidentiality, integrity, and availability of data across all states and systems.
All production data is encrypted at rest using AES-256 via AWS KMS, covering RDS databases, S3 object storage, EBS volumes, and automated backups.
All external communications use HTTPS with TLS 1.2 minimum, and all internal service-to-service and database connections require TLS encryption.
An additional AES-256-GCM encryption layer is applied at the application level for API tokens, authentication credentials, and restricted-classification data before storage.
A four-tier classification system (Public, Internal, Confidential, Restricted) ensures handling, storage, and access controls are proportionate to data sensitivity.
Defined minimum and maximum retention periods for each data category, with automated and manual deletion procedures ensuring data is not kept longer than necessary.
All application secrets, API keys, and credentials are stored in AWS Systems Manager Parameter Store as encrypted SecureString parameters, resolved at runtime and never embedded in code.
Strict logical separation between client tenants is enforced via RBAC and tenant-scoped database queries, preventing any cross-tenant data access at the application or database layer.
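The two tenant-isolation controls above (role-based permissions with tenant-scoped queries, and the logical separation between client tenants) rest on one implementation detail: the tenant id is a mandatory predicate on every query and is taken from the authenticated session, never from the request. The following example is added here to show that pattern beside the unscoped lookup it replaces; it is not Candidately's code, and the candidates table, the Session type and the sample rows are constructed for the illustration.

```python
"""Tenant-scoped data access, added as an illustration; this is not
Candidately's code. Table names, the Session type and the sample rows are
constructed for the example."""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int
    tenant_id: int  # resolved at login from the user's record, not from the request


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants with one candidate record each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE candidates ("
        "id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO candidates VALUES (?, ?, ?)",
        [(1, 100, "Alice (tenant 100)"), (2, 200, "Bob (tenant 200)")],
    )
    return conn


def get_candidate_unscoped(conn: sqlite3.Connection, candidate_id: int):
    """Vulnerable pattern (for contrast): lookup by primary key only. Any
    authenticated user of any tenant can read any row by guessing an id."""
    return conn.execute(
        "SELECT id, tenant_id, name FROM candidates WHERE id = ?", (candidate_id,)
    ).fetchone()


def get_candidate(conn: sqlite3.Connection, session: Session, candidate_id: int):
    """Hardened pattern: the session's tenant_id is ANDed into the predicate.
    A row owned by another tenant is indistinguishable from a non-existent
    row, so the handler returns the same 404 either way."""
    return conn.execute(
        "SELECT id, tenant_id, name FROM candidates WHERE id = ? AND tenant_id = ?",
        (candidate_id, session.tenant_id),
    ).fetchone()


def rename_candidate(conn: sqlite3.Connection, session: Session,
                     candidate_id: int, name: str) -> int:
    """Writes carry the same predicate. The rowcount tells the caller whether
    the row was in scope; 0 must be treated as 'not found', not as success."""
    cur = conn.execute(
        "UPDATE candidates SET name = ? WHERE id = ? AND tenant_id = ?",
        (name, candidate_id, session.tenant_id),
    )
    conn.commit()
    return cur.rowcount
```

The point of the scoped write is the rowcount: an UPDATE that touches zero rows because the id belongs to another tenant must surface as a 404 in the handler, otherwise the application reports success for a change that never happened and the cross-tenant probe goes unnoticed.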
Application security
Controls embedded in the software development lifecycle to prevent vulnerabilities from reaching production.
Security is integrated into every SDLC phase through automated checks, peer review, and engineering standards aligned with OWASP best practices and ISC2 CSSLP domains.
Every code change requires a pull request with approvals from at least two engineers other than the author, with security-sensitive changes requiring additional CTO review.
Every pull request triggers automated security scanning including Sobelow (backend SAST), eslint-plugin-security (frontend SAST), and dependency vulnerability audits, blocking merges on critical findings.
Third-party library vulnerabilities in Elixir/Hex and Node/npm packages are continuously scanned via mix audit and npm audit, with severity-based remediation SLAs.
Independent third-party penetration tests covering OWASP Top 10, API security, authentication, and multi-tenancy boundary testing are conducted periodically, with findings tracked to verified closure.
A public vulnerability disclosure policy invites external security researchers to report findings, with defined scope, safe harbor protections, and public acknowledgement for valid reports.
Cloudflare WAF is configured to block common attack patterns including OWASP Top 10 categories before traffic reaches the application layer, with rate limiting to prevent brute-force attacks.
Infrastructure security
Controls securing cloud infrastructure, network architecture, and compute environments.
Production databases and internal services reside in private subnets with no direct internet access, and production, staging, and development environments are strictly segregated.
Cloudflare provides edge-level DDoS protection and absorbs volumetric attacks before they reach AWS infrastructure, with analytics reviewed to identify emerging patterns.
AWS Security Groups act as the primary firewall, configured to allow only the minimum required traffic, with the load balancer accepting HTTPS only from Cloudflare IP ranges so that the WAF cannot be bypassed by connecting to the origin directly.
Production applications are deployed across multiple AWS Availability Zones with auto-scaling and an Elastic Load Balancer, ensuring no single point of failure.
Amazon RDS PostgreSQL is deployed in Multi-AZ mode with synchronous replication to a standby in a second Availability Zone and automatic failover, typically completing within 60 to 120 seconds, so committed transactions are not lost on primary failure.
EC2 instances are patched by deploying from updated AMIs rather than patching in-place, ensuring a clean, reproducible environment with each release.
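The Security Group control above is easy to state and easy to drift from: one extra ingress rule for a debugging session, or a 0.0.0.0/0 on port 443 added during an incident, and the WAF and rate limiting are bypassable by anyone who learns the load balancer's hostname. The check below is an added policy-as-code example, not Candidately's tooling. It walks a security group document in the shape returned by boto3's ec2.describe_security_groups() and reports every ingress rule that is not TCP/443 from a Cloudflare-published range. The security group documents and the CLOUDFLARE_V4 list are constructed samples; in real use the group comes from the API and the allow-list from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```python
"""Ingress policy check for the edge-facing load balancer security group.
Added example, not Candidately's code; inputs are constructed samples."""
import ipaddress

# Sample entries only. Fetch the authoritative list from cloudflare.com/ips.
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13",
)]


def _within_allowlist(cidr: str, allowlist) -> bool:
    """True if cidr is fully contained in one allow-listed network of the same IP version."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(a) for a in allowlist if a.version == net.version)


def check_alb_security_group(group: dict, allowlist=CLOUDFLARE_V4) -> list:
    """Return human-readable findings for a describe_security_groups() entry.
    An empty list means every ingress rule is TCP/443 from an allow-listed range."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":
            findings.append("rule allows all protocols")
            continue
        from_p, to_p = perm.get("FromPort"), perm.get("ToPort")
        if not (proto == "tcp" and from_p == 443 and to_p == 443):
            findings.append(f"non-HTTPS ingress: {proto} {from_p}-{to_p}")
        for r in perm.get("IpRanges", []):
            if not _within_allowlist(r["CidrIp"], allowlist):
                findings.append(f"ingress from non-Cloudflare range {r['CidrIp']}")
        for r in perm.get("Ipv6Ranges", []):
            if not _within_allowlist(r["CidrIpv6"], allowlist):
                findings.append(f"ingress from non-Cloudflare range {r['CidrIpv6']}")
        for src in perm.get("UserIdGroupPairs", []):
            # Source security groups are not IP ranges; flag them for manual review.
            findings.append(f"ingress from security group {src.get('GroupId')} (verify it is internal)")
    return findings


# Constructed sample groups in the boto3 response shape.
GOOD_SG = {"GroupId": "sg-0good", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "173.245.48.0/20"}, {"CidrIp": "104.16.0.0/13"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": []},
]}
BAD_SG = {"GroupId": "sg-0bad", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
]}

if __name__ == "__main__":
    for sg in (GOOD_SG, BAD_SG):
        print(sg["GroupId"], check_alb_security_group(sg) or "compliant")
```

Run as a scheduled job or a CI step against the live group; a non-empty result is the drift signal the quarterly review would otherwise catch only months later. Keep the allow-list refresh automated, since Cloudflare's published ranges change and a stale list produces false positives that get waved through.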
Incident response
Controls for detecting, responding to, containing, and recovering from security incidents and data breaches.
A documented, tested incident response plan defines severity classification (P1-P4), escalation paths, containment procedures, and post-incident review processes.
Pre-built runbooks cover data breach, ransomware, compromised credentials, DDoS attack, and AI model misuse scenarios to enable rapid, consistent response.
A dedicated data breach notification policy ensures supervisory authority notification within 72 hours and client notification within 24 hours of a confirmed breach.
Every security incident triggers a post-incident review to identify root causes, update the risk register, and improve controls to prevent recurrence.
All incident response team members and relevant staff participate in annual training exercises to maintain readiness and validate response procedures.
Monitoring and logging
Controls ensuring comprehensive visibility into system activity, security events, and anomalous behavior.
Logs from AWS CloudTrail, VPC Flow Logs, CloudWatch, Cloudflare, application audit trails, and SaaS tools are collected with standardized UTC timestamps and structured formats.
CloudTrail logs are stored in S3 with Object Lock in Compliance mode and CloudTrail log file integrity validation enabled, preventing modification or deletion of the log objects by any user, including the account root user, for the duration of the retention period.
Application logging frameworks enforce that passwords, tokens, encryption keys, and unnecessary PII are never written to logs, with CI scanning to detect violations.
AWS CloudWatch alarms, CloudTrail API monitoring, and Cloudflare WAF alerts provide automated detection of security events with defined escalation procedures.
Logs are retained for defined periods (up to 24 months for CloudTrail) with strict access controls preventing log subjects from modifying their own audit trails.
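The control that passwords, tokens and keys are never written to logs is only as good as the mechanism behind it. The example below, added here and not Candidately's code, shows one way to implement both halves: a logging.Filter that scrubs every record before any handler formats it, and a scanner the CI job can run over captured log output to fail the build if a secret slipped through. The patterns, the logger name and the sample messages are constructed for the illustration; the AKIA key id is AWS's documented placeholder.

```python
"""Log scrubbing filter plus CI leak scanner. Added example, not
Candidately's code; patterns and sample log lines are constructed."""
import logging
import re

# (pattern, replacement). The negative lookaheads keep scrub() idempotent so
# find_leaks() does not re-flag already redacted values.
SECRET_PATTERNS = [
    (re.compile(r"(?i)\b(password|passwd|token|secret|api[_-]?key)(\s*[=:]\s*)(?!\[REDACTED\])\S+"),
     r"\1\2[REDACTED]"),
    (re.compile(r"(?i)\b(authorization:\s*bearer)\s+(?!\[REDACTED\])\S+"),
     r"\1 [REDACTED]"),
    (re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"), "[REDACTED_AWS_KEY_ID]"),
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
     "[REDACTED_PRIVATE_KEY]"),
]


def scrub(text: str) -> str:
    """Replace secret values with a marker, keeping the field name so the line stays useful."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message and drop the args so no handler can
    re-interpolate the original secret."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True


def find_leaks(lines) -> list:
    """CI check: return (line_no, line) for lines still matching a secret pattern."""
    return [(i, line) for i, line in enumerate(lines, 1)
            if any(p.search(line) for p, _ in SECRET_PATTERNS)]


def demo() -> list:
    """Constructed sample: route three messages through the filter and return
    exactly what the handler received."""
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    logger = logging.getLogger("example.redaction")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())  # attach to every handler, not only the logger
    logger.addHandler(handler)

    logger.info("login failed for user=%s password=%s", "alice", "hunter2")
    logger.info("upstream call Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def status=502")
    logger.warning("rotating key AKIAIOSFODNN7EXAMPLE for role=deploy")
    return captured


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Attach the filter to handlers rather than to a single logger: logger-level filters do not apply to records that propagate up from child loggers, so a filter on the root logger alone would miss most application modules. The scanner is deliberately the same pattern list, so a new secret format is added in one place and CI starts enforcing it immediately.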
Business continuity and disaster recovery
Controls ensuring service resilience, data recoverability, and operational continuity during disruptions.
A documented plan defines critical business functions, disruption scenarios, recovery strategies, and team responsibilities, reviewed annually and after significant incidents.
Recovery Point Objectives (15-minute RPO for the production database) and Recovery Time Objectives are defined for each critical system, together with the AWS mechanisms used to meet them (Multi-AZ failover, point-in-time recovery, and cross-region replication).
RDS automated backups run daily with 7-day retention, and point-in-time recovery enables restoration to any second within the retention period, up to the latest restorable time (typically within the last five minutes).
Critical S3 data buckets are configured with cross-region replication to a secondary AWS region, protecting against full regional outages.
Data restoration from backups is tested quarterly to confirm recoverability, with results documented and any issues remediated within 30 days.
Rolling updates across multiple EC2 instances behind a load balancer ensure production deployments occur without service interruption.
Compliance and privacy
Controls ensuring adherence to regulatory requirements, data protection laws, and contractual obligations.
A comprehensive data protection program addresses all GDPR requirements including lawful processing bases, data subject rights, DPIAs, and an appointed external DPO (HeyData).
Every subprocessor that handles personal data has a signed DPA with obligations equivalent to those in client agreements, as required by GDPR Article 28.
EU-US data transfers are protected by Standard Contractual Clauses (2021 SCCs), Transfer Impact Assessments, and the EU-US Data Privacy Framework where applicable.
Processes support all GDPR Chapter III rights including access, rectification, erasure, portability, and restriction of processing, with client agencies supported in fulfilling requests.
Security policies and controls are designed to satisfy SOC 2 Trust Services Criteria across security, availability, and confidentiality, with auditable evidence maintained.
A current, authoritative subprocessor list is publicly available, with 14 days prior written notice to clients before adding or materially changing any subprocessor.
Third-party and vendor management
Controls governing the assessment, onboarding, monitoring, and offboarding of external vendors and service providers.
Vendors are classified into tiers based on data access and criticality, with proportionate security assessments ranging from SOC 2 review to full vendor security questionnaires.
Vendors without SOC 2 Type II certification complete a detailed security assessment covering data handling, encryption, access controls, incident response, and business continuity.
All vendor contracts require notification of security incidents affecting company data within 24 hours of the vendor becoming aware of the incident.
A defined process ensures all vendor access is revoked and data is deleted or returned when relationships end, with written confirmation of data destruction.
Employee security
Controls addressing the human element of security throughout the employment lifecycle.
All candidates undergo identity verification, employment history checks, and reference checks before system access, with enhanced screening for roles accessing production or financial systems.
Every employee and contractor must acknowledge IT security, acceptable use, and access control policies before receiving access to any company system.
Mandatory annual training covers phishing, social engineering, data classification, AI tool safety, and incident reporting, with an 80% pass mark assessment and tracked completion.
Periodic simulated phishing campaigns test employee resilience, with targeted re-training for staff who engage with simulated attacks.
Clear standards govern responsible use of company systems, equipment, and data, establishing baseline expectations for all personnel with access to company resources.
All system access, credentials, and physical access are revoked within 24 hours of departure, with device recovery and data wipe procedures enforced.
Endpoint security
Controls protecting employee devices that access company systems and data.
All company-issued devices must be enrolled in MDM before accessing company systems, enabling remote policy enforcement, compliance verification, and remote wipe capability.
FileVault (macOS), BitLocker (Windows), or LUKS (Linux) is mandatory on all devices accessing company systems, with recovery keys escrowed to the MDM solution.
Up-to-date antivirus or EDR software with real-time protection and weekly scanning is required on all company and BYOD devices, with detections treated as security incidents.
All workstations must lock automatically after no more than 5 minutes of inactivity, enforced through MDM policy on company-issued devices.
Personal devices used for company work must meet the same security baseline as company-issued devices, including encryption, antivirus, and MDM registration.
AI governance
Controls governing the responsible development, deployment, and monitoring of AI features that process personal data.
All AI features are decision-support tools where final decisions about candidates are made by human recruiters, satisfying GDPR Article 22 requirements against solely automated decision-making.
Only the personal data strictly necessary for each AI function is transmitted to model providers, with data not submitted in bulk or beyond feature requirements.
All AI model provider agreements include contractual prohibitions against using customer data for model training, fine-tuning, or improving the provider's general models.
AI model outputs are monitored for discriminatory bias against protected characteristics, with affected features suspended pending investigation when bias is detected.
Client agencies are informed about AI feature usage through the Privacy Policy and DPA, AI model providers are listed in the subprocessor list, and AI suggestions are clearly labeled in the UI.
AI features are assessed against EU AI Act obligations as they apply to employment-related AI systems, with governance controls addressing the phased requirements through 2026-2027.
Risk management
Controls for systematically identifying, assessing, treating, and monitoring information security risks.
A documented risk scoring methodology using likelihood-times-impact matrices ensures consistent, comparable risk assessments with defined risk appetite statements.
All identified risks are tracked in a centralized register with clear ownership, treatment plans, residual risk ratings, and scheduled review dates.
A structured risk identification workshop is conducted annually with senior leadership, supplemented by continuous risk identification from incidents, penetration tests, and regulatory changes.
Severity-based remediation timelines ensure critical vulnerabilities are addressed immediately and high-severity findings within defined windows, with mandatory SLA compliance tracking.
Change management
Controls ensuring all changes to production systems are authorized, tested, and traceable.
All production changes follow a defined classification framework with appropriate approval, testing, and deployment controls based on risk, satisfying SOC 2 CC8 requirements.
CircleCI pipelines automatically run unit tests, E2E tests, security scans, and dependency audits on every pull request, blocking deployment when gates fail.
A defined process for urgent changes allows bypassing the standard release cycle while maintaining essential security controls including review and audit trail.
All software, infrastructure, and dependency vulnerabilities are remediated within defined timeframes based on CVSS severity, with critical patches applied immediately.
Email and communications security
Controls protecting company email infrastructure and communications from spoofing, phishing, and data exfiltration.
All sending domains are protected with SPF, DKIM, and DMARC configured to reject unauthenticated messages, preventing domain spoofing and phishing impersonation.
Google Workspace phishing detection, Safe Browsing enforcement, and enhanced pre-delivery scanning provide layered technical defenses against email-based attacks.
Automatic forwarding to external addresses is restricted by admin policy and requires security officer approval, with all active rules reviewed quarterly.
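"SPF, DKIM, and DMARC configured to reject" hides several settings that each weaken the outcome on their own: an SPF record ending in ~all or ?all instead of -all, a DMARC p= of none or quarantine, an sp= that leaves subdomains spoofable, pct= below 100, or no rua= so nobody sees the aggregate reports. The checker below is an added example, not Candidately's tooling; it parses TXT record strings and reports those weaknesses, and also counts SPF DNS-lookup mechanisms against the limit of 10 from RFC 7208, beyond which receivers treat the record as a permanent error. The records are constructed strings; in practice they come from dig TXT for the domain and for _dmarc.<domain>, and the include hosts shown are only sample values.

```python
"""SPF and DMARC posture checker. Added example, not Candidately's code;
the record strings are constructed samples."""

LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def _is_lookup_term(term: str) -> bool:
    """SPF terms that cost a DNS lookup, after stripping the +/-/~/? qualifier."""
    name = term.lower().lstrip("+-~?")
    name = name.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
    return name in LOOKUP_MECHANISMS


def check_spf(txt: str) -> list:
    """Findings for an SPF TXT record; empty means the record hard-fails unauthorized senders."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    last = terms[-1].lower()
    if last != "-all":
        findings.append(f"SPF: terminal mechanism is {last!r}; use -all so unauthorized senders hard-fail")
    if any(t.lower() == "+all" for t in terms):
        findings.append("SPF: +all authorizes every host on the internet")
    lookups = sum(1 for t in terms if _is_lookup_term(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt: str) -> list:
    """Findings for a DMARC record; empty means reject applies to all failing mail, including subdomains."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: missing or invalid v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy or 'missing'}; spoofed mail is not rejected")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if sub_policy != "reject":
        findings.append(f"DMARC: sp={sub_policy or 'missing'}; subdomains can be spoofed")
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        pct = -1
    if pct < 100:
        findings.append(f"DMARC: pct={tags.get('pct')}; policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua=; aggregate reports are not being collected")
    return findings


def check_domain(spf_txt: str, dmarc_txt: str) -> list:
    return check_spf(spf_txt) + check_dmarc(dmarc_txt)


# Constructed sample records.
GOOD_SPF = "v=spf1 include:_spf.google.com -all"
WEAK_SPF = "v=spf1 include:_spf.google.com include:mail.example.net ~all"
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
WEAK_DMARC = "v=DMARC1; p=quarantine; pct=25"

if __name__ == "__main__":
    print(check_domain(GOOD_SPF, GOOD_DMARC) or "compliant")
    print(check_domain(WEAK_SPF, WEAK_DMARC))
```

A useful habit is to run this against every sending domain and every parked domain the company owns: a parked domain with no SPF or DMARC record at all is the easiest one to impersonate, and "v=spf1 -all" plus "v=DMARC1; p=reject" on it closes that gap.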