Trust Center
Security, Privacy & Reliability
This page intentionally shows only evidence-backed controls and live-backed status signals.
Continuity claims are published only when current drill evidence supports them; dry-run failover reviews are not presented as executed validation.
Last checked: 6/3/2026, 11:21:57 AM
System Status
Operational (Measured Components)API
Evidence API: /api/v1/monitoring/health
Operational
Database
Evidence API: /api/v1/monitoring/health
Operational
Verified Controls
Claims are shown only when backed by implementation or auditable evidence.
Security
- • Authentication: Supabase Auth + MFA
- • Authorization: RBAC (Role-Based)
- • API Security: Rate-limited + CSRF protection
- • Session Management: Secure, HttpOnly Cookies
- • Data Encryption At Rest: AES-256
- • Database row-level security (RLS) enforces tenant isolation
- • Public API endpoints are rate-limited
- • Route access reconciliation: all handlers accounted for
- • BYOK envelope encryption for enterprise tenants
Privacy
- • DSAR requests processed within 30 days
- • Data retention default 2 years with automated deletion workflows
- • Data residency enforcement per jurisdiction requirements
- • GDPR Article 9 special-category data blocked at ingestion
- • EEO self-identification data isolated from scoring and profile data
AI
- • OpenAI GPT-4 used for resume analysis and matching
Reliability
- • 99.9% Uptime Target
- • Multi-layer monitoring with SLO-based alerting
- • Incident response process with severity-based escalation
- • No incidents in the last 30 days
- • ATS integrations (Greenhouse, Lever, Workday) with 2-way sync and Zod validation
- • Calendar integrations (Google, Outlook) with OAuth and event CRUD
- • Slack + Teams notifications via incoming webhooks
Recent Incidents
Last 30 days of incident reports.
0 incidents in the last 30 days
Source: incident records (dynamic query), not hardcoded text.
Evidence-backed Certification Statements
SOC 2 Type II: In Progress
ISO 27001: Roadmap
Resources
- Subprocessor list— third-party data processors
- AI transparency statement— how AI is used in your assessment
- Bias audit summary— NYC AEDT §5-303(c) disclosure
- Model cards— EU AI Act Annex IV technical docs
- Security whitepaper— SOC 2 / ISO 27001 controls overview
- Vendor questionnaires— CAIQ v4 + SIG Lite pre-fills
- Security FAQ— 60+ enterprise security questions answered
- Permission matrix— RBAC capabilities by role
- Reference architecture— components, data flows, trust boundaries
- MSA / DPA / SLA— contract templates for legal review
- System status— live component health
- Privacy policy— data handling commitments