✶ Trust & Security
Security is infrastructure, not a feature.
HiringScout handles sensitive candidate data and operates inside hiring workflows at some of the world's leading companies. We treat security with the same discipline as any production-critical system: designed in, tested continuously, and improved relentlessly.
✶ Core commitments
Six pillars of platform security.
Encryption everywhere
All data encrypted in transit with TLS 1.3 and at rest with AES-256. Encryption keys are managed in dedicated KMS infrastructure — never hardcoded, never in application code.
Least-privilege access
Production access is restricted to a minimal set of personnel. Every access event is logged with a complete audit trail. Multi-factor authentication is mandatory for all team members.
Regular penetration testing
We engage independent security firms to conduct penetration tests at least annually. Findings are remediated within documented SLAs based on severity.
Compliance by design
GDPR and CCPA compliance is built into the architecture — consent management, retention windows, data subject request handling — not retrofitted. SOC 2 Type II audit in progress.
72-hour breach notification
In the event of a data breach, we notify affected users and relevant regulatory authorities within 72 hours of discovery. We maintain a documented, tested incident response plan.
Infrastructure security
Hosted on AWS with VPC isolation, private subnets, Web Application Firewall (WAF), DDoS protection, and automated vulnerability scanning on every deployment.
✶ Technical controls
What we actually implement.
Application security
- OWASP Top 10 mitigations applied to all endpoints
- Input validation and output encoding on all user-supplied data
- Parameterized queries — no raw SQL construction from user input
- CSRF protection on all state-changing operations
- Rate limiting and abuse detection on authentication endpoints
- Content Security Policy (CSP) headers on all pages
- Dependency vulnerability scanning on every pull request
Data handling
- Candidate PII is isolated from analytics and ML training pipelines
- Resume files stored in private, access-controlled object storage
- AI audio recordings encrypted with customer-specific keys
- Automated data retention enforcement — expired data is deleted, not archived
- Data minimization: we collect only what is required for the service
- Database backups encrypted and stored in a separate region
Access and identity
- Passwords hashed with bcrypt (cost factor 12)
- JWTs signed with RS256 — short expiry with secure refresh rotation
- OAuth 2.0 integration with identity providers
- Role-based access control within company accounts
- Session invalidation on password change and logout
- IP-based anomaly detection for account access
Operational security
- All production deployments go through automated security scanning
- Infrastructure defined as code — no manual production changes
- Secrets management via AWS Secrets Manager
- Cloud configuration continuously monitored for drift
- Immutable container images — no runtime code modification
- Full audit logs retained for 12 months
✶ Responsible disclosure
Found a vulnerability?
We are grateful to security researchers who responsibly disclose vulnerabilities. If you believe you have found a security issue in HiringScout, please report it to us before making it public.
We commit to: acknowledging your report within 48 hours, providing a status update within 7 days, working to resolve confirmed vulnerabilities within 30 days of confirmation, and crediting you (with your permission) once the issue is resolved.
How to report
security@hiringscout.com
Include in your report
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your suggested remediation (if any)
We ask that you do not exploit the vulnerability, access user data beyond what is needed to demonstrate the issue, or disclose publicly before we have addressed it.