Deployment model
Last reviewed 2026-05-18
Summary
HiringCoachAI is delivered exclusively as a multi-tenant cloud-hosted online job application management platform that helps individuals draft application materials, craft pitches, and prepare for interviews using AI-assisted tools. The application is hosted on Vercel and uses Google Cloud Platform / Firebase for authentication, Firestore, backup/export storage, Cloud Tasks, and Text-to-Speech. Public traffic for hiringcoach.ai is currently proxied through Cloudflare DNS / edge before reaching Vercel.
We do not offer on-premises, private-cloud, air-gapped, or customer-managed deployments.
Hosting
- Application runtime: Vercel (Next.js, Edge Middleware, Serverless Functions)
- Data tier: Google Firebase (Firestore, Authentication, Cloud Storage for backup/export and platform-managed function source buckets; user file uploads are not live in production yet)
- Region (default): United States (Firestore US multi-region; backup/export buckets US multi-region; Vercel global edge with US-preferred execution)
- EU / other regions: Not part of the standard production deployment. Institution-specific geographic storage requirements can be separately scoped for enterprise deployments using cloud-provider regional controls, with transfer review and customer-agreement terms completed before implementation.
HIPAA applicability
HiringCoachAI is a career and job-search coaching platform. It does not:
- Solicit, collect, store, or process Protected Health Information (PHI)
- Serve as a Business Associate under HIPAA
- Receive electronic Protected Health Information (ePHI) from any customer
We therefore do not execute Business Associate Agreements (BAAs). If a buyer's use case involves PHI, we require them to sanitize such data before upload. Our Terms of Service prohibit PHI submission.
The full HECVAT 4.1.5 "HIPAA Compliance" tab (HIPA-01 through HIPA-29) is marked Not Applicable with this document cited as justification.
On-premises applicability
HiringCoachAI does not offer an on-premises, private-cloud, air-gapped, customer-managed, appliance, or agent-based deployment. Institutions do not host or operate HiringCoachAI systems, and they do not need inbound firewall exceptions for HiringCoachAI personnel to administer systems in the institution's environment.
The HECVAT 4.1.5 "On-Premises Data Solutions" section (OPEM-*) is answered Not Applicable where questions are conditional on institution-hosted systems or remote management of customer environments. General questions in that section about administration model, architecture, monitoring, business history, and higher-education customers are answered directly.
Consulting services
We do not currently offer paid professional services or consulting engagements. The HECVAT "Consulting Services" tab (CONS-*) is marked Not Applicable.
Payment Card Industry Data Security Standard (PCI DSS) scope
Payment card data, including primary account number (PAN), card verification value (CVV), and card-track data, is never received, processed, transmitted, or stored by HiringCoachAI infrastructure. All card capture occurs in Stripe-controlled Checkout, Elements, or Payment Element flows inside the user's browser; Stripe tokenizes the payment method and HiringCoachAI receives only opaque customer, subscription, payment, and billing-state identifiers.
Our applicable PCI DSS scope is Self-Assessment Questionnaire A (SAQ-A) because card capture is fully hosted by Stripe. Stripe holds a Level 1 PCI DSS Attestation of Compliance for the cardholder data environment, and HiringCoachAI systems receive only opaque billing identifiers and status metadata.
FERPA
We do not today hold education records on behalf of any institution. HiringCoachAI is currently a consumer career platform; users may include education history in resumes, but that is user-provided career content rather than institution-maintained education records.
If a higher-ed customer deploys HiringCoachAI for student career services and shares or directs students to share institution-controlled education records, FERPA scope would need to be defined in a signed Data Processing Agreement before we claim a FERPA school-official role.
Tenancy
Multi-tenant. Tenant isolation is enforced by:
- Firestore Security Rules (default-deny; user-scoped reads/writes)
- Firebase Auth / NextAuth identity
- Binary admin vs. non-admin authorization in middleware and API handlers
Cross-tenant access is not allowed; a "tenant" today maps 1:1 to a user account and will map to organizations only if enterprise tenancy ships.
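For reviewers who want to see what default-deny, user-scoped Firestore Security Rules look like in practice, the following is an added illustration and not HiringCoachAI's production ruleset. The `users` and `applications` collections and the `ownerId` field are hypothetical names chosen for the example.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // True only for a signed-in caller whose uid equals the given uid.
    function isOwner(uid) {
      return request.auth != null && request.auth.uid == uid;
    }

    // Path-scoped ownership (hypothetical layout): the user document and
    // every subcollection beneath users/{uid} belong to that uid only.
    match /users/{uid}/{document=**} {
      allow read, write: if isOwner(uid);
    }

    // Field-scoped ownership (hypothetical top-level collection): the
    // owner is recorded in an ownerId field on each document.
    match /applications/{appId} {
      // Reads are evaluated against the stored document. A list query
      // must itself filter on ownerId == caller uid or it is rejected.
      allow read: if isOwner(resource.data.ownerId);

      // A new document must name the caller as its owner.
      allow create: if isOwner(request.resource.data.ownerId);

      // Only the current owner may update, and the update may not
      // reassign ownerId. Without the second clause a user could hand
      // a document to, or plant one under, another account.
      allow update: if isOwner(resource.data.ownerId)
                    && request.resource.data.ownerId == resource.data.ownerId;

      allow delete: if isOwner(resource.data.ownerId);
    }

    // Default-deny: there is no catch-all allow, so any path not matched
    // above is refused for every client, signed in or not.
  }
}
```

Security Rules are evaluated only for client SDK access; calls made with the Firebase Admin SDK bypass them, so any server-side handler that reads or writes Firestore has to apply the same ownership check itself.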
Summary table for HECVAT
| Deployment question | Answer |
|---|---|
| Multi-tenant cloud-hosted service? | Yes |
| On-prem / self-hosted option? | No |
| Single-tenant / dedicated? | No (multi-tenant) |
| Customer-managed infrastructure? | No |
| Handles PHI? | No (prohibited by ToS) |
| Handles cardholder data? | No (Stripe hosted) |
| Handles FERPA educational records? | No (current production scope); applicable only after institution-specific FERPA scope is defined in a signed DPA |