HiringCoachAI

Glossary

Last reviewed 2026-05-18

A reference for the acronyms and terms used in HiringCoachAI's HECVAT responses, compliance documents, and trust-center pages. Written for any reviewer: security analysts, procurement, legal, and others. Listed alphabetically within each section.

Authentication, authorization, identity

  • AAAI: Authentication, Authorization, and Account Management Information (HECVAT 4.1.5 question family).
  • CAS: Central Authentication Service. A web SSO protocol common in higher education.
  • eduGAIN / InCommon: federations of higher-ed Identity Providers. Membership lets a SaaS vendor accept SAML/OIDC sign-ins from any member institution.
  • JWT: JSON Web Token. A base64url-encoded token, usually signed (JWS) and sometimes encrypted (JWE), that carries claims about an authenticated user. The claims are only trustworthy once the signature has been verified against the issuer's key.
  • MFA: Multi-Factor Authentication. Sign-in requires both a password (or magic link) AND something else (TOTP code, hardware key, etc.).
  • OAuth 2.0: the delegated-authorization framework (RFC 6749) underneath modern social-login and API-access flows. On its own it grants access to resources; it does not authenticate the user, which is what OIDC adds.
  • OIDC: OpenID Connect. An identity layer built on OAuth 2.0; what most modern "Sign in with Google" buttons use.
  • RBAC / ABAC / PBAC: Role- / Attribute- / Policy-based access control. Three patterns for deciding who is allowed to do what.
  • SAML 2.0: Security Assertion Markup Language. The XML-based SSO protocol used by most enterprise IdPs (Okta, Microsoft Entra ID (formerly Azure AD), Ping, etc.).
  • SCIM: System for Cross-Domain Identity Management. A standard that lets an enterprise IdP push user provisioning/deprovisioning to a SaaS automatically.
  • SSO: Single Sign-On. One identity provider authenticates the user; multiple downstream apps trust that assertion.
  • TOTP: Time-based One-Time Password (RFC 6238). Short codes (six digits by default) derived from a shared secret and the current 30-second time step, generated by an authenticator app (Google Authenticator, Authy, 1Password, etc.).

Data and privacy law

  • CCPA / CPRA: California Consumer Privacy Act / California Privacy Rights Act. The two California state-law privacy regimes (CPRA amends and extends CCPA).
  • DPA: Data Processing Agreement. The contract between a controller (the customer) and a processor (us) that binds the processor to GDPR-style obligations; GDPR Art. 28 sets out the terms it must contain.
  • DPIA: Data Protection Impact Assessment. A documented review of a feature's privacy risks. GDPR Art. 35 requires one for processing likely to result in a high risk to individuals.
  • DSR: Data Subject Request. A GDPR/CCPA right exercised by an individual to access, correct, delete, or export their data. Also called DSAR (Data Subject Access Request).
  • FERPA: Family Educational Rights and Privacy Act. US law protecting student educational records.
  • GDPR: General Data Protection Regulation (Regulation (EU) 2016/679). The EU's data-protection law.
  • GPC: Global Privacy Control. A browser signal (the Sec-GPC: 1 request header and the navigator.globalPrivacyControl property) that expresses an opt-out of sale or sharing; the CCPA/CPRA regulations require businesses to honor it.
  • IDTA: International Data Transfer Agreement. The UK ICO's standalone contract for transferring personal data out of the UK; the alternative is the UK Addendum, which attaches to the EU SCCs. One or the other underpins UK→US transfers.
  • PHI: Protected Health Information (HIPAA-regulated).
  • PII: Personally Identifiable Information.
  • PIPL: Personal Information Protection Law. China's comprehensive data-protection statute (effective November 2021).
  • Privacy Officer / data-protection contact: The role accountable for the privacy program. GDPR Art. 37 requires a formally designated Data Protection Officer (DPO) in some cases, for example large-scale regular monitoring of individuals or large-scale processing of special-category data.
  • SCCs: Standard Contractual Clauses. EU-approved contract templates for transferring personal data outside the EEA. The 2021 set has Module 1 (controller→controller), Module 2 (controller→processor), Module 3 (processor→processor), and Module 4 (processor→controller).
  • TIA: Transfer Impact Assessment. A documented review of the legal environment in the destination country, required to support reliance on SCCs after the Schrems II ruling.
  • UK GDPR: The UK-domestic version of GDPR retained after Brexit.

Security: standards, audits, frameworks

  • AoC: Attestation of Compliance. The PCI DSS form in which an entity (with its QSA, where one is involved) attests to the result of a RoC or SAQ. SOC 2 audits do not produce an AoC; their output is the SOC 2 report.
  • CIS Controls / IG1: Center for Internet Security Critical Security Controls v8. Implementation Group 1 is the foundational baseline of 56 safeguards.
  • HECVAT: Higher Education Community Vendor Assessment Toolkit. The EDUCAUSE-published security questionnaire used by colleges and universities.
  • NIST CSF: National Institute of Standards and Technology Cybersecurity Framework. The current version is 2.0; we map our controls to its six functions (Govern, Identify, Protect, Detect, Respond, Recover).
  • NIST SP 800-63B: NIST's Digital Identity Guidelines. We follow its password guidance: no forced periodic rotation, a check against known-breached password lists, and a length minimum instead of character-class (composition) rules.
  • NIST SP 800-88: NIST's Guidelines for Media Sanitization. The US-government standard for irreversibly wiping storage media.
  • PCI DSS: Payment Card Industry Data Security Standard.
  • RoC: Report on Compliance (PCI). The full audit report produced by a QSA; the SAQ is the simpler self-assessment used by smaller merchants.
  • SAQ-A: Self-Assessment Questionnaire A, the simplest PCI DSS self-assessment. It applies to e-commerce merchants that fully outsource card capture to a PCI-validated third party (e.g., Stripe), so that cardholder data (the primary account number, PAN) and sensitive authentication data (the card verification value, CVV, and track data) never reach the merchant's systems.
  • SOC 2 Type II: System and Organization Controls 2 attestation report issued by an external CPA firm against the AICPA Trust Services Criteria. "Type II" means the auditor tested the controls operating over a review period (commonly 6 to 12 months); a Type I report covers only the design of controls at a point in time.
  • SSAE 18: the AICPA attestation standard under which SOC reports are issued.

Application security & infrastructure

  • APT: Advanced Persistent Threat. A targeted, long-dwell-time attacker pattern. Detection typically relies on endpoint telemetry (EDR), centralized log analytics (SIEM), or an outsourced MDR service.
  • CDN: Content Delivery Network. A network of edge servers that caches static assets close to the user.
  • CGNAT: Carrier-Grade NAT. Shared address space (100.64.0.0/10, RFC 6598) used by some ISPs to put many subscribers behind one public IP.
  • CMEK: Customer-Managed Encryption Keys. Encryption keys held in the customer's KMS rather than the SaaS provider's.
  • COOP / CORP: Cross-Origin-Opener-Policy / Cross-Origin-Resource-Policy. HTTP response headers: COOP isolates a page's browsing context from cross-origin windows (severing the window.opener link), and CORP declares which origins may load a resource, so the browser refuses unauthorized cross-origin loads.
  • CSP: Content Security Policy. An HTTP response header that tells the browser which scripts/styles/etc. are allowed to load.
  • CSRF: Cross-Site Request Forgery. An attack where a malicious site tricks a logged-in user's browser into sending a state-changing request.
  • DAST: Dynamic Application Security Testing. A black-box scanner that runs against a deployed app (e.g., OWASP ZAP).
  • DDoS: Distributed Denial of Service.
  • DLP: Data Loss Prevention.
  • HSTS: HTTP Strict Transport Security. A header that locks browsers to HTTPS for a domain.
  • IDS / IPS: Intrusion Detection / Prevention System.
  • JML: Joiner / Mover / Leaver. The HR-driven account provisioning lifecycle.
  • PITR: Point-In-Time Recovery. Roll a database back to an arbitrary moment within a retention window.
  • RFC 1918: the IETF spec defining the private IPv4 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
  • SAST: Static Application Security Testing. White-box analysis of source code (e.g., Semgrep, CodeQL).
  • SBOM: Software Bill of Materials. A machine-readable list of every package and version in a build (CycloneDX or SPDX format).
  • SPI: Stateful Packet Inspection. A firewall that tracks connection state and judges each packet in the context of its session rather than in isolation.
  • SSRF: Server-Side Request Forgery. An attacker tricks the server into making a request to an internal URL it shouldn't reach (a private-range host, a cloud metadata endpoint, a loopback service).
  • TLS: Transport Layer Security. The cryptographic protocol underneath HTTPS.
  • WAF: Web Application Firewall. A reverse-proxy layer that inspects and blocks malicious HTTP requests.
  • XSS: Cross-Site Scripting. An attack where an attacker injects JavaScript into a page another user views.
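The SSRF, RFC 1918 and CGNAT entries above fit together in one control: before a server-side fetch, resolve the target and refuse any address in a range the server should never reach. The following is an added example (not HiringCoachAI's code) of that check. The resolver is injected so the example runs offline; FAKE_DNS is a constructed table, and the example.com / example.net names and 203.0.113.0/24 addresses are documentation ranges rather than real hosts.

```python
"""Outbound-URL validation against SSRF, as a blocklist on the resolved address.

Added example for this glossary; not HiringCoachAI's code. The DNS resolver is
injected so the example runs offline; FAKE_DNS below is a constructed table.
"""
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Address ranges a server-side fetcher must never reach. RFC 1918 and CGNAT
# (RFC 6598) are the ones the glossary names; loopback, link-local (where cloud
# metadata services such as 169.254.169.254 live), "this network", multicast and
# reserved space, plus the IPv6 equivalents, round the list out.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private ranges
    "100.64.0.0/10",                                   # CGNAT shared address space
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local / metadata
    "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",         # this-network, multicast, reserved
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",    # IPv6 loopback, ULA, link-local, multicast
)]

Resolver = Callable[[str], Iterable[str]]  # hostname -> IP address strings

# Constructed fake DNS so the demo never touches the network.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "metadata.internal": ["169.254.169.254"],
    "mixed.example.net": ["203.0.113.20", "10.0.0.5"],  # one public and one private answer
}


def fake_resolve(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


def is_blocked_ip(ip: str) -> bool:
    """True if `ip` falls in any range a server-side fetch must not reach."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:10.0.0.1 is 10.0.0.1 in disguise; judge it by the IPv4 rules.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_outbound_url(url: str, resolve: Resolver = fake_resolve) -> tuple[bool, str]:
    """Return (allowed, reason). Every resolved address must be off the blocklist,
    because an attacker-controlled name can answer with a public and a private address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"  # http://api.example.com@10.0.0.1/ fools string-based checks
    try:
        addrs = [host] if _is_ip_literal(host) else list(resolve(host))
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "name resolved to nothing"
    for ip in addrs:
        if is_blocked_ip(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/jobs", "http://metadata.internal/latest/meta-data/",
              "http://100.64.3.4/", "http://[::ffff:10.1.2.3]/", "ftp://api.example.com/"):
        print(u, "->", check_outbound_url(u))
```

Two caveats a reviewer would raise: the fetch must connect to the address that was checked (resolving a second time inside the HTTP client reopens the door to DNS rebinding), and every redirect target needs the same check. Running the fetcher from a network segment with no route to internal services is the defense-in-depth layer behind both.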

AI

  • AI: Artificial Intelligence. In our context, almost always refers to LLMs and ML-based features.
  • HIBP: Have I Been Pwned. A breach-credential dataset queried via a k-anonymity prefix lookup during password set or change to reject known-breached passwords.
  • k-anonymity: a privacy-preserving query technique. The client sends the first 5 hex characters of the password's SHA-1 hash; HIBP returns every hash suffix sharing that prefix (with a prevalence count); the client looks for its own suffix locally, so the full hash never reaches the server.
  • LLM: Large Language Model. Text-completion models like OpenAI's GPT family.
  • ML: Machine Learning.
  • OWASP Top 10: the canonical list of the most common application vulnerability classes, maintained by OWASP.
  • RAG: Retrieval-Augmented Generation. An LLM pattern where the prompt is augmented with documents retrieved from a knowledge base.
  • RLHF: Reinforcement Learning from Human Feedback. A model-alignment technique used by major LLM vendors during training.
  • STT / TTS: Speech-to-Text / Text-to-Speech.
  • ZDR: Zero Data Retention. A vendor-side configuration where the AI provider does not store or log prompt or completion data. Requires a contractual amendment with most providers.
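The HIBP and k-anonymity entries above, together with the NIST SP 800-63B entry in the standards section, describe one password-acceptance check. The following is an added example (not HiringCoachAI's code) that implements it: length bounds, no composition rules, and the range lookup in which only a 5-character hash prefix leaves the client. To run offline it stands in a fake range endpoint backed by a constructed three-entry breach corpus; `hibp_range_over_http` is the real call and is never invoked here. Function names and the corpus are the example's own.

```python
"""Password set/change checks in the NIST SP 800-63B style: length bounds, no
composition rules, and a breached-password check via HIBP's k-anonymity range API.

Added example for this glossary; not HiringCoachAI's code. The fake endpoint and
BREACH_CORPUS are constructed for the demo so it runs offline.
"""
import hashlib
import urllib.request
from typing import Callable

RangeFetcher = Callable[[str], str]  # 5-hex-char prefix -> response body text

# Constructed corpus: password -> how many times it appears in breach data.
BREACH_CORPUS = {"password": 9_000_000, "123456": 40_000_000, "letmein": 250_000}


def sha1_upper_hex(password: str) -> str:
    # SHA-1 is fine here because it is only a lookup key into HIBP's dataset; it is
    # never how the password is stored (use a slow hash such as Argon2 for that).
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_endpoint(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/{prefix}: returns
    'SUFFIX:COUNT' lines for every corpus hash that shares the prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be 5 hex characters")
    hashes = ((sha1_upper_hex(pw), n) for pw, n in BREACH_CORPUS.items())
    return "\r\n".join(f"{h[5:]}:{n}" for h, n in hashes if h.startswith(prefix))


def hibp_range_over_http(prefix: str) -> str:
    """The real call (network). Add-Padding makes response sizes uninformative."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "glossary-example"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: RangeFetcher) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the hash leave this process."""
    digest = sha1_upper_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        got_suffix, _, count = line.strip().partition(":")
        if got_suffix.upper() == suffix:
            return int(count)  # padding lines from the real API carry a count of 0
    return 0


def check_password(password: str, fetch_range: RangeFetcher = fake_range_endpoint) -> list[str]:
    """Return the reasons to reject the password; an empty list means acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 64:
        problems.append("longer than 64 characters")
    # Deliberately no "must contain a digit/symbol" rule: 800-63B advises against them.
    n = breach_count(password, fetch_range)
    if n:
        problems.append(f"seen {n} times in breach data")
    return problems


if __name__ == "__main__":
    for pw in ("password", "short", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw) or "ok")
```

Note the failure mode the design avoids: the server learns 5 hex characters, i.e. one of roughly a million buckets, and each bucket holds hundreds of real hashes, so a response cannot be tied back to the password. A client that sent the full hash would hand the service a dictionary-attackable fingerprint of every password its users choose.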

Other

  • AoR: Area of Responsibility.
  • Bucket Lock: Google Cloud Storage feature that makes a bucket's retention policy immutable, even by the project owner.
  • DPA register: an internal contractual register tracking the source and verification status of each sub-processor's data-protection terms. Distinct from the DPA template HiringCoachAI offers to customers; the template is published on the trust center.
  • VPAT / ACR: Voluntary Product Accessibility Template / Accessibility Conformance Report. The standard format for declaring conformance to WCAG / Section 508.
  • WCAG: Web Content Accessibility Guidelines. Versions 2.1 (2018) and 2.2 (2023) are current; conformance is claimed at Level A, AA, or AAA, with AA the usual target.

Change log

Date        Change
2026-05-01  Initial glossary published.
2026-05-18  Registered for public rendering on the trust center.
