Information security policy
Last reviewed 2026-05-18
1. Purpose
This policy establishes HiringCoachAI's commitment to the confidentiality, integrity, and availability of the data we process on behalf of our users and customers. It forms the umbrella under which every other security, privacy, and operational policy in docs/compliance/ is authorized.
2. Scope
All personnel (employees, contractors, interns), all systems operated by HiringCoachAI (Vercel, Firebase/GCP, Stripe, SendGrid, third-party AI providers), all data processed by the service, and any third party with access to customer data.
3. Principles
We align our security program with the NIST Cybersecurity Framework 2.0 (Govern / Identify / Protect / Detect / Respond / Recover) and the CIS Critical Security Controls v8 Implementation Group 1 (IG1). See the NIST CSF 2.0 mapping and the CIS Controls v8 IG1 mapping.
Core principles:
1. Least privilege. Every person, service, and system gets only the access needed to perform its role.
2. Defense in depth. No single control is trusted to be sufficient. Network, application, data, and identity controls are layered.
3. Default deny. Our Firestore rules, API authorization, and cloud IAM all start from "deny everything" and explicitly allow.
4. Secure by default. New features are expected to ship with authorization, input validation, and audit logging already wired.
5. Privacy by design. We collect the minimum data needed, encrypt it at rest and in transit, and give users meaningful control over it.
6. Continuous improvement. Quarterly internal audits, annual policy reviews, ongoing threat modeling.
4. Roles and responsibilities
Current state: the company principal serves as Security Officer, Privacy Officer / data-protection contact, and Accessibility Lead. Sensitive-system access is limited to approved personnel under the access-control and background-check policies.
| Role | Held by | Responsibilities |
|---|---|---|
| Security Officer | Founder | Owns this policy, approves exceptions, leads incident response, quarterly internal audit |
| Privacy Officer / data protection contact | Founder | Privacy inquiries, DSR handling, breach notifications, sub-processor register |
| Accessibility Lead | Founder | Accessibility contact ownership, VPAT / ACR maintenance, accessibility feedback triage, remediation coordination |
| Engineering | Engineering personnel | Implements controls; PR review; secure coding; vulnerability remediation |
| All personnel | Anyone with approved access | Follow acceptable use as applicable; complete access-appropriate training; report suspected incidents |
5. Policy framework
The following sub-policies are part of this program and binding on all personnel:
- Access control (access control policy)
- Acceptable use (acceptable use)
- Data classification (data classification)
- Data retention (data retention policy)
- Change management (change management)
- SDLC (secure development lifecycle)
- Patch management (patch management)
- Incident response (incident response)
- Breach notification (breach notification)
- Business continuity (business continuity plan)
- Disaster recovery (disaster recovery plan)
- Vendor risk management (vendor risk management)
- AI use (AI use disclosure)
- Physical security (physical security)
- Security awareness & training (security awareness training)
- Background checks (background checks)
- Internal audit (internal audit program)
6. Compliance and exceptions
Exceptions to this policy require written approval from the Security Officer, must have a time-bound expiry (≤90 days), and are tracked in the internal exceptions register.
7. Enforcement
Violations are investigated by the Security Officer and may result in access revocation, employment consequences, or legal action depending on severity.
8. Review
This policy is reviewed at least annually. Material changes are communicated to all personnel via email and acknowledged in writing (email reply or e-signature).