Physical security
Last reviewed 2026-05-17
Scope
HiringCoachAI is fully remote; we operate no first-party data centers, offices, or on-premises infrastructure. Physical security therefore focuses on personnel endpoints (laptops, mobile devices, authenticators) and our upstream providers.
Hardware supply-chain scope
HiringCoachAI is a cloud-hosted SaaS product. We do not manufacture, sell, lease, ship, or manage customer hardware, telecommunications equipment, physical appliances, embedded devices, or export-controlled computing devices. Institutions do not install HiringCoachAI hardware or agents.
Personnel laptops, mobile devices, and authenticators are treated as endpoints rather than product hardware. Their hardening, loss/theft, and disposal requirements are documented below and in acceptable use. Production cloud hardware supply-chain controls are managed by our infrastructure providers under their own audited programs.
Upstream physical security
All production data resides in Google Cloud Platform and Vercel. Google Cloud data centers are audited against ISO 27001/17/18/701, SOC 1/2/3, Payment Card Industry Data Security Standard (PCI DSS), HIPAA, and FedRAMP High. Vercel is SOC 2 Type II attested. We rely on these providers' published physical controls and incorporate them by reference; certification links are maintained on hiringcoach.ai/trust.
Personnel endpoints
All personnel (employees, contractors, interns) comply with:
Device hardening
- Full-disk encryption mandatory: FileVault (macOS), BitLocker (Windows), LUKS (Linux). Verified at onboarding.
- Automatic screen lock after ≤ 10 minutes of idle.
- Login password + biometric (Touch ID / Windows Hello / equivalent).
- OS auto-updates enabled; security patches applied within 14 days of release as the operational target. Patches that cannot be applied within the target window — for example, because the vendor patch breaks tooling required for the work — are handled as a time-bound exception under the patch management exception process.
- Browser auto-updates enabled.
- Reputable anti-malware active (Defender on Windows; XProtect + Gatekeeper on macOS; clamav or similar on Linux).
Mobile device hardening (if used for work)
- Device PIN ≥ 6 digits or biometric.
- Find-my-device enabled.
- Work email / 2FA apps (Google Authenticator, 1Password, Authy) pinned behind device unlock.
Physical handling
- Devices not left unattended in public spaces (cafes, co-working spaces).
- Screen privacy filter recommended in shared spaces.
- No unknown / untrusted USB drives.
- Devices locked or powered off when traveling.
Authenticators
- Hardware keys (YubiKey) encouraged for the Security Officer and admins; stored physically secured when not in use.
- TOTP apps (1Password, Authy, Google Authenticator) protected behind device unlock + app-level PIN where available.
Loss / theft procedure
If a work device or hardware authenticator is lost or stolen:
1. Within 1 hour of discovery: notify the Security Officer.
2. Remote wipe: Find-my (Apple/Google), Windows "Remote Lock", or Google Workspace MDM.
3. Revoke all sessions from the affected device (audit log → force sign-out; rotate OAuth refresh tokens for the user).
4. Rotate any credential the device may have cached.
5. File a police report if theft; include the report number in the incident post-mortem.
6. Evaluate whether personal data was accessible on the device: if yes, treat as a potential breach per breach notification.
Visitor / office access
N/A: no offices.
Disposal of media
- Before disposing of any device that held HiringCoachAI data or credentials: full secure wipe (cryptographic erase on encrypted drives is acceptable) or physical destruction.
- Disposal is logged in the restricted device-disposal evidence set with date, device type, and method.
- Cloud-stored data disposal is Google/Vercel's responsibility per their certifications.
MDM
Endpoint device hygiene is enforced by acknowledgement at onboarding and verified at each internal audit.