HiringCoachAI

Security overview

Last reviewed 2026-04-24

Public-facing summary of our security program.

How we protect your data

HiringCoachAI runs a layered security program aligned with the NIST Cybersecurity Framework 2.0 and the CIS Critical Controls v8 Implementation Group 1. Full policy text is published in the trust center documentation catalog.

Infrastructure

  • Hosting: Google Cloud Platform (Firebase) and Vercel: both SOC 2 Type II attested; Google additionally holds ISO 27001/17/18/701, Payment Card Industry Data Security Standard (PCI DSS) Level 1, HIPAA, and FedRAMP High.
  • Region: United States by default.
  • Network: HTTPS is required; HSTS and security headers are applied. Cloudflare provides public DNS and reverse-proxying for hiringcoach.ai; the Cloudflare edge minimum TLS version is TLS 1.2 with TLS 1.3 enabled. Archived Cloudflare API evidence lists the Cloudflare Managed Free Ruleset and L7 DDoS ruleset for the zone; Vercel platform protection and automatic DDoS mitigation also apply.

Encryption

  • In transit: HTTPS/TLS is required for browser-to-application traffic and managed service connections. HSTS, Content Security Policy, and other security headers are applied to responses.
  • At rest: platform-level encryption by Google Cloud (AES-256).
  • Field-level: AES-256-GCM application-side encryption is used for selected Restricted-class fields, including LinkedIn OAuth session cookies and TOTP authenticator secrets.

Key management

  • Platform encryption keys: at-rest encryption for Firestore and Cloud Storage is managed by Google Cloud's encryption service; HiringCoachAI does not custody these keys.
  • Application-side encryption keys: the AES-256-GCM key used for field-level encryption of Restricted-class data is stored as a protected secret in the hosting platform's environment-variable store; only server-side runtime code reads it.
  • Rotation: application-side encryption keys follow the secrets-rotation cadence in the information security policy (target 90 days); rotation supports a fallback-decrypt key during the rotation window so existing ciphertext remains readable.
  • Customer-managed encryption keys (CMEK): the standard deployment uses Google-managed keys; CMEK for Firestore is available on enterprise engagement.
  • Compromise response: suspected key compromise is handled as a Sev 1 incident per the incident response and breach notification policies, including rotation of the affected key, re-encryption of impacted ciphertext, and rotation of any downstream provider credentials whose access could have been derived.

Identity and access

  • Customers: passwordless magic-link sign-in by default; OAuth via Google, LinkedIn, and Facebook. OAuth account association avoids silent same-email linking based only on unverified provider email claims; those cases use email-confirmed recovery before the provider is connected. TOTP-based application-level multi-factor authentication is available as an opt-in setting on /account Security (RFC 6238 authenticator apps; one-time backup codes; AES-256-GCM at rest).
  • Administrators: current administrative accounts are required by policy to use Google Account MFA at the identity-provider layer. Server-side admin authorization checks are enforced on every protected API route, and administrators may also enroll in application-level TOTP MFA on /account/security.
  • Least privilege: authorization is binary at the application layer (administrator vs. non-administrator); customers receive user-scoped access enforced in API routes and Firestore Security Rules. Granular role-based access is available on enterprise engagement.
  • Administrative access: server-side admin authorization is enforced on every protected API route. Current administrative accounts are required by policy to use Google Account MFA at the identity-provider layer. Admin actions on selected endpoints are recorded in the append-only audit log; see the access control policy and logging & retention.

Application security

  • Firestore Security Rules with user-scoped reads and writes; documents not explicitly allowed are denied.
  • Output sanitization for rendered user-provided HTML.
  • CSRF protection via NextAuth; origin checks on mutating endpoints.
  • Rate limiting on selected high-risk endpoints (signup, writer/generate, writer/revise, AI feedback).
  • Safe outbound HTTP: requests to user-controlled URLs are routed through an SSRF-blocking helper that rejects private CIDRs and cloud-metadata IPs; local compliance checks and the scheduled/manual security workflow confirm new code uses the helper. See the secure development lifecycle.

Monitoring and response

  • Error monitoring: Sentry with sendDefaultPii: false; beforeSend strips request cookies, auth headers, query strings, and sensitive extra/context keys before ingest.
  • Audit logging: append-only auditLog collection for selected account, session, AI feedback, cookie-consent, administrative actions, and NextAuth sign-in/sign-out events; 2-year retention is enforced by the data-retention cron.
  • Alerts: on high-severity errors, failed payments, and status probes.
  • Incident response: documented runbook; 72-hour regulator-notification SLA documented in breach notification (process commitment).

Independent assessments

HiringCoachAI does not currently hold a SOC 2 Type I or Type II attestation, and no external third-party penetration test has been conducted in the most recent lookback period. The current program is supported by:

  • The documented policy set across this trust center
  • Mappings to NIST CSF 2.0 and CIS Critical Controls v8 IG1
  • A quarterly internal audit program with dated records
  • Internal application-security testing: SAST (Semgrep, CodeQL), SCA (Dependabot, npm audit), SBOM generation, authenticated pre-release DAST smoke, and unauthenticated OWASP ZAP baseline
  • The HECVAT 4.1.5 evidence bundle available on request via [email protected]

Additional independent assessment requests can be scoped through the DPA template §13.

Backups and resilience

  • Google Cloud provides platform durability and encryption for Firestore and Cloud Storage.
  • Live GCP review on 2026-05-07 confirmed Firestore PITR, managed daily Firestore backups with 98-day retention, and a separate US multi-region backup/export bucket with versioning, 90-day soft delete, and a 90-day retention policy.
  • Restore drills are a documented commitment; a targeted Firestore PITR drill and synthetic safe local restore drill are archived, with additional recovery exercises tracked in the disaster-recovery plan.

AI safety

  • Per-request controls minimize provider storage or transcript exposure where supported (store: false on OpenAI, redact=true on Deepgram). Provider terms govern retention and no-training defaults.
  • Current safeguards rely on user review, AI-use disclosure, scoped AI features, and prompt-injection / jailbreak checks where enabled.
  • Prompt-injection and jailbreak detection are applied to AI requests when the safety-check option is enabled.
  • AI audit logs record only metadata (model, endpoint, token counts, timing); raw prompt and completion content are intentionally excluded. See the AI use disclosure and logging & retention.
  • AI bias-evaluation baseline completed 2026-05-07, and a 2026-05-14 remediation rerun cleared the configured thresholds. The methodology and current status are documented in the AI bias evaluation.

Responsible disclosure

Found a security issue? We welcome reports: [email protected]. Details and scope at /responsible-disclosure. We publish /.well-known/security.txt.

Compliance

  • HIPAA: PHI/ePHI handling is outside the contracted service scope, and PHI submission is prohibited by our Terms.
  • Payment Card Industry Data Security Standard (PCI DSS): payment card data is captured by Stripe directly and does not touch our systems. Our applicable PCI DSS scope is Self-Assessment Questionnaire A (SAQ-A) because card capture is fully hosted by Stripe. Stripe holds a Level 1 PCI DSS Attestation of Compliance for the cardholder data environment, and HiringCoachAI systems receive only opaque billing identifiers and status metadata.
  • FERPA: For higher-ed deployments involving education records, FERPA obligations are handled through the applicable customer agreement, DPA, and authorized data-processing scope.
  • GDPR / UK GDPR: we rely on 2021 EU SCCs and the UK IDTA for transfers where required; full rights at /privacy.
  • CCPA / CPRA: service-provider posture; no sale or sharing of personal information.

Further reading

  • Privacy Policy: /privacy
  • Cookie Policy: /cookies
  • Sub-processors: /sub-processors
  • AI Disclosure: /ai-disclosure
  • Accessibility: /accessibility
  • Responsible Disclosure: /responsible-disclosure
  • Trust Center: hiringcoach.ai/trust

Contact

[email protected]: security inquiries, responsible disclosure [email protected]: privacy requests, DSRs

← Back to the trust center

showUpgradeModal: false, modalType: migration, planName: