Security & Compliance

1. Data Encryption

1.1 In Transit

All data transmitted between your browser and our servers is encrypted using:

• TLS 1.3: The latest and most secure encryption protocol
• HTTPS Everywhere: All connections are encrypted, no exceptions
• Perfect Forward Secrecy: Each session uses unique encryption keys
• HSTS Enabled: Browsers automatically use secure connections

1.2 At Rest

All data stored in our systems is encrypted using:

• AES-256 Encryption: Military-grade encryption for database records
• Encrypted File Storage: All uploaded documents encrypted in Supabase Storage
• Encrypted Backups: Database backups are fully encrypted
• Key Management: Encryption keys securely managed and rotated regularly

2. Access Control

2.1 Authentication

• Secure Password Hashing: Passwords hashed using bcrypt with salt
• Email Verification: Required before account activation
• Password Requirements: Minimum length and complexity enforced
• Session Management: Secure token-based authentication
• Auto-Logout: Sessions expire after inactivity

2.2 Authorization

• Role-Based Access Control: Owner vs. Sub-User permissions
• Row Level Security (RLS): Database-level access controls
• Signed URLs: Temporary, expiring links for document access
• Organization Isolation: Complete data separation between organizations

3. Infrastructure Security

3.1 Hosting & Network

• Cloudflare Pages: Global CDN with DDoS protection
• Supabase: Enterprise-grade PostgreSQL with built-in security
• Multi-Region Redundancy: Data replicated across multiple locations
• Firewall Protection: Network-level security rules
• Rate Limiting: Protection against brute force and abuse

3.2 Monitoring & Logging

• Real-Time Monitoring: 24/7 system health and security monitoring
• Audit Logs: Complete record of all user actions and data access
• Intrusion Detection: Automated alerts for suspicious activity
• Error Tracking: Comprehensive error logging for rapid response

4. Compliance & Certifications

4.1 GDPR Compliance

NewHirely is fully compliant with the General Data Protection Regulation (GDPR) for EU users:

• Right to access, rectify, and delete personal data
• Data portability in machine-readable formats
• Privacy by design and by default
• Data Processing Agreements available
• Lawful basis for data processing clearly documented

4.2 SOC 2 Type II

We are working toward SOC 2 Type II certification, demonstrating our commitment to:

• Security: Protection against unauthorized access
• Availability: Service uptime and reliability
• Confidentiality: Protection of confidential information
• Privacy: Collection, use, retention, and disposal of personal information

4.3 HIPAA Considerations

For healthcare customers, NewHirely implements safeguards to support HIPAA compliance:

• Encrypted storage of Protected Health Information (PHI)
• Access controls and audit trails
• Business Associate Agreements (BAA) available upon request
• Regular security assessments and updates

5. Document Security

5.1 File Upload & Storage

• Virus Scanning: All uploaded files scanned for malware
• File Type Validation: Only approved file types accepted
• Secure Storage: Files stored in encrypted Supabase Storage buckets
• Access Control: Files accessible only to authorized users
• Signed URLs: 24-hour expiring links for secure viewing

5.2 Document Retention

• Documents retained while account is active
• 30-day grace period after account cancellation
• Permanent deletion after retention period
• Immediate deletion available upon request

6. Third-Party Security

We carefully vet all third-party integrations for security and compliance:

• DocuSign: SOC 2 Type II certified, legally binding e-signatures
• Gusto: SOC 2 compliant payroll and HR platform
• Supabase: Enterprise-grade database with built-in security
• Cloudflare: Industry-leading DDoS protection and WAF
• Stripe: PCI DSS Level 1 compliant payment processing

7. Incident Response

In the unlikely event of a security incident:

• Immediate Response: Security team notified within minutes
• Investigation: Rapid assessment and containment
• Customer Notification: Affected customers notified within 72 hours
• Remediation: Fixes implemented and systems hardened
• Post-Mortem: Incident review and prevention measures

8. Employee Security Practices

• Background Checks: All employees undergo background screening
• Security Training: Regular security awareness training
• Access Controls: Principle of least privilege for internal access
• Confidentiality Agreements: All staff sign NDAs and confidentiality agreements
• Device Security: Mandatory encryption and security software on work devices

9. Application Security

9.1 Secure Development

• Code Reviews: All code changes peer-reviewed
• Security Testing: Regular vulnerability scanning and penetration testing
• Dependency Management: Automated updates for security patches
• Input Validation: All user inputs sanitized and validated
• SQL Injection Prevention: Parameterized queries and ORM usage

9.2 Authentication Security

• Password strength requirements enforced
• Brute force protection with rate limiting
• Account lockout after failed login attempts
• Secure password reset with email verification
• OAuth support for Google and GitHub (coming soon)

10. Availability & Reliability

10.1 Uptime

• 99.9% Uptime SLA: We guarantee high availability
• Multi-Region Deployment: Redundancy across geographic regions
• Auto-Scaling: Infrastructure scales automatically with demand
• Health Monitoring: Continuous uptime and performance monitoring

10.2 Disaster Recovery

• Daily Backups: Automated database backups every 24 hours
• Point-in-Time Recovery: Restore to any point in last 30 days
• Backup Testing: Regular restoration tests to verify integrity
• Geographic Redundancy: Backups stored in multiple locations

11. Compliance Programs

• GDPR: Full compliance for EU customers
• CCPA: California Consumer Privacy Act compliance
• SOC 2: Working toward Type II certification
• HIPAA: Business Associate Agreements for healthcare customers
• PCI DSS: Compliant payment processing via Stripe

12. Security Best Practices for Users

We recommend you:

• Use a strong, unique password for your NewHirely account
• Enable two-factor authentication when available
• Never share your account credentials
• Log out when using shared or public computers
• Keep your contact email secure and monitored
• Report any suspicious activity to security@newhirely.com

13. Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

Security Team: security@newhirely.com
Response Time: We respond to security reports within 24 hours
Responsible Disclosure: Please allow us time to fix issues before public disclosure

14. Security Updates

We continuously improve our security posture. Updates to our security practices will be posted on this page with revision dates.