Trust & Compliance

Security at HireScope

HireScope is built for staffing agencies and in-house talent teams who handle sensitive job and candidate-adjacent data. This page summarizes how we protect customer data, who our sub-processors are, and where we are on our compliance roadmap. If anything here is unclear for your security review, contact us at the address below — we'll respond within two business days.

Data protection

  • All traffic encrypted in transit via TLS 1.2+.
  • Customer data encrypted at rest by our managed database provider (AES-256).
  • Row-Level Security (RLS) policies enforce per-user and per-organization isolation at the database layer.
  • The privileged service-role key is used only inside server-side functions and never exposed to the browser.
  • Administrative actions on customer accounts are written to an immutable audit log accessible only to platform super-admins.

Access control

  • Customer authentication via email/password and Google OAuth, with optional SAML SSO for enterprise customers.
  • Role-based access inside organizations: owner, admin, member. Roles are enforced server-side, never trusted from the client.
  • Internal platform access is restricted to a small set of named super-admin accounts.
  • Production secrets are stored in a managed secret store; no secrets live in source control.

Sub-processors

HireScope relies on the following sub-processors to deliver the service. We have data protection terms in place with each vendor and review them periodically.

VendorPurposeData sharedRegion
SupabaseDatabase, authentication, file storageAccount profile, audit history, organization dataUnited States (default)
CloudflareApplication hosting, edge runtimeRequest metadata, IP addressesGlobal edge
StripeSubscription billingEmail, billing address, payment method (tokenized)United States / EU
Lovable AI GatewayLLM inference for auditsJob posting text submitted for analysisUnited States
FirecrawlURL scraping for job posting fetchSubmitted job posting URLsUnited States
SemrushKeyword and SEO market dataJob titles and locations (no PII)United States

Compliance roadmap

HireScope is a growing platform and we're transparent about where we stand:

  • SOC 2 Type I — audit targeted for Q3 2026.
  • SOC 2 Type II — observation window beginning post-Type I; report targeted for Q2 2027.
  • GDPR — we offer a Data Processing Agreement (see /dpa) and honor data subject rights described in our Privacy Policy.
  • EU data residency — available on Enterprise plans on request.
  • SAML SSO — available on Enterprise plans; contact sales to configure.

Vulnerability disclosure

If you've found a security issue, please email security@hire-scope.io with steps to reproduce. We'll acknowledge within two business days and aim to remediate critical issues within seven days. Please do not publicly disclose before we've had a chance to respond.

Last updated: 7/19/2026