Security at HireScope
HireScope is built for staffing agencies and in-house talent teams who handle sensitive job and candidate-adjacent data. This page summarizes how we protect customer data, who our sub-processors are, and where we are on our compliance roadmap. If anything here is unclear for your security review, contact us at the address below — we'll respond within two business days.
Data protection
- All traffic encrypted in transit via TLS 1.2+.
- Customer data encrypted at rest by our managed database provider (AES-256).
- Row-Level Security (RLS) policies enforce per-user and per-organization isolation at the database layer.
- The privileged service-role key is used only inside server-side functions and never exposed to the browser.
- Administrative actions on customer accounts are written to an immutable audit log accessible only to platform super-admins.
Access control
- Customer authentication via email/password and Google OAuth, with optional SAML SSO for enterprise customers.
- Role-based access inside organizations: owner, admin, member. Roles are enforced server-side, never trusted from the client.
- Internal platform access is restricted to a small set of named super-admin accounts.
- Production secrets are stored in a managed secret store; no secrets live in source control.
Sub-processors
HireScope relies on the following sub-processors to deliver the service. We have data protection terms in place with each vendor and review them periodically.
| Vendor | Purpose | Data shared | Region |
|---|---|---|---|
| Supabase | Database, authentication, file storage | Account profile, audit history, organization data | United States (default) |
| Cloudflare | Application hosting, edge runtime | Request metadata, IP addresses | Global edge |
| Stripe | Subscription billing | Email, billing address, payment method (tokenized) | United States / EU |
| Lovable AI Gateway | LLM inference for audits | Job posting text submitted for analysis | United States |
| Firecrawl | URL scraping for job posting fetch | Submitted job posting URLs | United States |
| Semrush | Keyword and SEO market data | Job titles and locations (no PII) | United States |
Compliance roadmap
HireScope is a growing platform and we're transparent about where we stand:
- SOC 2 Type I — audit targeted for Q3 2026.
- SOC 2 Type II — observation window beginning post-Type I; report targeted for Q2 2027.
- GDPR — we offer a Data Processing Agreement (see /dpa) and honor data subject rights described in our Privacy Policy.
- EU data residency — available on Enterprise plans on request.
- SAML SSO — available on Enterprise plans; contact sales to configure.
Vulnerability disclosure
If you've found a security issue, please email security@hire-scope.io with steps to reproduce. We'll acknowledge within two business days and aim to remediate critical issues within seven days. Please do not publicly disclose before we've had a chance to respond.
Last updated: 7/19/2026