Data residency
- Primary database and file storage: Supabase, eu-west-2 (London).
- Error reporting: Sentry, EU (Frankfurt).
- Application compute: Vercel on the Pro plan, function region pinned to London (lhr1). Edge caches are global.
- The candidate AI prep assistant calls Anthropic in the United States. That single hop is covered by Standard Contractual Clauses; nothing else leaves the EU on the application path.
Encryption
- All traffic uses TLS 1.2+ with HSTS enabled and a two-year max-age.
- Data at rest in Supabase Postgres and Storage is encrypted with AES-256.
- Secrets are stored in Vercel's encrypted environment variable system, never in source.
Access control
- Every tenant-scoped table has row-level security enabled at the database layer. A recruiter user cannot read or write another company's rows even if the application layer has a bug.
- Service-role database access is restricted to server-side code and is never exposed to the browser.
- Recruiter team roles (owner, admin, member) gate destructive actions through a single role-checking module rather than scattered string comparisons.
- Candidate portals are accessed by a per-portal magic token; the token is rotated on demand and portals can be expired by the recruiter at any time.
Auditing
- Every state-changing admin action writes an entry to a tamper-evident audit log including actor, target, IP, user agent, and timestamp.
- Audit failures are reported to Sentry so they cannot be silently dropped.
- Stripe webhook events are signature-verified and processed on the Node runtime with the raw body intact.
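The webhook bullet above packs in two controls: the signature check and the requirement that it runs over the raw request body. The following is an added example, not CandidHQ's handler, of what that check does, written directly against Node's crypto module so the mechanics are visible. It follows the signing scheme Stripe documents (a Stripe-Signature header of the form t=<unix seconds>,v1=<hex HMAC-SHA256 over "<t>.<raw body>"), but the secret, payload and tolerance values here are constructed for the example; in production the Stripe SDK's constructEvent performs the same verification.

```typescript
// Added example: verifying a Stripe-style webhook signature over the raw body.
// Scheme as Stripe documents it: header "t=<unix>,v1=<hex>", where
// v1 = HMAC-SHA256(endpoint secret, `${t}.${rawBody}`). Illustrative only.
import { createHmac, timingSafeEqual } from "node:crypto";

// Stripe's default replay window; assumed here.
export const DEFAULT_TOLERANCE_SECONDS = 300;

// Test-side helper that mimics the sender. In reality Stripe signs; this exists
// so the example can be exercised offline with a constructed secret.
export function signPayload(secret: string, rawBody: string, timestamp: number): string {
  const v1 = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
  return `t=${timestamp},v1=${v1}`;
}

function parseSignatureHeader(header: string): { t: number; v1: string[] } | null {
  const out = { t: NaN, v1: [] as string[] };
  for (const part of header.split(",")) {
    const [k, v] = part.split("=", 2);
    if (k === "t") out.t = Number(v);
    else if (k === "v1" && v) out.v1.push(v);
  }
  if (!Number.isInteger(out.t) || out.v1.length === 0) return null;
  return out;
}

// Constant-time comparison of two hex digests; mismatched lengths are a mismatch.
function safeEqualHex(a: string, b: string): boolean {
  const ba = Buffer.from(a, "hex");
  const bb = Buffer.from(b, "hex");
  return ba.length > 0 && ba.length === bb.length && timingSafeEqual(ba, bb);
}

// rawBody must be the exact bytes received. JSON.stringify(JSON.parse(raw))
// generally differs from raw (whitespace, key order), so a handler that lets a
// framework parse the body first will compute a different MAC and reject
// every event. Read the raw text (e.g. request.text()) and verify that.
export function verifyWebhook(
  rawBody: string,
  header: string | null,
  secret: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
  toleranceSeconds: number = DEFAULT_TOLERANCE_SECONDS,
): { ok: true; event: unknown } | { ok: false; reason: string } {
  if (!header) return { ok: false, reason: "missing signature header" };
  const parsed = parseSignatureHeader(header);
  if (!parsed) return { ok: false, reason: "malformed signature header" };
  // Replay window: reject stale or future-dated timestamps before any body work.
  if (Math.abs(nowSeconds - parsed.t) > toleranceSeconds) {
    return { ok: false, reason: "timestamp outside tolerance" };
  }
  const expected = createHmac("sha256", secret).update(`${parsed.t}.${rawBody}`).digest("hex");
  // Several v1 values can be present while an endpoint secret is being rotated.
  if (!parsed.v1.some((sig) => safeEqualHex(sig, expected))) {
    return { ok: false, reason: "signature mismatch" };
  }
  // Parse only after the MAC check; from here the event content is trusted.
  return { ok: true, event: JSON.parse(rawBody) };
}
```

The ordering matters: header parsing and the timestamp check happen before the HMAC, and JSON parsing happens only after it, so unauthenticated input never reaches the JSON parser.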
Application hardening
- A Content Security Policy restricts script, style, frame, and connect origins.
- frame-ancestors 'none' plus X-Frame-Options: DENY prevent clickjacking.
- Permissions-Policy denies camera, microphone, geolocation, payment, USB, and FLoC.
- Rate limits on candidate-facing endpoints (per-IP, per-portal, per-day, per-lifetime).
- All user-supplied HTML is sanitised through an allowlist before render or storage.
- All form inputs are validated through Zod schemas at the server-action boundary.
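To make the header bullets above concrete, here is an added example (not CandidHQ's configuration, whose exact directive values are not published on this page) that assembles those response headers from a directive map. The specific origins, the nonce approach for script-src, and includeSubDomains on HSTS are assumptions; the two-year HSTS max-age, frame-ancestors 'none', X-Frame-Options: DENY and the Permissions-Policy feature list follow the page.

```typescript
// Added example: building the security headers described on the page.
// Directive values are assumptions for illustration.

export const TWO_YEARS_SECONDS = 2 * 365 * 24 * 60 * 60; // 63072000

export interface CspOptions {
  // Per-response nonce so a framework's inline bootstrap script can run
  // without 'unsafe-inline' (assumed approach).
  scriptNonce?: string;
  // Extra origins for fetch/XHR/WebSocket, e.g. the Supabase project URL (assumed).
  connectOrigins?: string[];
}

// Build the CSP from a map rather than a hand-edited string so each origin is
// listed once and reviewers can diff the policy directive by directive.
export function buildCsp(opts: CspOptions = {}): string {
  const directives: Record<string, string[]> = {
    "default-src": ["'self'"],
    "script-src": ["'self'", ...(opts.scriptNonce ? [`'nonce-${opts.scriptNonce}'`] : [])],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'", ...(opts.connectOrigins ?? [])],
    "frame-src": ["'none'"],
    "frame-ancestors": ["'none'"], // CSP-level clickjacking control
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
  };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

export function securityHeaders(opts: CspOptions = {}): Record<string, string> {
  return {
    "Content-Security-Policy": buildCsp(opts),
    // Legacy clickjacking control for clients that predate frame-ancestors.
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": `max-age=${TWO_YEARS_SECONDS}; includeSubDomains`,
    // interest-cohort=() is the Permissions-Policy feature that disables FLoC.
    "Permissions-Policy":
      "camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=()",
  };
}

// Guard for CI: flag a policy whose script-src has been weakened to allow
// arbitrary inline scripts, which would undo most of the XSS protection.
export function cspAllowsInlineScripts(csp: string): boolean {
  const script = csp
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("script-src "));
  return script !== undefined && script.includes("'unsafe-inline'");
}
```

In a Next.js deployment these values would be returned from middleware or the headers() config; the generator keeps the policy in one place so the two clickjacking controls and the HSTS lifetime cannot drift apart.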
AI assistant safety
- The candidate prep assistant is grounded only in content the recruiter put on the portal.
- It is instructed to refuse off-topic requests, salary negotiation, and questions about other candidates.
- Per-portal and per-IP rate limits cap how often it can be invoked.
- A combined monthly AI spend cap per customer prevents runaway cost from abuse.
- Anthropic does not train on API inputs; the company-supplied terms cover that explicitly.
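Both the candidate-endpoint rate limits (per-IP, per-portal, per-day, per-lifetime) in the hardening section and the per-portal, per-IP and monthly-spend limits on the assistant above describe the same layered pattern, so one added example serves both. It is illustrative code, not CandidHQ's implementation: the counters are in memory (a real deployment on Vercel would keep them in a shared store such as the Postgres database, since functions do not share memory), and every limit value and cost figure is a made-up number. The design point it shows is that all layers are checked before any counter is incremented, so a request blocked by one layer does not burn budget in another, and that the spend cap reserves cost before the model call rather than recording it afterwards.

```typescript
// Added example: layered rate limits plus a monthly spend cap. In-memory and
// single-process for illustration; limits and costs are assumptions.

export interface LimitRule {
  name: string;
  scope: "ip" | "portal";
  max: number;
  windowSeconds: number | null; // null = lifetime, the counter never resets
}

// The four layers named on the page; the numbers are invented for the example.
export const CANDIDATE_ENDPOINT_RULES: LimitRule[] = [
  { name: "per-ip-minute", scope: "ip", max: 20, windowSeconds: 60 },
  { name: "per-portal-minute", scope: "portal", max: 30, windowSeconds: 60 },
  { name: "per-portal-day", scope: "portal", max: 200, windowSeconds: 86400 },
  { name: "per-portal-lifetime", scope: "portal", max: 2000, windowSeconds: null },
];

interface Counter { count: number; windowStart: number }

export class RateLimiter {
  private counters = new Map<string, Counter>();

  // Fixed-window counter per (rule, subject). `now` is injected for testability.
  private slot(rule: LimitRule, key: string, now: number): Counter {
    const id = `${rule.name}:${key}`;
    let c = this.counters.get(id);
    const expired = c !== undefined && rule.windowSeconds !== null
      && now - c.windowStart >= rule.windowSeconds;
    if (!c || expired) {
      c = { count: 0, windowStart: now };
      this.counters.set(id, c);
    }
    return c;
  }

  // Returns null if the request may proceed, otherwise the name of the rule
  // that blocked it. Counters are incremented only when every rule passes.
  consume(rules: LimitRule[], keys: Record<"ip" | "portal", string>, now: number): string | null {
    const slots = rules.map((rule) => ({ rule, c: this.slot(rule, keys[rule.scope], now) }));
    const blocked = slots.find(({ rule, c }) => c.count >= rule.max);
    if (blocked) return blocked.rule.name;
    for (const { c } of slots) c.count += 1;
    return null;
  }
}

// Monthly spend cap per customer: estimated cost is reserved before the model
// call, so a burst of concurrent requests cannot overshoot the cap together.
export class SpendCap {
  private readonly capPence: number;
  private spent = new Map<string, number>(); // key: `${customerId}:${year}-${month}`

  constructor(capPence: number) {
    this.capPence = capPence;
  }

  private key(customerId: string, now: Date): string {
    return `${customerId}:${now.getUTCFullYear()}-${now.getUTCMonth() + 1}`;
  }

  remaining(customerId: string, now: Date): number {
    return this.capPence - (this.spent.get(this.key(customerId, now)) ?? 0);
  }

  // Returns false, recording nothing, if the call would exceed this month's cap.
  tryReserve(customerId: string, estimatedPence: number, now: Date): boolean {
    if (estimatedPence > this.remaining(customerId, now)) return false;
    const k = this.key(customerId, now);
    this.spent.set(k, (this.spent.get(k) ?? 0) + estimatedPence);
    return true;
  }
}
```

A handler for the assistant would call consume() with the request's IP and portal id, then tryReserve() with the customer's estimated cost for the prompt, and only then call the model; a refusal at either step returns a 429 without touching the upstream API.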
Data minimisation
We deliberately do not store CVs, phone numbers, postal addresses, dates of birth, salary expectations, demographic data, or any special-category data (health, race, religion, biometric). CandidHQ's candidate data footprint is materially smaller than a typical Applicant Tracking System. See the Privacy Policy for the exact list.
Retention
- Candidate portal data is automatically purged 365 days after portal expiry by default. Recruiter customers can configure a shorter window inside the admin.
- Account data for cancelled recruiter accounts is deleted within 90 days.
- Audit logs are kept for 24 months; billing records for 7 years to meet UK tax law.
Right to erasure (DSAR)
Recruiters have a one-click export and delete inside the admin for any candidate record. Candidates can request access or erasure directly via the recruiter, or by writing to privacy@candidhq.tech; we respond within 30 days.
Incident response
- Runtime errors are captured by Sentry with PII scrubbing; on-call review is part of the working week.
- In the event of a personal-data breach, we will notify affected recruiter controllers within 72 hours of becoming aware, with the facts, scope, mitigations, and contact information required for them to meet Art. 33 UK GDPR.
- Stripe and Supabase incidents are monitored via their respective status pages.
Backups & recovery
- Database point-in-time recovery is provided by Supabase, retained for 7 days on our current plan.
- File storage is replicated by Supabase's underlying provider.
Certifications & assurance
CandidHQ is registered with the UK Information Commissioner's Office under registration number C1941533 (verifiable on the ICO public register). We are progressing toward Cyber Essentials and SOC 2 Type I during 2026; current status is available on request via privacy@candidhq.tech. Sub-processor certifications (Supabase SOC 2 Type II, Vercel SOC 2 Type II, Stripe PCI DSS Level 1) are inherited at the platform layer.
What we have not yet done
Transparency is part of the security posture. As of 25 May 2026: we have not yet completed an external penetration test, do not yet hold an independent SOC 2 report, and do not yet offer SSO/SAML or customer-managed encryption keys. These are on the roadmap and we will update this page as each lands. Customers with specific requirements can write to privacy@candidhq.tech.
Responsible disclosure
If you believe you have found a security vulnerability, please report it to security@candidhq.tech. We acknowledge reports within 2 business days and aim to triage within 5. We do not run a paid bug bounty today, but we credit researchers (with consent) on a hall-of-fame page once we publish one.
See also: Privacy Policy, Data Processing Agreement, Sub-processors.