Enterprise-grade security

Your data is protected by design.

SmplyHyre handles sensitive data — resumes, interview recordings, candidate assessments. We treat that responsibility seriously, with encryption, access controls, compliance frameworks, and a culture of security-first engineering.

Compliance

Frameworks and certifications.

SOC 2 Type II: In progress

AICPA audit covering security, availability, and confidentiality. Expected Q3 2025.

GDPR Compliant: Active

Full GDPR compliance with DPAs, SCCs, and a dedicated privacy officer.

ISO 27001: Planned

Information security management system. Planned for 2025.

DPDPA Ready: Active

India's Digital Personal Data Protection Act 2023 compliance framework in place.

How we protect your data

Security in every layer.

Encryption everywhere

TLS 1.3 for all data in transit — no fallback to older protocols
AES-256 encryption for all data at rest (recordings, resumes, reports)
Interview session tokens signed with RS256 — cannot be forged or replayed
Database encryption with customer-specific key isolation
PDF scorecards encrypted before delivery

Infrastructure security

Hosted on AWS ap-south-1 (Mumbai) — data stays in India by default
VPC with private subnets — databases not exposed to the internet
Web Application Firewall (WAF) blocking common attack vectors
DDoS protection via AWS Shield Standard
Sandboxed Docker containers for code execution — no internet access, no host access
Automatic patches and OS updates across all infrastructure

Access controls

Role-based access control (RBAC) — least privilege principle enforced
MFA mandatory for all SmplyHyre employee accounts
HR users can only access their own organisation's data
Candidate data is isolated per interview session — no cross-session access
Admin actions (data deletion, plan changes) require 2FA re-authentication
Full audit log of all admin and HR actions retained for 1 year

Monitoring and response

Real-time security monitoring via AWS GuardDuty and CloudTrail
Anomaly detection on login patterns and API usage
Automated alerting for suspicious account activity
On-call security incident response 24/7
GDPR Art. 33 breach notification within 72 hours
Post-incident reports shared with affected customers within 5 business days

Penetration testing

Annual third-party penetration tests by certified security firms
Automated DAST scanning on every production deployment
OWASP Top 10 coverage in every security review
Findings tracked to remediation with SLAs by severity

Anti-cheat security

Interview session links are single-use and expire after 2 hours
Camera presence verified via WebRTC — session paused if camera lost
Paste events timestamped and character-counted in an immutable log
Tab switch and window blur events logged with millisecond precision
Typing rhythm analysis compares live input against natural patterns
All anti-cheat events are included in the signed, tamper-evident PDF report
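
The token properties claimed above (session tokens signed with RS256 that cannot be forged or replayed, and session links that are single-use and expire after 2 hours) correspond to three checks a verifier has to perform in a fixed order: signature, expiry, then single use. The Go program below is an added illustration of that verifier and is not SmplyHyre's own code. The compact token layout, the claim names (sid, jti, exp) and the in-memory set of consumed token IDs are assumptions made for the example; a deployment with more than one API instance would need a shared store for consumed IDs so that a replay against a second instance is also rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Claims in a session token. Claim names are assumed for this example;
// the page does not document the actual token format.
type Claims struct {
	SessionID string `json:"sid"`
	JTI       string `json:"jti"` // unique token id, consumed on first use
	ExpiresAt int64  `json:"exp"`
}

// SessionLifetime mirrors the 2-hour expiry stated on the page.
const SessionLifetime = 2 * time.Hour

var (
	ErrBadFormat = errors.New("token: malformed")
	ErrBadSig    = errors.New("token: signature invalid")
	ErrExpired   = errors.New("token: expired")
	ErrReplayed  = errors.New("token: already used")
)

// Issuer signs tokens; RS256 is RSASSA-PKCS1-v1_5 over SHA-256.
type Issuer struct{ key *rsa.PrivateKey }

func NewIssuer() (*Issuer, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Issuer{key: k}, nil
}

func (i *Issuer) PublicKey() *rsa.PublicKey { return &i.key.PublicKey }

// Issue mints a compact token "base64url(payload).base64url(signature)".
func (i *Issuer) Issue(sessionID string, now time.Time) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	c := Claims{SessionID: sessionID, JTI: base64.RawURLEncoding.EncodeToString(raw),
		ExpiresAt: now.Add(SessionLifetime).Unix()}
	payload, _ := json.Marshal(c)
	h := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, i.key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(payload) + "." +
		base64.RawURLEncoding.EncodeToString(sig), nil
}

// Verifier checks signature, expiry and single use. The used-ID set is
// in-memory (an assumption); multi-instance deployments need a shared store.
type Verifier struct {
	pub  *rsa.PublicKey
	mu   sync.Mutex
	used map[string]struct{}
}

func NewVerifier(pub *rsa.PublicKey) *Verifier {
	return &Verifier{pub: pub, used: map[string]struct{}{}}
}

// Consume validates the token and marks it used, so presenting it again fails.
func (v *Verifier) Consume(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, ErrBadFormat
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return nil, ErrBadFormat
	}
	// Signature first: no claim is trusted until the payload is authenticated.
	h := sha256.Sum256(payload)
	if err := rsa.VerifyPKCS1v15(v.pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, ErrBadSig
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, ErrBadFormat
	}
	if !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, ErrExpired
	}
	// Single use: the jti is recorded under the lock together with the accept.
	v.mu.Lock()
	defer v.mu.Unlock()
	if _, seen := v.used[c.JTI]; seen {
		return nil, ErrReplayed
	}
	v.used[c.JTI] = struct{}{}
	return &c, nil
}

func main() {
	iss, _ := NewIssuer()
	ver := NewVerifier(iss.PublicKey())
	tok, _ := iss.Issue("interview-1234", time.Now())
	_, err := ver.Consume(tok, time.Now())
	fmt.Println("first use:", err) // <nil>
	_, err = ver.Consume(tok, time.Now())
	fmt.Println("replay:", err) // token: already used
}
```

The order of checks matters: a tampered payload is rejected before its claims are even parsed, so an attacker cannot influence the expiry or jti comparison, and the consumed-ID set is only written once a token has passed both signature and expiry checks.
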

Data flow

Where your data lives.

Resume upload

Uploaded directly to encrypted AWS S3. Parsed by our AI in a sandboxed environment. Never stored in plain text.

Live session

WebRTC video is peer-to-peer encrypted. Code execution runs in isolated Docker containers with no internet access.

Scorecard & reports

Generated in a private compute environment. PDF is AES-256 encrypted at rest. Delivered over TLS 1.3. Deleted per retention schedule.

Bug bounty

Responsible disclosure program.

We welcome security researchers who responsibly disclose vulnerabilities. If you find a security issue in SmplyHyre, please report it to us — we'll acknowledge your report promptly and work to fix it.

Please include: reproduction steps, impact assessment, and your contact information. We ask for 90 days to remediate before public disclosure.

Response SLA by severity

Critical: Acknowledge in 24 hours
High: Acknowledge in 72 hours
Medium: Acknowledge in 7 days
Low: Acknowledge in 30 days

We do not pursue legal action against researchers who follow responsible disclosure guidelines.

Have a security question?

Enterprise customers can request our full security documentation, penetration test reports, and DPA.