Trust
Security
Last updated: July 7, 2026
What we protect
Hireanex handles candidate data on behalf of hiring teams: contact details, resumes, interview audio and video, transcripts, and evaluation reports. Protecting that data is the product — a hiring platform that leaks candidate interviews has failed at its one job.
Encryption
Every connection uses TLS — the web app, the API, video calls, and recording playback. Data is encrypted at rest in the database (Neon Postgres) and in recording storage (Cloudflare R2). Database backups are additionally encrypted at the application layer before they leave the database provider.
Your data stays yours
- Every request is scoped to your organization — candidate data is partitioned per customer and never visible across organizations.
- Within your organization, role-based permissions apply: by default recruiters see only their own candidates; admins control per-role access.
- Report share links use unguessable tokens, support expiry, and are revoked when a candidate is deleted.
Recording with consent
A candidate cannot enter the interview room without explicitly consenting to being recorded — the check is enforced on the server, not just in the interface. Recordings live in a private bucket with no public access and playback uses short-lived signed URLs. Recordings are retained while your account is active; permanent deletion of a candidate's records is available on request, and all of your data is deleted within 30 days of account termination.
Account security
- Two-factor sign-in for every account: a password alone is never enough — signing in also requires a 6-digit code sent to the account holder's email.
- Passwords are hashed with bcrypt; signup and password reset require email verification with lockouts on repeated failures.
- Changing or resetting a password immediately signs out every other session — a stolen token dies with the old password.
- Deactivating a team member takes effect immediately, not when their session expires.
Backups you don't have to take on faith
The database supports point-in-time recovery. Every night we take an encrypted database dump, stored outside the database provider, and a second copy of all recordings in a separate backup bucket. The restore procedure isn't theoretical — we run restore drills and the last one passed in July 2026.
How we build
Every change runs through continuous integration: type-checked builds, an automated test suite that exercises the real API against real databases, and dependency vulnerability scanning. Production releases are gated on green CI. AI-generated scores are range-validated on the server before they are stored, and model inputs are hardened against prompt injection.
AI data handling
Interview transcripts, job descriptions, and candidate resumes are processed by Deepgram (speech-to-text) and by Anthropic Claude and Google Gemini (evaluation) via their commercial APIs. We have not opted in to any provider data-sharing or model-improvement program. AI output is decision support: the platform never auto-rejects anyone — your team records the verdict.
Who has access internally
Covitit Inc is a small company, and we say so plainly: production access is limited to the founding engineer, multi-factor authentication is enforced on every infrastructure account, and no third-party staff have access to customer data.
If something goes wrong
All services report to centralized error and latency monitoring with alerting. If we become aware of a breach affecting your data, we notify affected account holders by email without undue delay — and no later than 72 hours after we become aware. This commitment is in our Terms and in the DPA.
Compliance status, honestly
A GDPR/CCPA Data Processing Agreement is available for signature, and our privacy policy keeps a current list of subprocessors — account holders are emailed before that list changes. We are not yet SOC 2 or ISO 27001 certified; that is planned as the company grows. In July 2026 we completed a 20-track internal security audit and remediated its critical findings.
Reporting a security issue
Email admin@hireanex.com. We acknowledge within 2 business days and will keep you informed through remediation. Please don't test against production candidate data.