Security

Your interview data, protected at every layer

Hiring involves sensitive personal information. CandidReel is built with security as a foundation — not an afterthought. Here's how we protect your data.

Encryption everywhere

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Interview recordings, transcripts, and personal data are never stored unencrypted.

SOC 2 compliant infrastructure

CandidReel is hosted on Supabase and Vercel — both SOC 2 Type II compliant providers with enterprise-grade security controls, automated backups, and global CDN distribution.

Enterprise video infrastructure

Interview recordings are processed and delivered through Mux, the same video infrastructure trusted by major media companies. Videos are stored with redundancy across multiple data centres.

Row-level security and access controls

Every database query is enforced with row-level security policies. Team members only see data belonging to their organisation. Role-based permissions ensure the right people have the right level of access.

Responsible AI processing

Interview data sent to AI providers for transcription and scoring is processed in real time and not retained by those providers. Your data is never used to train third-party AI models.

Compliance and privacy

CandidReel is built to comply with the Australian Privacy Act 1988 and is GDPR-ready for organisations operating in the EU. Data processing agreements are in place with all third-party providers.

Security in depth

Authentication and session management

User sessions are managed with cookies that carry the HttpOnly, Secure, and SameSite attributes. Authentication supports email and password, social login (Google), and magic links. All passwords are hashed using bcrypt with appropriate cost factors.

Network security

All traffic is served over HTTPS with HSTS enabled. We enforce strict Content Security Policy headers, X-Frame-Options, and X-Content-Type-Options headers to prevent common web vulnerabilities. Rate limiting is applied to authentication endpoints and API routes to prevent abuse.

Data isolation

Each organisation's data is logically isolated using row-level security policies at the database level. This means that even if an application-level bug were introduced, the database itself prevents cross-tenant data access.
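As an added illustration of the row-level security described here and under "Row-level security and access controls" (this is not CandidReel's own schema or policy code), the following shows how per-organisation isolation is expressed in Postgres, the database behind Supabase. The tables, columns and role names are assumptions; auth.uid() is Supabase's helper that reads the caller's user id from the request's JWT.

```sql
-- Constructed schema, not CandidReel's: one membership row per user per
-- organisation, and one interview row tagged with the organisation that owns it.
-- user_id values correspond to auth.users.id in Supabase.
create table memberships (
  user_id         uuid not null,
  organisation_id uuid not null,
  role            text not null check (role in ('owner', 'recruiter', 'viewer')),
  primary key (user_id, organisation_id)
);

create table interviews (
  id              uuid primary key default gen_random_uuid(),
  organisation_id uuid not null,
  candidate_name  text not null,
  transcript      text
);

-- Turn the policies on. FORCE also binds the table owner, so an application
-- role that happens to own the table gets no implicit bypass.
alter table interviews enable row level security;
alter table interviews force row level security;

-- Read: any member of the owning organisation sees the row; nobody else does.
-- (memberships has no RLS of its own in this example, so the subquery is not
-- itself filtered; if it were, a SECURITY DEFINER helper would be needed.)
create policy interviews_read on interviews
  for select
  using (organisation_id in
         (select organisation_id from memberships where user_id = auth.uid()));

-- Write: only owners and recruiters, and only within their own organisation.
-- USING limits which existing rows may be updated or deleted; WITH CHECK
-- rejects any inserted or updated row carrying a foreign organisation_id.
create policy interviews_write on interviews
  for all
  using (exists (
    select 1 from memberships m
     where m.user_id = auth.uid()
       and m.organisation_id = interviews.organisation_id
       and m.role in ('owner', 'recruiter')))
  with check (exists (
    select 1 from memberships m
     where m.user_id = auth.uid()
       and m.organisation_id = interviews.organisation_id
       and m.role in ('owner', 'recruiter')));

-- An application query that forgets its tenant filter still returns only the
-- caller's organisation, because the database applies the policy, not the app:
select id, candidate_name from interviews;  -- no WHERE organisation_id = ... needed
```

These policies apply only to connections that present a user identity: Supabase's service_role key and Postgres superusers bypass row-level security, so server-side code running under them must enforce its own tenant checks.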

Penetration testing and audits

We conduct regular security reviews of our codebase and infrastructure. Dependency vulnerabilities are monitored continuously and patched promptly. We welcome responsible disclosure from the security community.

Incident response

In the event of a security incident, we will notify affected users within 72 hours as required by GDPR and Australian privacy regulations. We maintain an incident response plan and regularly review our processes.

Report a vulnerability

If you discover a security vulnerability in CandidReel, we appreciate your help in disclosing it responsibly. Please email us at security@candidreel.com with a detailed description of the issue, including steps to reproduce it if possible.

We will acknowledge receipt within 24 hours and aim to provide an initial assessment within 5 business days. We ask that you give us reasonable time to investigate and address the issue before making any public disclosure.

Learn more

For details on how we handle personal data, see our Privacy Policy. For questions about our security practices or to request a security questionnaire, contact security@candidreel.com.

Trusted by teams who care about security

Start screening candidates with enterprise-grade security from day one. Free plan included.
