Security

Security is not a feature. It's a foundation.

Your candidate data is sensitive. We treat it that way. Here's exactly how we keep it safe.

Encryption everywhere

  • AES-256 encryption for all data at rest
  • TLS 1.3 for all data in transit
  • Database fields encrypted at the column level
  • Encryption keys managed via hardware security modules (HSM)

Infrastructure security

  • Hosted on ISO 27001-certified infrastructure
  • Network-level firewall rules — minimal ingress by default
  • Container image scanning on every build
  • Automated vulnerability patching cycle (<48h for critical)

Access controls

  • Role-based access control (RBAC) at every layer
  • Multi-factor authentication enforced for admin accounts
  • Principle of least privilege for all internal systems
  • All admin actions logged and auditable

Compliance & auditing

  • GDPR compliant — DPA available on request
  • Annual third-party penetration testing
  • SOC 2 Type II audit in progress
  • Dedicated Data Protection Officer (DPO)

Common security questions

Where is my data stored?

All customer data is stored on servers located in the EU (Germany) or Asia-Pacific (Singapore) depending on your account region selection at signup. We do not transfer data outside your selected region without explicit consent.

Can your staff read my candidate data?

No SRP employee can access your candidate data unless you give explicit consent in connection with a support request. All access requests are gated behind a formal approval process and are logged.

What happens if there's a security incident?

In the event of a confirmed data breach, we will notify affected customers within 72 hours as required by GDPR. We will also provide a full post-mortem report and the steps taken to remediate.

Is SRP AI compliant in the EU?

Yes. Our AI systems operate under human oversight — all candidate scores are recommendations, and hiring decisions remain with humans. We monitor our models for bias and produce AI transparency documentation available on request.

Found a vulnerability?

We have a responsible disclosure programme. Report security findings to:

security@srpailabs.com

We acknowledge reports within 24 hours and aim to resolve critical issues within 72 hours.