Security FAQ
Q1: After plan cancellation, how long do you retain our information, how do you securely delete it, and do you provide proof of secure deletion?
Answer:
We retain customer data for 6 months following account cancellation to allow for account reactivation if needed. After this retention period, we perform complete deletion of all account information including:
- All customer data from production databases
- Backup systems and archives
- Log files containing personally identifiable information
Our deletion process includes:
- Irreversible removal from all systems
- Purging from backup retention cycles
- Verification of complete data removal
Upon request, we can provide a certificate of data destruction confirming secure deletion has been completed.
Q2: Before deletion, what is the process that will allow us to retrieve our information before the account is closed?
Answer:
Customers can export their data at any time before or during the 6-month retention period:
Self-Service Export:
- Customers can export all candidate-related data directly from the Candidates page
Additional Data Request:
For data not covered by self-service export tools, customers can request a full data archive from our support team. This service is provided on an hourly rate basis as additional service work. Pricing and timeline are available upon request from support.
We recommend using the self-service export functionality regularly to maintain your own backup copies of data.
Q3: What is your supplier security process to ensure the third-parties you use comply with security and confidentiality requirements?
Answer:
We maintain a minimal third-party footprint and only use reputable, certified vendors for essential services:
Vendors with Access to Customer Data:
- Cloud Infrastructure:
  - Hetzner Online GmbH (primary for EU customers, data centers in Germany; Hetzner publishes ISO 27001 certification for its data centers)
  - Amazon Web Services (primary for US, Canadian, and rest-of-world customers; SOC 2 Type II and ISO 27001 certified)
- Email Delivery: Postmark - Hosted on SOC 2 Type II certified infrastructure (AWS)
- SMS/Text Messaging: Twilio - SOC 2 Type II certified
- Payment Processing: Paddle - PCI-DSS SAQ A compliant
- Video Conferencing: Zoom - SOC 2 Type II certified (for interview scheduling integration)
- HR & Payroll Integration: Gusto - SOC 2 Type II certified (for candidate onboarding)
- AI / LLM Providers (for AI Score, AI Copilot, and AI Email Composer features):
  - OpenAI - SOC 2 Type II certified. Customer data is not used to train OpenAI models per their API data usage policy
  - Anthropic - SOC 2 Type II certified. Customer data is not used to train Anthropic models per their commercial terms
  - Google (Gemini API) - SOC 2 Type II and ISO 27001 certified. Customer data is not used to train Google models per their paid API terms
Service Providers Without Customer Data Access:
- Job Posting Platforms: We distribute public job descriptions to Indeed, Glassdoor, LinkedIn, ZipRecruiter, Google Jobs, Monster, Talent.com, Jooble, Adzuna, Jora, Trovit, Jobisjob, and Careerjet. These platforms receive only public job posting information, not candidate or customer data.
Vendor Security Requirements:
- All vendors with access to customer data maintain SOC 2 Type II, ISO 27001, or equivalent certification
- Vendors without appropriate security certifications do not receive access to customer data
- All vendors handling customer data must sign Data Processing Agreements (DPAs)
- We conduct security reviews before vendor approval
- Annual review of critical vendor security posture
Data Protection:
Customer and candidate data is only transmitted to certified vendors with appropriate security controls. Job boards receive only public job posting information without any personally identifiable information.
Q4: What security measures do you have in place to protect customer data (encryption, access control, etc.)?
Answer:
We implement comprehensive security measures across multiple layers:
Encryption:
- Data in Transit: TLS 1.2+ encryption for all network communications
- Data at Rest: AES-256 encryption for database storage
- SSL/TLS Certificates: Valid TLS certificates for all web services
- Secure Connections: All API and application connections encrypted
Access Control:
- SSH key-based authentication (password authentication disabled)
- Multi-factor authentication for security-sensitive systems
- Network firewall with strict port controls
- Role-based access control with principle of least privilege
Monitoring & Security:
- Intrusion prevention and detection systems (fail2ban)
- Real-time monitoring and alerting (Grafana)
- Comprehensive security event logging with 90-day retention
- Regular security assessments and vulnerability management
- Network segmentation between environments
Q5: Do you specify that disclosure and misuse of customer data is prohibited?
Answer:
Yes, we have multiple mechanisms in place to prohibit disclosure and misuse of customer data:
Legal & Contractual:
- Employee Agreements: All employees sign confidentiality and non-disclosure agreements upon hiring that explicitly prohibit unauthorized disclosure or misuse of customer data. These obligations survive termination of employment.
- Vendor Contracts: All third-party vendors sign agreements with strict confidentiality clauses and data protection requirements
- Data Processing Agreements: Available to customers upon request
Policy Framework:
- Privacy Policy: Publicly available policy explicitly prohibits unauthorized use or disclosure of customer information
- Terms of Service: Clear data protection commitments and prohibited uses
- Internal Security Policies: Documented data handling procedures and acceptable use policies
Enforcement:
- Training: Regular security awareness training for all employees
- Monitoring: Access logging and review to detect unauthorized access
- Consequences: Disciplinary measures up to and including termination for policy violations
- Breach Notification: Procedures for incident response and customer notification
All personnel with access to customer data are contractually bound to maintain confidentiality and face consequences for violations.
Q6: What is your process around notifying customers of information misuse, security breaches, and changes to your service offerings?
Answer:
We maintain transparent communication processes for all security-related events and service changes:
Security Incident & Breach Notification:
- Detection & Investigation: Immediate investigation upon detection of potential security incidents
- Timeline: Customer notification within 72 hours of confirmed data breach via email to registered contact
- Notification Contents:
  - Nature and scope of the incident
  - Data potentially affected
  - Timeline of the incident
  - Immediate actions taken
  - Mitigation steps implemented
  - Recommendations for customer action
- Follow-up: Detailed incident report provided within 7 days
Service & Feature Changes:
- Major Changes: 30-day advance notice via email for significant service modifications
- Emergency Changes: Immediate notification with explanation when security requires urgent action
Terms of Service Changes:
- Advance Notice: Minimum 30 days notice via email before changes take effect
- Change Summary: Clear explanation of what's changing and why
- Version History: Previous versions archived and accessible
Communication Channels:
- Primary: Email to registered account contact
- Support Portal: Detailed changelog and update history
All critical security notifications are sent to ensure customers are promptly informed of any issues affecting their data.
Q7: What access control measures have you put in place to prevent unauthorized access to customer information?
Answer:
We implement comprehensive access control measures across technical and administrative layers:
Technical Controls:
- SSH Key Authentication:
  - SSH key-based authentication exclusively - password authentication completely disabled
  - Private key infrastructure for all server access
  - Keys rotated regularly and upon personnel changes
- Firewall & Network Security:
  - Network firewall with strict allow-list rules
  - All ports secured except public web ports (80/443)
  - "Deny all by default" policy on network devices
  - Network segmentation between production and non-production environments
- Multi-Factor Authentication (MFA):
  - Required for all administrative functions
  - Implemented across security-sensitive systems
  - Required for all vendor and third-party access
- Application Security:
  - Role-based access control (RBAC) within applications
  - Session Management:
    - Regular user sessions: Extended persistence to optimize user experience
    - Administrative/privileged sessions: 30-minute timeout after inactivity for enhanced security
    - All sessions encrypted and monitored for suspicious activity
  - Account lockout after failed login attempts
  - Passwords stored only as industry-standard hashes, never in plaintext
Administrative Controls:
- Principle of Least Privilege: Users granted minimum access necessary for job functions
- Access Reviews: Quarterly review of user access rights
- Provisioning/De-provisioning:
  - Formal approval process for access requests
  - Immediate access revocation upon termination
  - Regular audit of active accounts
- Monitoring & Logging:
  - Comprehensive logging of all access attempts (successful and failed)
  - Real-time monitoring with Grafana
  - Intrusion prevention with fail2ban
  - Security event alerting for suspicious activities
  - Log retention minimum 90 days with restricted access to modify logs
- Physical Security:
  - Physical access controls and monitoring
All access is logged, monitored, and regularly reviewed to prevent and detect unauthorized access attempts.
Q8: Do you have a documented incident response plan, disaster recovery plan, and business continuity plan?
Answer:
Yes, we maintain documented procedures for operational continuity:
Incident Response:
- Security incident detection and response procedures
- Customer notification process (72-hour breach notification)
- Escalation and communication protocols
Disaster Recovery:
- Automated backup procedures with regular testing
- System restoration processes
- Database and application recovery procedures
Business Continuity:
- Service continuity procedures during disruptions
- Critical system dependencies documented
- Vendor failover contingencies
These procedures are reviewed and updated regularly to ensure effective response to incidents and service continuity.
Q9: Do you permit customers to perform periodic reviews, due diligence and audit reviews as needed?
Answer:
Yes, we support security assurance activities for Enterprise customers:
For Enterprise Customers:
- Security Questionnaires: We respond to enterprise customer security assessments and due diligence questionnaires
- Documentation Review: Security policies and procedures available for review under mutual NDA
- Evidence Sharing: We provide evidence of security controls upon request (screenshots, configurations, sample logs)
- Virtual Security Reviews: Security review calls with our technical team available
- Audit Support: We cooperate with customer security audits and provide necessary documentation
Process:
- Enterprise customer submits security review request to account manager
- We provide requested documentation under appropriate confidentiality agreements
- Follow-up calls scheduled as needed to address questions
- Ongoing availability for periodic reviews (annual or as needed)
SOC 2 Status:
100Hires is currently in the process of obtaining SOC 2 Type II attestation. In the interim, this FAQ documents the controls that map to SOC 2's Trust Services Criteria (Security, Availability, Confidentiality) and can be used to complete your own internal security assessments and vendor questionnaires.
For Standard Customers:
Customers on standard plans can use this documentation as the basis for internal security reviews. Customers requiring formal attestation or additional evidence are welcome to contact us about the Enterprise security review options listed above.
We understand the importance of security transparency and work collaboratively with our Enterprise customers to address their security assurance requirements.
Q10: Do you have cybersecurity or any other insurance coverage that ensures the protection of customer information?
Answer:
We are currently evaluating cyber insurance options as part of our risk management strategy. In the meantime, we maintain robust security measures and reserved funds to address potential security incidents. Our multi-layered technical controls (encryption, firewalls, intrusion prevention) and documented incident response procedures ensure customer data protection and rapid response to any security events.
Q11: What is your process for providing information regarding service and term changes to customers?
Answer:
We maintain transparent communication for all service and terms changes:
Terms of Service Changes:
- Advance Notice: Minimum 30 days advance notice via email before any changes take effect
- Change Summary: Clear, plain-language explanation of what's changing and why
- Version Control: Previous versions of terms archived and accessible for reference
- Acceptance: Continued use constitutes acceptance, with option to cancel if unacceptable
Major Service Changes:
- 30-Day Notice: Advance notification via email for significant feature changes or service modifications
- Impact Assessment: Clear communication of how changes affect customer usage
- Migration Support: Assistance provided for any required customer actions
Minor Service Updates:
- In-App Notifications: Updates displayed within the application
- Changelog: Detailed changelog maintained and accessible
- Release Notes: Documentation of new features and improvements
API and Integration Changes:
- 90-Day Deprecation Notice: Extended notice period for API changes affecting integrations
- Developer Documentation: Updated technical documentation
- Migration Guides: Step-by-step guidance for required changes
Emergency Changes:
- Immediate Notification: Prompt communication when security or critical issues require urgent action
- Explanation: Clear reasoning for emergency changes
- Follow-up: Detailed information provided as soon as available
Communication Channels:
- Primary: Email to registered account administrator
- Secondary: In-application notifications
- Status updates: Service status page for operational changes
All customers receive timely, clear communication about changes that may affect their use of our services, with adequate time to review and respond to significant changes.
Q12: What background screening process do you have for employees and contractors?
Answer:
We perform comprehensive background screening for all new hires and contractors before granting access to systems and data. Our screening process includes:
- Criminal background checks
- Civil litigation and media research checks
- Resume and curriculum vitae verification
- Right-to-work verification checks
All personnel with access to customer data must successfully complete background screening before being granted system access.
Q13: What are your vulnerability remediation timelines for security issues?
Answer:
We maintain strict remediation timelines based on vulnerability severity:
- Critical Issues: Immediate remediation within 24 hours
- High Severity: Fixed within 7 days
- Medium Severity: Remediated within 30 days
- Low Severity: Addressed within 90 days
Vulnerability Scanning Coverage:
- Infrastructure security scanning
- Application-level vulnerability assessments
- Network security reviews
- Periodic manual security assessments and penetration testing
Tools Used: Periodic manual security checking, fail2ban for real-time threat detection, Grafana for continuous monitoring.
Q14: Describe your logging and monitoring capabilities
Answer:
We maintain comprehensive logging and monitoring infrastructure:
Event Logging:
- Administrator and security event logs for all systems
- Log retention: Minimum 90 days
- Access to modify logs is strictly restricted
- Logs capture critical security events including access attempts, account changes, and privileged activities
Monitoring Tools:
- Grafana for centralized monitoring and real-time alerting
- fail2ban for security event detection and automated response
- Logs available to customers upon request
Q15: How is multi-factor authentication implemented in your environment?
Answer:
Multi-factor authentication (MFA) is enabled for all security-sensitive parts of our system:
Coverage Areas:
- Administrative access to all systems
- Critical application functions
- Third-party vendor access points
- Remote access to infrastructure
- Access to customer data repositories
MFA is mandatory for all privileged accounts and enforced across security-sensitive operations to prevent unauthorized access.
Q16: What security practices do you follow in software development?
Answer:
We implement security throughout the software development lifecycle:
Automated Security Testing:
- Source code security scanning tools integrated into development workflow
- Automated vulnerability detection during code commits
- Dependency vulnerability scanning
Pre-Production Security:
- All identified security issues must be remediated before production release
- Security review required for all code changes
- No deployment to production with known security vulnerabilities
Testing and Quality Assurance:
- Security testing integrated into CI/CD pipeline
- Code review process includes security considerations
- Penetration testing performed on application updates
Q17: Who owns the data customers upload to 100Hires, and is customer data used to train AI models?
Answer:
Customer Data Ownership:
Customers retain full ownership of all data they upload to or generate within 100Hires, including candidate profiles, resumes, notes, evaluations, messages, and any other content. 100Hires processes this data solely to provide the service to the customer and for the limited purposes set out in our Terms of Service and Data Processing Addendum. We do not sell, license, or otherwise transfer customer data to third parties for marketing, analytics, or model-training purposes.
No Training on Customer Data:
100Hires does not use customer data to train its own AI or machine-learning models.
When customer data is sent to AI sub-processors (OpenAI, Anthropic, Google) to power features such as AI Score, AI Copilot, and AI Email Composer, we use API endpoints and commercial agreements under which those providers contractually commit not to train their foundation models on customer prompts or completions. Each of these providers offers a no-training commitment for paid API usage, and 100Hires operates exclusively under those paid-tier commercial terms.
Customers who prefer not to send any data to third-party AI providers can disable AI features entirely at the account level.
EU Privacy Compliance (GDPR)
Q18: How does 100Hires support customer compliance with GDPR?
Answer:
100Hires acts as a data processor under Article 28 of the General Data Protection Regulation (GDPR) when processing candidate personal data on behalf of customers (data controllers).
Roles:
- You (the customer) act as the data controller, determining the purposes and means of processing.
- 100Hires acts as the data processor, handling candidate data on your behalf under the terms of our Data Processing Addendum (DPA).
Product capabilities that support your compliance:
- Configurable data retention (1 to 60 months) with automatic deletion after expiry
- Lawful-basis and consent tracking per candidate, with full audit trail
- Right-of-access, right-to-rectification, right-to-erasure, and data portability support via candidate data export and "Remove candidate profile"
- Privacy policy URL displayed on consent request pages
- Role-based access control within hiring teams
- AI features can be disabled at the account level for roles or jurisdictions that restrict automated tools
Data residency:
EU customer data is hosted in Hetzner data centers located in Germany. Certain sub-processors listed in Q3 (email delivery, SMS, video, HR integration, and AI/LLM providers) may process limited data outside the EU.
International transfers:
For sub-processor transfers outside the EU, 100Hires relies on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. Each sub-processor with access to customer data has executed a Data Processing Agreement with 100Hires.
Breach notification:
100Hires will notify customers of a personal data breach without undue delay and within 72 hours of confirmation, in line with Article 33 of GDPR.
DPA:
A GDPR-compliant DPA, including SCCs for international transfers, is available on request from privacy@100hires.com.
Canadian Privacy Compliance
The following section describes how 100Hires supports customer compliance with Canadian privacy laws: the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Law 25, Alberta PIPA, British Columbia PIPA, and the Canadian Anti-Spam Legislation (CASL).
Q19: How does 100Hires support customer compliance with PIPEDA, Quebec Law 25, Alberta PIPA, and BC PIPA?
Answer:
100Hires provides the security, privacy, and product controls customers need to meet their own obligations under PIPEDA, Quebec Law 25, Alberta PIPA, and BC PIPA. The controls described in this FAQ - including encryption, access management, retention configuration, breach notification commitments, and vendor oversight - are designed to support these obligations.
Shared responsibility:
- You (the customer) determine the purposes for which personal information is collected and how it is used. Under PIPEDA you are the organization responsible for the personal information; under Quebec Law 25 you are the "person carrying on an enterprise".
- 100Hires handles candidate data on your behalf as your service provider, under the terms of our Data Processing Addendum (DPA) and Terms of Service.
Product capabilities that support your compliance:
- Configurable data retention (1 to 60 months) with automatic deletion after expiry
- Consent capture, renewal, and audit trail per candidate
- Right-to-erasure handling via "Remove candidate profile"
- Candidate data export (CSV) to support access and portability requests
- Privacy policy URL displayed on consent request pages
- Role-based access control within hiring teams
- AI features can be disabled at the account level for jurisdictions or roles that restrict the use of automated tools
A DPA addressing PIPEDA and Quebec Law 25 terms is available on request from privacy@100hires.com. For access, correction, or deletion requests submitted by your candidates, we will assist you in fulfilling the request as required by our DPA.
Q20: Where is customer data physically stored?
Answer:
Customer data is hosted on regional infrastructure based on the customer's primary location:
- EU customers: Hetzner Online GmbH data centers located in Germany. Hetzner publishes ISO 27001 certification for its data centers.
- US, Canadian, and rest-of-world customers: Amazon Web Services infrastructure located in the United States. AWS is SOC 2 Type II and ISO 27001 certified.
All data in both locations is encrypted in transit (TLS 1.2+) and at rest (AES-256).
For Canadian customers, candidate data is therefore hosted in the United States. For EU customers, candidate data is hosted within the European Union; note that certain sub-processors used for transactional email, SMS, video, and HR integrations (listed in Q3) may process limited data outside the EU under appropriate safeguards.
Q21: For Quebec customers, how does 100Hires support Law 25 cross-border transfer obligations?
Answer:
Quebec Law 25 (article 17) requires the customer, as the person carrying on an enterprise, to conduct a privacy impact assessment (PIA) before communicating personal information outside Quebec. The PIA weighs the sensitivity of the information, the purposes of the transfer, the protective measures in place, and the legal framework of the destination jurisdiction.
Canadian customer data, including data of candidates resident in Quebec, is hosted on AWS infrastructure in the United States. To support our customers' PIAs, 100Hires provides:
- AWS's industry-recognized security certifications (SOC 2 Type II, ISO 27001)
- Contractual data protection terms in our DPA
- The technical and organizational controls described elsewhere in this FAQ, including AES-256 encryption at rest, TLS 1.2+ in transit, MFA on all privileged access, 90-day audit logging, and 72-hour breach notification
- 100Hires's service-provider commitments under PIPEDA and Quebec Law 25
A short Privacy Impact Assessment input document, suitable for inclusion in a Quebec customer's own Law 25 PIA, is available on request from privacy@100hires.com.
Q22: Who is your Privacy Officer?
Answer:
Consistent with PIPEDA section 4.1.1 and Quebec Law 25 article 3.1:
- Privacy Officer: Alex Kravets, Founder & CEO
- Email: privacy@100hires.com
The Privacy Officer is responsible for overseeing 100Hires's privacy obligations, supporting customers with access and correction requests, and handling complaints under Canadian privacy laws.
Q23: How does 100Hires support CASL compliance for candidate outreach?
Answer:
When you use 100Hires to send commercial electronic messages to candidates in Canada (such as nurture campaigns, sourcing emails, or marketing communications), you remain the sender under the Canadian Anti-Spam Legislation (CASL). 100Hires provides the controls required to operate a CASL-compliant program:
- Unsubscribe links: Automatically included in nurture campaign and bulk email templates.
- Sender identification: Company name and contact information fields in email templates.
- Suppression: Once a candidate unsubscribes, further commercial messages from your account are suppressed.
- Consent records: Candidate consent status is tracked per profile.
You are responsible for obtaining express or implied consent before sending CASL-regulated messages, for honoring unsubscribe requests within the 10-business-day window CASL requires, and for ensuring message content meets CASL's identification and unsubscribe requirements. Direct correspondence in response to a candidate's application is generally outside CASL's commercial-message scope.
Q24: How does 100Hires handle automated decision-making under Quebec Law 25 article 12.1?
Answer:
Quebec Law 25 article 12.1 requires that, when a decision based exclusively on automated processing of personal information is used, the individual must be informed and given the opportunity to submit observations to a person able to review the decision.
100Hires offers AI-assisted features (AI Score, AI Copilot, AI Email Composer) that support recruiter decision-making. These features are designed as follows to support customer compliance with Law 25 article 12.1:
- Designed for human review: AI features in 100Hires produce recommendations, scores, and drafts intended to be reviewed by a human recruiter before a hiring decision is taken. The platform's AI features do not auto-reject or auto-hire candidates.
- Customer control: AI features can be disabled at the account level, allowing customers operating in Quebec or other jurisdictions with strict automated-decision rules to opt out entirely.
- Transparency for candidates: Customers who wish to disclose the use of AI assistance in their hiring process can include this information in their privacy notice or in candidate-facing communications. We provide template language on request.
Note that knockout-question logic, if configured by the customer, can automatically disqualify candidates based on screening answers. Customers using knockout questions for Quebec applicants should review whether their configuration constitutes an exclusively automated decision under article 12.1 and provide the disclosures and review rights the law requires.
For guidance on implementing candidate-facing disclosure of AI usage, contact privacy@100hires.com.
Summary of Key Points
Data Protection:
- 6-month retention post-cancellation
- Complete data deletion with proof available
- Self-service candidate data export available from Candidates page
- Additional data services available on hourly rate basis
- Customers retain full ownership of all uploaded data; no use of customer data to train AI models
Security Measures:
- TLS 1.2+/AES-256 encryption
- SSH keys + MFA for all security-sensitive systems
- Firewall + intrusion prevention (fail2ban)
- Grafana monitoring + 90-day log retention
- All ports secured except 80/443
- DKIM, SPF, DMARC configured
Access Control:
- Multi-factor authentication on critical systems
- "Deny all" by default firewall policy
- Comprehensive event logging
- Background checks for all personnel
Vulnerability Management:
- Periodic security assessments
- Defined remediation timelines (Critical: 24hrs, High: 7 days)
- Infrastructure, application, and network scanning
- Pre-production security remediation
Third-Party Management:
- 9 vendors with customer data access (all SOC 2/PCI-DSS certified), including AI sub-processors OpenAI, Anthropic, and Google
- AI sub-processors contractually prohibited from training foundation models on customer data
- Job boards receive only public job postings (no customer data)
- DPAs required for all vendors with data access
- Annual vendor security reviews
Incident Response:
- 72-hour breach notification
- Security incident procedures documented
- Email + support portal communication
- 30-day advance notice for service changes
Customer Assurance:
- Security questionnaires answered (Enterprise customers)
- Documentation available under NDA (Enterprise customers)
- Audit support and security reviews (Enterprise customers)
- SOC 2 Type II attestation in progress; this FAQ maps to SOC 2 Trust Services Criteria in the interim
Insurance:
- Evaluating cyber insurance options
- Strong technical/operational controls in place
- Reserved incident response funds
EU Privacy Compliance (GDPR):
- 100Hires acts as a data processor under Article 28 of GDPR
- EU customer data hosted in Hetzner data centers in Germany
- International sub-processor transfers governed by Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework where applicable
- 72-hour breach notification per Article 33
- GDPR-compliant DPA available on request
Canadian Privacy Compliance:
- Controls support customer compliance with PIPEDA, Quebec Law 25, Alberta PIPA, and BC PIPA
- US/Canadian customer data hosted in AWS US
- Privacy Officer: Alex Kravets, privacy@100hires.com
- CASL controls: unsubscribe, sender identification, and suppression in email templates
- AI features designed for human-in-the-loop review and can be disabled at the account level
Updated on: 15/05/2026
