Security Policy
Our commitment to security and responsible vulnerability disclosure
Last updated: November 30, 2024 | Version 1.0
Security is fundamental to CandidateHub. This policy explains our security practices and provides guidelines for reporting security vulnerabilities responsibly.
Our Security Commitment
Core Principles
- Defense in Depth: Multiple layers of security controls
- Least Privilege: Users and systems have minimal necessary permissions
- Regular Assessment: Continuous security testing and evaluation
- Continuous Monitoring: Real-time detection of security issues
- Employee Training: Regular security awareness for our team
Infrastructure Security
- Data Encryption: AES-256 encryption for data at rest
- Transport Security: TLS 1.2+ for all data in transit
- Cloud Security: Hosting and managed services provided by Vercel, Supabase, and Render
- Regular Patching: Timely security updates for all systems
- Access Logging: Comprehensive logging and monitoring of data access
Application Security
- Secure Development: Secure development lifecycle (SDLC) with security reviews
- Input Validation: Protection against injection attacks
- Output Encoding: Prevention of cross-site scripting (XSS) vulnerabilities
- Authentication: Secure password handling and session management
- Dependency Management: Regular updates and security scanning of third-party dependencies
Vulnerability Disclosure Program
Scope: In Scope
- ✓ *.aicandidatehub.com domains
- ✓ CandidateHub web application
- ✓ CandidateHub API
- ✓ Authentication and authorization systems
- ✓ Data protection and privacy controls
Scope: Out of Scope
- ✗ Third-party services (Supabase, Vercel, Render, Google, Polar)
- ✗ Physical security testing
- ✗ Social engineering attacks
- ✗ Denial of service attacks
- ✗ Spam, phishing, or malware testing
- ✗ Testing without prior authorization
How to Report a Vulnerability
Email us:
Please include:
- Detailed description of the vulnerability
- Step-by-step reproduction instructions
- Potential impact assessment
- Your contact information
- Your preferred communication method
What to Expect
- Acknowledgment: Within 3 business days
- Initial Assessment: Within 10 business days
- Regular Updates: Progress updates every 10 days
- Resolution Notification: When the issue is fixed
Safe Harbor Provisions
We Commit To:
- ✓ Not pursue legal action for good-faith security research conducted under this policy
- ✓ Work with you to understand and resolve issues
- ✓ Recognize your contribution (with your permission)
- ✓ Not disclose your information without consent
- ✓ Provide timely communication about progress
You Agree To:
- Act in good faith, with security research as your only goal
- Avoid privacy violations and data theft
- Avoid data destruction or modification
- Not access other users' data
- Not disrupt or degrade service availability
- Give us reasonable time to fix the issue (at least 90 days from your report)
- Not publicly disclose the issue before that time has passed or the issue has been fixed
Recognition
Researchers who responsibly disclose vulnerabilities may be recognized in our security researchers hall of fame (with permission). We currently offer Hall of Fame recognition rather than monetary rewards.
Incident Response
Detection
- Automated monitoring and alerting systems
- Log analysis and anomaly detection
- User-reported security issues
- Third-party notifications (service providers)
Response Process
1. Triage and assessment of the incident
2. Containment measures to prevent further impact
3. Investigation to determine scope and cause
4. Remediation and patching of vulnerabilities
5. Notification to affected parties (if required)
6. Post-incident review and prevention measures
Data Breach Notification
In the event of a data breach affecting user data:
- GDPR (EU): Notification to the supervisory authority within 72 hours of becoming aware of the breach
- PDPA (Singapore): Notification to the Personal Data Protection Commission within 3 calendar days of assessing that the breach is notifiable
- Users: Notification as soon as practicable, with clear guidance on what happened and what to do
- Status Page: Real-time updates on resolution progress
Data Protection
Data Handling Principles
- Minimization: Collect only necessary data
- Purpose Limitation: Use data only for stated purposes
- Secure Storage: Encrypt sensitive data at rest
- Secure Transmission: Use TLS for all data in transit
- Access Controls: Regular review of data access permissions
Third-Party Security
- Security assessment of all sub-processors
- Contractual security requirements (Data Processing Agreement, DPA)
- Regular compliance verification
- Review of sub-processors' security certifications (SOC 2, ISO 27001)
Contact Information
Updates to This Policy
We may update this policy as our security practices evolve. Material changes will be announced. Continued use of our service constitutes acceptance of policy changes.
© 2026 New Indigo Solutions. All rights reserved. This Security Policy reflects our commitment to protecting user data and responsible security practices.