Enterprise-Grade Security at $1/Month
Your candidate data deserves the same protection as Fortune 500 companies get. We believe security isn't a premium feature - it's a fundamental right.
We Take Security Seriously (Even at $1/Month)
Just because we charge $1/month doesn't mean we cut corners on security. Every line of candidate data you store with us is protected with the same enterprise-grade security that companies pay $500/month for.
We keep costs low through automation and efficiency, not by skimping on security. Your trust is worth more than our profit margin.
Data Encryption
Military-grade encryption protects your data at rest and in transit
Encryption at Rest
All candidate data, CVs, and personal information are encrypted using AES-256 encryption standard - the same encryption used by governments and banks worldwide.
- Database encryption with AES-256-GCM
- File storage encryption (CVs, documents)
- Automatic encryption key rotation
- Separate encryption keys per company (multi-tenant isolation)
Encryption in Transit
Every connection to Ryan Recruit is secured with TLS 1.3 encryption - the latest and most secure transport layer security protocol.
- TLS 1.3 with perfect forward secrecy
- HTTPS-only (no HTTP fallback)
- A+ SSL rating (verified by SSL Labs)
- HSTS enabled (HTTP Strict Transport Security)
What This Means for You
Even if someone physically stole our hard drives, they couldn't read your data without the encryption keys (which are stored separately and rotated regularly). Your candidate data is mathematically protected.
Authentication & Access Control
Multi-layered security ensures only authorized users access your data
JWT Token Authentication
Industry-standard JSON Web Tokens with a 15-minute expiry and a secure refresh mechanism. Tokens are signed and verified on every request.
Secure Password Hashing
Passwords are hashed using bcrypt with a work factor of 12 and a unique salt per password. We never store plaintext passwords. Even we can't see your password.
MFA (Coming Soon)
Multi-factor authentication with TOTP (Google Authenticator, Authy) launching Q2 2024. Optional but recommended.
Role-Based Access Control (RBAC)
Fine-grained permissions ensure team members only see what they need to see:
- Admin: Full system access, user management, billing
- Hiring Manager: Manage jobs, view candidates, schedule interviews
- Recruiter: View assigned candidates, update pipeline
- Interviewer: View candidates for scheduled interviews only
- Read-Only: View-only access to reports and analytics
- Custom Roles: Define your own permission sets
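To illustrate how the roles above translate into enforceable checks, here is an added example (not Ryan Recruit's own code) of a minimal role-based access check; the permission names, the `User` and `Candidate` shapes, and the rule that Recruiters only see assigned candidates and Interviewers only candidates they are scheduled to interview are assumptions drawn from the role descriptions.

```python
# Added example, not the product's code: role permissions plus the
# per-object scoping that "assigned" and "scheduled interviews only" imply.
from dataclasses import dataclass, field

# Permission sets per role, derived from the role descriptions above.
ROLE_PERMISSIONS = {
    "admin": {"manage_users", "billing", "manage_jobs", "view_candidate",
              "schedule_interview", "update_pipeline", "view_reports"},
    "hiring_manager": {"manage_jobs", "view_candidate",
                       "schedule_interview", "view_reports"},
    "recruiter": {"view_candidate", "update_pipeline"},
    "interviewer": {"view_candidate"},
    "read_only": {"view_reports"},
}

@dataclass
class User:
    user_id: str
    role: str
    custom_permissions: set = field(default_factory=set)  # used by "Custom Roles"

@dataclass
class Candidate:
    candidate_id: str
    assigned_recruiter: str
    interviewers: set = field(default_factory=set)  # users with a scheduled interview

def permissions_for(user):
    """Resolve a user's permission set; unknown roles fail closed (no access)."""
    if user.role == "custom":
        return user.custom_permissions
    return ROLE_PERMISSIONS.get(user.role, set())

def can(user, action):
    """Plain role check for actions that are not tied to a specific record."""
    return action in permissions_for(user)

def can_view_candidate(user, candidate):
    """Role check first, then the object-level scoping the role descriptions require."""
    if "view_candidate" not in permissions_for(user):
        return False
    if user.role == "recruiter":
        return candidate.assigned_recruiter == user.user_id
    if user.role == "interviewer":
        return user.user_id in candidate.interviewers
    return True  # admin, hiring manager, custom roles: no per-record restriction
```

The point of the second function is that role membership alone is not enough for record-level data: a Recruiter who holds `view_candidate` must still be denied any candidate not assigned to them.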
Compliance & Privacy
We comply with international data protection regulations
GDPR Compliant
Full compliance with the General Data Protection Regulation (GDPR), ensuring candidate data rights are protected.
- Right to Access: Candidates can request their data
- Right to Erasure: Delete candidate data on request
- Right to Portability: Export data in machine-readable format
- Data Processing Agreements: Available for enterprise customers
- Consent Management: Track and manage candidate consent
Data Residency & Retention
Your data stays where you need it to stay, and we only keep it as long as you want.
- EU Data Centers: Data stored in EU-based servers (GDPR requirement)
- US Data Centers: Option for US-based companies
- Retention Policies: Automatic data deletion 90 days after account closure
- Backup Encryption: All backups encrypted with separate keys
- Secure Deletion: Data is cryptographically wiped (not just marked deleted)
Working Toward SOC 2 Type II
We're currently undergoing SOC 2 Type II certification - the gold standard for SaaS security and compliance. Expected completion: Q3 2024. We already meet the technical requirements; we're just completing the audit process.
Security Certifications & Standards
Third-party verified security and infrastructure
SSL/TLS Certificate
A+ Rating from SSL Labs. Extended Validation (EV) certificate with 256-bit encryption.
SOC 2 Infrastructure
Hosted on Railway.app infrastructure, which maintains SOC 2 Type II certification.
Regular Security Audits
Quarterly penetration testing and annual security audits by third-party security firms.
Automated Vulnerability Scanning
Continuous dependency scanning with Snyk and Dependabot. Critical patches deployed within 24 hours.
Mandatory Code Review
100% code review requirement. No code reaches production without security review.
Incident Response Plan
Documented incident response procedures. Customers notified within 72 hours of any breach.
Responsible Vulnerability Disclosure
Found a security issue? We want to hear from you.
Our Commitment to Security Researchers
We believe security researchers make the internet safer for everyone. If you discover a vulnerability in Ryan Recruit, we want to work with you to fix it responsibly.
How to Report a Vulnerability
Email us at:
security@ryan-recruit.com
Include in your report:
- Detailed description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any proof-of-concept code (optional)
We will respond within:
- 24 hours: Initial acknowledgment
- 72 hours: Preliminary assessment
- 7 days: Patch timeline and severity rating
We will:
- Work with you to understand and validate the issue
- Keep you updated on our remediation progress
- Credit you in our security acknowledgments (if desired)
- Consider your report for our bug bounty program (launching 2024)
Responsible Disclosure Guidelines
Please do not:
- Publicly disclose the vulnerability before we've patched it
- Access or modify user data beyond what's necessary to demonstrate the issue
- Perform actions that could degrade our service (DoS attacks)
- Use automated scanners that generate excessive traffic
Safe harbor: We will not pursue legal action against security researchers who follow these guidelines.
Security Hall of Fame
We publicly thank security researchers who help us improve (with their permission). Check our Security Hall of Fame.
Security Best Practices for Users
Security is a shared responsibility - here's how you can protect your account
Use Strong, Unique Passwords
Minimum 12 characters with uppercase, lowercase, numbers, and symbols. Use a password manager like 1Password or Bitwarden.
Enable MFA (When Available)
Multi-factor authentication adds an extra layer of security. We're launching MFA support in Q2 2024 - enable it immediately.
Review Team Access Regularly
Audit who has access to your account monthly. Remove former employees and contractors immediately.
Watch for Phishing Attempts
We will NEVER ask for your password via email. Always verify URLs before logging in. Report suspicious emails to security@ryan-recruit.com.
Keep Your Browser Updated
Use the latest version of Chrome, Firefox, Safari, or Edge. Enable automatic updates for security patches.
Use Secure Networks
Avoid public Wi-Fi when accessing sensitive data. Use a VPN if you must work from coffee shops or airports.
Log Out on Shared Devices
Always log out if using a shared or public computer. Enable auto-logout after 15 minutes of inactivity.
Monitor Account Activity
Check your account activity log regularly. Report any suspicious login attempts immediately.
Regular Data Backups
Export your data monthly using our backup feature. Store backups securely offline for disaster recovery.
Security Resources & Documentation
Security Whitepaper
Detailed technical documentation of our security architecture, encryption methods, and compliance standards.
Coming Soon - Q2 2024
Privacy Policy
Learn how we collect, use, and protect your personal data and candidate information.
Read Privacy Policy
Terms of Service
Our legal terms, service guarantees, and your rights as a Ryan Recruit customer.
Read Terms of Service
Data Processing Agreement (DPA)
GDPR-compliant DPA for enterprise customers. Available upon request for accounts with 10+ users.
Request DPA
Security Questions?
We're transparent about our security practices. If you have questions about how we protect your data, we're happy to answer.
General Security Inquiries:
security@ryan-recruit.com
Vulnerability Reports:
security@ryan-recruit.com
Enterprise Security Questions:
ryan@ryanrecruit.com
Average response time: 24 hours for general inquiries, same-day for vulnerability reports.