LevelHire

Security

Security is a core part of how LevelHire is built. This page describes our security practices, infrastructure, and how to report a vulnerability.

At a glance:

  • TLS in transit: all traffic is encrypted with TLS 1.2 or higher.
  • Encrypted at rest: AES-256 database encryption.
  • Row-level security: PostgreSQL RLS on all tables.
  • No plaintext passwords: authentication via Supabase tokens; passwords exist only as bcrypt hashes.
  • No camera uploads: camera frames are processed locally in the browser only.

Infrastructure Security

LevelHire is hosted on Vercel (application layer) and Supabase (database layer), both of which maintain comprehensive security certifications and practices:

  • Transport security: All connections to LevelHire use TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS.
  • Database encryption: Data at rest is encrypted using AES-256. Supabase uses AWS RDS with encryption enabled at the storage level.
  • Row-level security (RLS): PostgreSQL row-level security policies ensure that each company can only access its own data. Even in the event of an application-layer bug, data isolation is enforced at the database level.
  • Network isolation: Database connections are restricted to application services. Direct public database access is disabled.
  • DDoS protection: Provided by Vercel's edge network and infrastructure layer.

Authentication and Access Control

  • Authentication: User authentication is handled by Supabase Auth, which issues industry-standard JSON Web Tokens (JWTs). Passwords are hashed with bcrypt and never stored in plaintext.
  • Session management: Sessions expire after a configurable period of inactivity. Refresh tokens are rotated on each use.
  • Role-based access control: Company accounts use role-based access (Admin, Hiring Manager, Recruiter) that restricts what each user can see and do within the platform.
  • Candidate tokens: Candidates access their assessments via unique, cryptographically random, time-limited tokens. Each token is single-use and expires 7 days after issue.
  • API keys: API keys for integrations are stored only as hashed values, so a copy of the database does not yield usable keys. The plaintext key is shown once, at creation, and cannot be retrieved afterwards.
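The candidate-token and API-key items above describe the same storage pattern: keep only a hash of the secret, hand the plaintext out once, and for single-use tokens consume them atomically. The following is an added example of that pattern in PostgreSQL (the database layer the page describes); it is not LevelHire's schema or code. It assumes the pgcrypto extension and the two tables, column names and function names defined here, all of which are illustrative.

```sql
-- Added example, not LevelHire's code. Assumes pgcrypto (available on
-- Supabase) and the illustrative tables api_keys and candidate_tokens.
create extension if not exists pgcrypto;

create table api_keys (
  id          uuid primary key default gen_random_uuid(),
  company_id  uuid not null,
  key_prefix  text not null,         -- first characters, for display only
  key_hash    bytea not null unique, -- sha256 of the full plaintext key
  created_at  timestamptz not null default now(),
  revoked_at  timestamptz
);

create table candidate_tokens (
  token_hash      bytea primary key, -- sha256 of the token in the email link
  assessment_id   uuid not null,
  candidate_email text not null,
  expires_at      timestamptz not null,
  used_at         timestamptz
);

-- Mint an API key. The plaintext is returned exactly once; the table only
-- ever holds its hash plus a short prefix so the key can be recognised.
create function issue_api_key(p_company uuid, out key_id uuid, out plaintext text)
language plpgsql as $$
begin
  -- 32 random bytes, base64 made URL-safe, behind a recognisable prefix
  plaintext := 'lh_' || translate(encode(gen_random_bytes(32), 'base64'), '+/=', '-_');
  insert into api_keys (company_id, key_prefix, key_hash)
  values (p_company, left(plaintext, 8), digest(plaintext, 'sha256'))
  returning id into key_id;
end $$;

-- Verify a presented key: hash it and look the hash up. Returns the owning
-- company, or NULL for an unknown or revoked key.
create function company_for_api_key(p_key text) returns uuid
language sql stable as $$
  select company_id from api_keys
  where key_hash = digest(p_key, 'sha256') and revoked_at is null
$$;

-- Issue a candidate token valid for 7 days. The plaintext goes into the
-- assessment link; only the hash is stored.
create function issue_candidate_token(p_assessment uuid, p_email text) returns text
language plpgsql as $$
declare
  tok text := encode(gen_random_bytes(32), 'hex');
begin
  insert into candidate_tokens (token_hash, assessment_id, candidate_email, expires_at)
  values (digest(tok, 'sha256'), p_assessment, p_email, now() + interval '7 days');
  return tok;
end $$;

-- Consume a token: a single UPDATE checks expiry and the unused state and
-- marks the row used, so two concurrent requests cannot both succeed.
-- Returns the assessment id on success, no row otherwise.
create function consume_candidate_token(p_token text) returns uuid
language sql as $$
  update candidate_tokens
     set used_at = now()
   where token_hash = digest(p_token, 'sha256')
     and used_at is null
     and expires_at > now()
  returning assessment_id
$$;

-- Usage (illustrative ids):
--   select * from issue_api_key('00000000-0000-0000-0000-000000000010');
--   select company_for_api_key('lh_...');   -- paste the plaintext shown once
--   select consume_candidate_token(
--     issue_candidate_token('00000000-0000-0000-0000-000000000020', 'c@example.com'));
--   a second consume_candidate_token call with the same token returns no row.
```

Two design points worth noting. A plain SHA-256 (rather than bcrypt) is the right hash for these secrets: they are 256 bits of randomness, so there is nothing for an attacker holding the table to brute-force, and a fast hash keeps the lookup a single indexed equality. Single-use must be enforced in the same statement that checks the token; a separate SELECT followed by an UPDATE lets two requests racing on the same link both pass the check.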

Data Handling and Privacy

  • Camera data: When a candidate enables the optional camera preview, video is processed entirely within the candidate's browser using the Web MediaDevices API. No camera frames are uploaded, transmitted, or stored on LevelHire servers.
  • Candidate responses: Assessment responses are transmitted to our AI provider (Anthropic) via an encrypted API connection for evaluation. Anthropic does not retain this data for model training without explicit consent.
  • Data segregation: Each company's data is strictly segregated at the database level using RLS policies. Cross-company data access is architecturally prevented.
  • Logging: Application logs are retained for 30 days and contain no sensitive personal data (passwords, full responses, or assessment content).
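The row-level security items in the Infrastructure Security and Data Handling sections both rest on PostgreSQL evaluating a per-company policy on every query. The block below is an added example of how such policies look on Supabase; it is not LevelHire's schema. The tables companies, company_members and assessments and the policy names are illustrative; auth.uid() and the authenticated role are Supabase's own.

```sql
-- Added example, not LevelHire's schema. Assumes Supabase, where auth.uid()
-- returns the sub claim of the caller's JWT and the authenticated role is
-- what the API uses for logged-in users.
create table companies (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table company_members (
  company_id uuid not null references companies(id),
  user_id    uuid not null references auth.users(id),
  role       text not null check (role in ('admin', 'hiring_manager', 'recruiter')),
  primary key (company_id, user_id)
);

create table assessments (
  id         uuid primary key default gen_random_uuid(),
  company_id uuid not null references companies(id),
  title      text not null,
  created_at timestamptz not null default now()
);

grant select, insert on company_members, assessments to authenticated;

-- Once RLS is enabled, a table with no matching policy returns no rows to
-- a role that is subject to RLS. Policies then open specific paths back up.
alter table company_members enable row level security;
alter table assessments     enable row level security;

-- A user can see only their own membership rows.
create policy member_self_read on company_members
  for select to authenticated
  using (user_id = auth.uid());

-- A user can read assessments only for companies they belong to. An
-- application query that forgets a company_id filter still gets only
-- these rows, because the policy is applied by PostgreSQL itself.
create policy assessments_company_read on assessments
  for select to authenticated
  using (
    company_id in (
      select company_id from company_members where user_id = auth.uid()
    )
  );

-- Writes are checked too: only admins and hiring managers of the target
-- company may create an assessment for it (with check applies to new rows).
create policy assessments_company_write on assessments
  for insert to authenticated
  with check (
    exists (
      select 1 from company_members m
      where m.company_id = assessments.company_id
        and m.user_id    = auth.uid()
        and m.role in ('admin', 'hiring_manager')
    )
  );

-- Isolation check from the SQL editor or psql (run as a role allowed to
-- SET ROLE): impersonate an authenticated user by setting the JWT claims
-- that auth.uid() reads, then count what is visible.
set role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
select count(*) from assessments;  -- only rows for that user's companies
reset role;
```

One caveat a reviewer should check: these policies bind only for connections whose role is subject to RLS. The Supabase service_role key, the table owner and any superuser bypass RLS entirely, so any server-side code that connects with those credentials must enforce company isolation in its own queries.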

Secure Development Practices

  • Input validation: All user-supplied input is validated and sanitized on the server side before processing or storage.
  • SQL injection prevention: Database access goes through the Supabase client, which issues parameterized queries; user input is never interpolated into raw SQL.
  • XSS prevention: React's JSX escaping renders user-supplied strings as text rather than markup, and Content Security Policy headers are enforced as a second layer of defence.
  • Dependency management: Dependencies are regularly audited and updated. Critical security patches are applied promptly.
  • Environment secrets: API keys and secrets are stored as environment variables and never committed to version control.

Third-Party Providers

LevelHire relies on the following vetted third-party providers, each of which maintains its own security program:

  • Supabase: database & authentication (SOC 2 Type II)
  • Vercel: application hosting & CDN (SOC 2 Type II)
  • Stripe: payment processing (PCI DSS Level 1)
  • Anthropic: AI challenge generation & evaluation (Enterprise Data Processing Agreement)

Incident Response

In the event of a security incident affecting customer or candidate data:

  • We will investigate and contain the incident within 24 hours of detection.
  • Affected users will be notified within 72 hours of confirmed impact, in compliance with applicable law.
  • For incidents affecting Mexican residents, we will notify the INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) as required by the LFPDPPP.
  • A post-incident report will be provided to affected Customers upon request.

Vulnerability Disclosure

We take security reports seriously. If you discover a potential security vulnerability in LevelHire, please report it responsibly:

Responsible Disclosure

Email your report to security@levelhire.ai with:

  • A clear description of the vulnerability.
  • Steps to reproduce or proof-of-concept (if available).
  • The potential impact.
  • Your contact information (optional).

We will acknowledge your report within 2 business days and keep you updated on our progress. We ask that you do not publicly disclose the vulnerability until we have addressed it. We do not currently operate a formal bug bounty program, but we genuinely appreciate responsible disclosure.

Out of scope: Social engineering attacks, denial of service attacks, physical attacks, or issues in third-party services outside our control.

Compliance

LevelHire's security practices are designed to support compliance with:

  • California Consumer Privacy Act (CCPA/CPRA)
  • Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) — Mexico
  • General Data Protection Regulation (GDPR) — where applicable to EU users
  • U.S. federal data security standards

For compliance documentation or security questionnaires, contact security@levelhire.ai.
