LevelHire

Security

Security is a core part of how LevelHire is built. This page describes our security practices, infrastructure, and how to report a vulnerability.

  • TLS in transit: All traffic encrypted with TLS 1.2+
  • Encrypted at rest: AES-256 database encryption
  • Row-level security: PostgreSQL RLS on all tables
  • No passwords stored: Auth via Supabase secure tokens
  • No camera uploads: Camera processed locally only

Infrastructure Security

LevelHire is hosted on Vercel (application layer) and Supabase (database layer), both of which maintain comprehensive security certifications and practices:

  • Transport security: All connections to LevelHire use TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS.
  • Database encryption: Data at rest is encrypted using AES-256. Supabase uses AWS RDS with encryption enabled at the storage level.
  • Row-level security (RLS): PostgreSQL row-level security policies ensure that each company can only access its own data. Even in the event of an application-layer bug, data isolation is enforced at the database level.
  • Network isolation: Database connections are restricted to application services. Direct public database access is disabled.
  • DDoS protection: Provided by Vercel's edge network and infrastructure layer.

Authentication and Access Control

  • Authentication: User authentication is handled by Supabase Auth, which issues industry-standard JSON Web Tokens (JWTs). Passwords are hashed with bcrypt and never stored in plaintext.
  • Session management: Sessions expire after a configurable period of inactivity. Refresh tokens are rotated on each use.
  • Role-based access control: Company accounts use role-based access (Admin, Hiring Manager, Recruiter) that restricts what each user can see and do within the platform.
  • Candidate tokens: Candidates access their assessments via unique, time-limited cryptographic tokens. These tokens are single-use and expire after 7 days.
  • API keys: API keys for integrations are stored as hashed values. The plaintext key is shown only once at creation.

Data Handling and Privacy

  • Camera data: When a candidate enables the optional camera preview, video is processed entirely within the candidate's browser using the Web MediaDevices API. No camera frames are uploaded, transmitted, or stored on LevelHire servers.
  • Candidate responses: Assessment responses are transmitted to our AI provider (Anthropic) via an encrypted API connection for evaluation. Anthropic does not retain this data for model training without explicit consent.
  • Data segregation: Each company's data is strictly segregated at the database level using RLS policies. Cross-company data access is architecturally prevented.
  • Logging: Application logs are retained for 30 days and contain no sensitive personal data (passwords, full responses, or assessment content).
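The row-level security model described under Infrastructure Security and Data Segregation, as an added PostgreSQL example (not LevelHire's actual schema or policies): table and column names, the `company_members` membership table and the `my_company_ids()` helper are assumptions; `auth.uid()` is Supabase's function that returns the user id from the verified JWT.

```sql
-- Constructed schema (assumption: illustrative names, not LevelHire's real tables).
create table company_members (
  user_id    uuid not null,
  company_id uuid not null,
  role       text not null check (role in ('admin', 'hiring_manager', 'recruiter')),
  primary key (user_id, company_id)
);

create table candidates (
  id         uuid primary key default gen_random_uuid(),
  company_id uuid not null,
  email      text not null
);

-- Turn RLS on. FORCE also applies the policies to the table owner, so an
-- owning role cannot silently bypass isolation.
alter table candidates enable row level security;
alter table candidates force row level security;

-- Helper (assumed name): the companies the calling user belongs to.
-- auth.uid() reads the user id out of the verified Supabase JWT.
create or replace function my_company_ids() returns setof uuid
language sql stable security definer set search_path = public as $$
  select company_id from company_members where user_id = auth.uid();
$$;

-- Reads: a user only ever sees rows belonging to their own company.
create policy candidates_select on candidates
  for select using (company_id in (select my_company_ids()));

-- Writes: WITH CHECK rejects rows tagged with another company's id, even if
-- the application layer passed that id through unvalidated.
create policy candidates_insert on candidates
  for insert with check (company_id in (select my_company_ids()));

create policy candidates_update on candidates
  for update using (company_id in (select my_company_ids()))
  with check (company_id in (select my_company_ids()));

-- No DELETE policy is defined, so deletes are denied by default once RLS is on.

-- The "application-layer bug" case from the text: this query forgot its
-- WHERE company_id = ... filter, yet RLS still returns only the caller's rows.
select id, email from candidates;
```

Note that roles with BYPASSRLS (including PostgreSQL superusers and Supabase's service_role key) are not subject to these policies, so application code running with such credentials must be treated as fully trusted.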

Secure Development Practices

  • Input validation: All user-supplied input is validated and sanitized on the server side before processing or storage.
  • SQL injection prevention: The platform uses parameterized queries exclusively, through the Supabase client. User input is never interpolated into raw SQL.
  • XSS prevention: React's built-in escaping prevents cross-site scripting. Content Security Policy headers are enforced.
  • Dependency management: Dependencies are regularly audited and updated. Critical security patches are applied promptly.
  • Environment secrets: API keys and secrets are stored as environment variables and never committed to version control.

Third-Party Providers

LevelHire relies on the following vetted third-party providers, each of which maintains its own security program:

  • Supabase: Database & authentication (SOC 2 Type II)
  • Vercel: Application hosting & CDN (SOC 2 Type II)
  • Stripe: Payment processing (PCI DSS Level 1)
  • Anthropic: AI challenge generation & evaluation (Enterprise Data Processing Agreement)

Incident Response

In the event of a security incident affecting customer or candidate data:

  • We will investigate and contain the incident within 24 hours of detection.
  • Affected users will be notified within 72 hours of confirmed impact, in compliance with applicable law.
  • For incidents affecting Mexican residents, we will notify the INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) as required by the LFPDPPP.
  • A post-incident report will be provided to affected Customers upon request.

Vulnerability Disclosure

We take security reports seriously. If you discover a potential security vulnerability in LevelHire, please report it responsibly:

Responsible Disclosure

Email your report to security@levelhire.ai with:

  • A clear description of the vulnerability.
  • Steps to reproduce or proof-of-concept (if available).
  • The potential impact.
  • Your contact information (optional).

We will acknowledge your report within 2 business days and keep you updated on our progress. We ask that you do not publicly disclose the vulnerability until we have addressed it. We do not currently operate a formal bug bounty program, but we genuinely appreciate responsible disclosure.

Out of scope: Social engineering attacks, denial of service attacks, physical attacks, or issues in third-party services outside our control.

Compliance

LevelHire's security practices are designed to support compliance with:

  • California Consumer Privacy Act (CCPA/CPRA)
  • Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) — Mexico
  • General Data Protection Regulation (GDPR) — where applicable to EU users
  • U.S. federal data security standards

For compliance documentation or security questionnaires, contact security@levelhire.ai.
