Security & Data Protection

Every claim on this page is backed by our actual codebase — not marketing aspirations. Here's exactly how we protect your data.

INFRASTRUCTURE

Hosting & encryption in transit

Your data runs on trusted cloud infrastructure with encryption at every layer.

Global edge network

Our application is served via a global edge network with serverless compute. This provides automatic TLS certificates, CDN distribution, and isolated function execution.

Encrypted database

All database data is encrypted at rest using industry-standard encryption. Infrastructure is hosted on trusted cloud providers.

HTTPS/TLS enforced with HSTS

All connections are encrypted with TLS. We enforce HTTP Strict Transport Security with a 1-year max-age and includeSubDomains in production.

ACCESS CONTROL

Authentication & authorisation

Three layers of access control ensure the right people see the right data.

Session-based authentication

Session-based auth with OAuth support. Sessions are validated at the middleware layer before any page or API route executes.

Role-based access control

Organisations have owner and manager roles with granular permissions — who can manage jobs, view analytics, change settings, and invite members.

Row-Level Security on all tables

Every database table enforces RLS policies. Users can only access their own data; organisation members see only their organisation’s data.

Explicit invite acceptance

Pending invitations require explicit user acceptance before granting any organisation access. Accounts are never auto-linked, which prevents privilege escalation.

ENCRYPTION

Data encryption & protection

Encryption in transit, at rest, and for sensitive credentials.

TLS in transit

All data transmitted between clients, our servers, and third-party services is encrypted using TLS.

Encrypted at rest

All database data is encrypted at rest using industry-standard encryption on trusted cloud infrastructure.

AES-256-GCM for ATS credentials

Integration credentials for connected ATS platforms are encrypted with AES-256-GCM using a 32-byte key and a random 96-bit IV per operation.
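
The scheme described above, as an added Node.js example (not Kaairo's code): a 32-byte key, a fresh random 96-bit IV per encryption, and the GCM tag verified on decryption. The stored layout (IV, tag, ciphertext, base64-encoded) and the `context` string bound as associated data are assumptions.

```javascript
// Added example: AES-256-GCM envelope for a stored integration credential.
const nodeCrypto = require('node:crypto');

const IV_BYTES = 12;  // 96-bit IV, as stated on the page
const TAG_BYTES = 16; // 128-bit GCM authentication tag

function assertKey(key) {
  if (!Buffer.isBuffer(key) || key.length !== 32) {
    throw new Error('AES-256-GCM requires a 32-byte key');
  }
}

// Returns base64(iv || tag || ciphertext). `context` is a hypothetical label
// (e.g. an integration row id) bound as AAD, so a blob copied to another row
// fails authentication.
function encryptCredential(key, plaintext, context) {
  assertKey(key);
  const iv = nodeCrypto.randomBytes(IV_BYTES); // never reuse an IV with one key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptCredential(key, blob, context) {
  assertKey(key);
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < IV_BYTES + TAG_BYTES) throw new Error('ciphertext too short');
  const iv = raw.subarray(0, IV_BYTES);
  const tag = raw.subarray(IV_BYTES, IV_BYTES + TAG_BYTES);
  const ct = raw.subarray(IV_BYTES + TAG_BYTES);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv, {
    authTagLength: TAG_BYTES,
  });
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(tag);
  // final() throws if the IV, tag, ciphertext or AAD was altered.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```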

APPLICATION SECURITY

Hardened at every layer

Security headers, input validation, and permission restrictions baked into the middleware.

Security headers

X-Frame-Options: DENY (clickjacking protection), X-Content-Type-Options: nosniff (MIME sniffing prevention), strict Referrer-Policy, and Permissions-Policy restrictions.

SSRF protection

All user-provided URLs are validated against a blocklist of private IP ranges (127.x, 10.x, 192.168.x, 172.16–31.x), localhost, and cloud metadata endpoints. Only HTTPS URLs are accepted.
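
One way to implement this check, as an added example (not Kaairo's code). The ranges are the ones listed above; the link-local block covering 169.254.169.254, the 0.0.0.0/8 block, the IPv6 rules and the `metadata.google.internal` name are assumptions about what "cloud metadata endpoints" includes.

```javascript
// Added example: validate a user-supplied URL before the server fetches it.
const BLOCKED_V4 = [ // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8],
  ['169.254.0.0', 16], // link-local, includes 169.254.169.254 (assumed)
  ['172.16.0.0', 12], ['192.168.0.0', 16],
];
const BLOCKED_NAMES = ['localhost', 'metadata.google.internal']; // 2nd is assumed

function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(ip, [net, bits]) {
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

function checkOutboundUrl(input) {
  let url;
  try { url = new URL(input); } catch { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'https-only' };
  if (url.username || url.password) return { ok: false, reason: 'credentials-in-url' };
  // Check the parsed hostname, not the raw string: URL lower-cases it and
  // rewrites numeric IPv4 spellings to dotted form, giving one canonical value.
  const host = url.hostname.replace(/\.$/, '');
  if (BLOCKED_NAMES.includes(host) || host.endsWith('.localhost')) {
    return { ok: false, reason: 'blocked-hostname' };
  }
  if (/^\[(::|f[cd]|fe[89ab])/.test(host)) { // loopback, mapped, ULA, link-local
    return { ok: false, reason: 'blocked-ipv6' };
  }
  const ip = ipv4ToInt(host);
  if (ip !== null && BLOCKED_V4.some((c) => inCidr(ip, c))) {
    return { ok: false, reason: 'blocked-ipv4' };
  }
  return { ok: true, host };
}
```

This validates literal hosts only; the address a hostname resolves to needs the same range check at connection time, and redirects need re-validation on every hop.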

Open redirect prevention

Post-authentication redirects are restricted to a whitelist of allowed internal paths. No user-controlled redirects to external domains.
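
An added example of such an allowlist check (not Kaairo's code). The path prefixes, the fallback and the placeholder origin are hypothetical.

```javascript
// Added example: resolve a post-login `next` parameter to a safe internal path.
const ALLOWED_PREFIXES = ['/dashboard', '/jobs', '/settings', '/assessments']; // hypothetical
const FALLBACK = '/dashboard';
const BASE = 'https://app.invalid'; // placeholder origin, used only for parsing

function safeRedirectTarget(next) {
  if (typeof next !== 'string' || next.length === 0) return FALLBACK;
  // Accept only a single-slash path. Backslashes and control characters are
  // refused because URL parsers rewrite or drop them.
  if (!next.startsWith('/') || next.startsWith('//')) return FALLBACK;
  if (/[\\\u0000-\u001f]/.test(next)) return FALLBACK;

  let url;
  try { url = new URL(next, BASE); } catch { return FALLBACK; }
  if (url.origin !== BASE) return FALLBACK; // must stay on our own origin

  // Match on the normalised pathname, so "/jobs/../admin" is judged as "/admin",
  // and on a segment boundary, so "/jobsboard" does not match "/jobs".
  const allowed = ALLOWED_PREFIXES.some(
    (p) => url.pathname === p || url.pathname.startsWith(p + '/'),
  );
  return allowed ? url.pathname + url.search : FALLBACK;
}
```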

Permissions-Policy restrictions

Camera and microphone access is permitted only on assessment routes where they’re needed. All other pages explicitly deny these permissions.
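
For a compliance review, the header claims in this section and the HSTS claim above can be checked against a captured response. This is an added example, not Kaairo's code; the caller decides whether the path is an assessment route, and the wildcard rule for assessment routes is an assumed house rule.

```javascript
// Added example: audit one response's headers against the stated policy.
function parseDirectives(value, sep) {
  // "a=1; b" -> Map { "a" => "1", "b" => "" }, keys lower-cased
  const out = new Map();
  for (const part of String(value || '').split(sep)) {
    const [k, ...rest] = part.trim().split('=');
    if (k) out.set(k.toLowerCase(), rest.join('=').trim());
  }
  return out;
}

function auditSecurityHeaders(rawHeaders, isAssessmentRoute) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = new Map(
    Object.entries(rawHeaders).map(([k, v]) => [k.toLowerCase(), String(v)]),
  );
  const findings = [];

  const hsts = parseDirectives(h.get('strict-transport-security'), ';');
  if (!(Number(hsts.get('max-age')) >= 31536000)) findings.push('hsts: max-age missing or below 1 year');
  if (!hsts.has('includesubdomains')) findings.push('hsts: includeSubDomains missing');

  if ((h.get('x-frame-options') || '').toUpperCase() !== 'DENY') findings.push('x-frame-options: not DENY');
  if ((h.get('x-content-type-options') || '').toLowerCase() !== 'nosniff') findings.push('x-content-type-options: not nosniff');
  if (!h.has('referrer-policy')) findings.push('referrer-policy: missing');

  const pp = parseDirectives(h.get('permissions-policy'), ',');
  for (const feature of ['camera', 'microphone']) {
    const allowlist = pp.get(feature);
    // "()" is the empty allowlist: the feature is denied for every origin.
    if (!isAssessmentRoute && allowlist !== '()') {
      findings.push(`permissions-policy: ${feature} not denied`);
    }
    // Assumed rule: assessment routes name their origins instead of using "*".
    if (isAssessmentRoute && (allowlist === undefined || allowlist === '*')) {
      findings.push(`permissions-policy: ${feature} needs an explicit allowlist`);
    }
  }
  return findings;
}
```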

PRIVACY

Privacy & consent

Consent-first design with full audit trails for every decision.

Minimal cookie usage

We use only essential authentication cookies and standard analytics cookies for aggregate usage insights. No advertising or personalisation cookies are set.

Consent records with audit trail

Every consent action is recorded in a dedicated table with the user ID, consent type, IP address, and timestamp for full traceability.

Data audit logging

Sensitive operations are tracked in a data audit log recording the actor, action, target, and IP address. Both audit and consent tables have Row-Level Security enabled.

PROCTORING

Proctoring privacy

Assessment integrity without invasive surveillance.

  • No video recordings stored — only event-level behavioural flags (look-away count, tab switches, face detection results)
  • Camera processing happens entirely client-side in the candidate’s browser
  • Proctoring event data is retained for 30 days, then deleted

Frequently asked questions

Where is data hosted?

Our database and application are hosted on trusted cloud infrastructure with data encrypted at rest. The application is served via a global edge network.

Is data encrypted?

Yes. All connections use TLS encryption in transit. Data is encrypted at rest on our cloud infrastructure. ATS integration credentials are encrypted with AES-256-GCM.

Does Kaairo store video recordings?

No. Camera proctoring runs entirely in the candidate’s browser. We store only event-level behavioural flags (e.g., look-away count, tab switches), never video or images.

Is candidate data used to train AI?

No. Candidate data is processed for scoring only. It is not used to train or improve any AI models.

Can data be deleted on request?

Yes. Contact the organisation that invited you, or reach out to us directly at hello@kaairo.ai.

What compliance standards does Kaairo follow?

Kaairo is compliant with India’s Digital Personal Data Protection (DPDP) Act 2023. SOC 2 Type II certification is on our roadmap.

Need more details?

Have questions about our security practices or need documentation for your compliance review? We're happy to help.
