Draft Document - Legal Review Required

This document is a draft and requires review by qualified legal counsel before publication. The content herein does not constitute legal advice.

Security & Data Protection

Last Updated: February 25, 2026

v1.0

Enterprise-Grade Security

AES-256 encryption at rest, TLS 1.2+ in transit, role-based access controls, and comprehensive audit logging across all platform operations.

CCPA/CPRA Compliant

Our data handling practices are designed to meet the requirements of the California Consumer Privacy Act and the California Privacy Rights Act.

1. Our Commitment to Security

At SafeReq, security and data protection are fundamental to everything we build. Our customers entrust us with job requisition documents and employment-related content for compliance analysis. We take this responsibility seriously and invest in robust security measures to safeguard your data at every stage of processing.

This document describes our security practices, technical safeguards, organizational controls, and data protection measures. SafeReq is an informational tool that identifies potential areas of concern in job requisitions; it does not provide legal advice. Similarly, this security overview is provided for informational purposes and is subject to change as we continue to strengthen our security posture.

2. Data Encryption

2.1 Encryption at Rest

All data stored in our systems is encrypted at rest using industry-standard encryption:

  • AES-256 encryption for all data stored in PostgreSQL databases, including job requisition content, analysis results, and account information
  • Encrypted database volumes managed through AWS Elastic Block Store (EBS) encryption
  • Encrypted backups stored in AWS S3 with server-side encryption (SSE-S3 or SSE-KMS)
  • Encryption keys managed through AWS Key Management Service (KMS) with automatic key rotation

2.2 Encryption in Transit

All data transmitted between your browser and our servers is protected:

  • TLS 1.2 or higher (Transport Layer Security) enforced for all connections
  • HTTPS required for all web traffic with automatic HTTP-to-HTTPS redirection
  • Strong cipher suites with forward secrecy to protect against retrospective decryption
  • HSTS (HTTP Strict Transport Security) headers configured to prevent protocol downgrade attacks
  • Internal service-to-service communication (e.g., between the .NET API and the JobReqIQ engine) is encrypted in transit within the cloud VPC

3. Access Controls and Authentication

3.1 User Authentication

SafeReq employs multiple layers of authentication security for customer accounts:

  • Passwords are hashed using bcrypt with appropriate work factors; plaintext passwords are never stored
  • JWT-based session management with short-lived access tokens held in memory (not localStorage) and refresh tokens stored in HttpOnly, Secure cookies
  • Automatic session timeout after a period of inactivity
  • Account lockout with progressive delays after repeated failed login attempts
  • Email verification required for all new accounts
  • Multi-factor authentication (MFA) planned for future release
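The "progressive delays" item above describes a lockout schedule rather than a fixed ban. The following is an added illustration of one such schedule and is not SafeReq's own code; the threshold of three free attempts, the 30-second starting delay, the doubling and the one-hour cap are constructed values chosen for the example, since the policy states only that delays grow after repeated failures. Time is passed in explicitly so the behaviour can be checked without waiting.

```python
"""Account lockout with progressive delays (added example, not SafeReq code).

FREE_ATTEMPTS, BASE_DELAY_SECONDS and MAX_DELAY_SECONDS are assumed values
for this illustration; the policy does not publish its actual schedule.
"""
from dataclasses import dataclass, field

FREE_ATTEMPTS = 3          # consecutive failures tolerated before the first delay
BASE_DELAY_SECONDS = 30    # length of the first lockout window
MAX_DELAY_SECONDS = 3600   # cap so the schedule cannot grow without bound


def lockout_delay(failed_attempts: int) -> int:
    """Seconds the account stays locked after this many consecutive failures.

    0 while within the free attempts, then 30s, 60s, 120s, ... capped at 3600s.
    """
    excess = failed_attempts - FREE_ATTEMPTS
    if excess <= 0:
        return 0
    return min(BASE_DELAY_SECONDS * 2 ** (excess - 1), MAX_DELAY_SECONDS)


@dataclass
class LoginThrottle:
    """Per-account failure counter and lock expiry; the clock is injected by callers."""
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, account: str, now: float) -> bool:
        return now < self.locked_until.get(account, 0.0)

    def record_failure(self, account: str, now: float) -> int:
        """Register one failed login and return the delay (seconds) now in force."""
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        delay = lockout_delay(n)
        if delay:
            self.locked_until[account] = now + delay
        return delay

    def record_success(self, account: str) -> None:
        # A successful login resets the counter and clears any pending lock.
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Outcome of a single login attempt: 'locked', 'failed' or 'ok'."""
        if self.is_locked(account, now):
            return "locked"  # rejected before the password is even checked
        if not password_ok:
            self.record_failure(account, now)
            return "failed"
        self.record_success(account)
        return "ok"


def simulate(attempts, account="user@example.test"):
    """Replay (seconds_since_start, password_ok) pairs and return each outcome."""
    throttle = LoginThrottle()
    return [throttle.attempt(account, ok, now) for now, ok in attempts]


if __name__ == "__main__":
    # Constructed sequence: four wrong passwords, then the right one twice.
    timeline = [(0, False), (1, False), (2, False), (3, False), (4, True), (40, True)]
    print(simulate(timeline))
```

Rejecting attempts during the lock window without re-checking the password keeps a burst of guesses from extending the lock further, while a correct login after the window expires clears the counter.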

3.2 Role-Based Access Control (RBAC)

SafeReq implements a strict role-based access control model:

  • Principle of least privilege: Every user is granted only the minimum access necessary for their role
  • Organization-scoped data: Every database query filters on the organization identifier, ensuring strict tenant isolation
  • Defined roles: Customer users, organization managers, compliance reviewers, and platform administrators each have distinct permission sets
  • Granular permissions: Sensitive operations (e.g., managing team members, viewing billing history, accessing audit logs) require elevated role assignments

3.3 Internal Access Controls

  • SafeReq personnel access to production systems is restricted to authorized individuals who require it for their job functions
  • All employee access to customer data is logged in the audit system
  • Production database access requires authenticated, encrypted connections with individual credentials
  • Access reviews are conducted regularly to ensure continued appropriateness of access levels

4. Infrastructure Security

4.1 AWS Cloud Infrastructure

SafeReq is hosted on Amazon Web Services (AWS), whose data centers hold SOC 2, ISO 27001, and PCI DSS certifications. Our infrastructure takes advantage of AWS security capabilities including:

  • Virtual Private Cloud (VPC) with private subnets for databases and internal services
  • Security groups and network ACLs enforcing strict inbound and outbound traffic rules
  • DDoS protection through AWS Shield
  • Content delivery and edge protection through AWS CloudFront
  • Automated infrastructure provisioning through infrastructure-as-code, reducing manual configuration errors

4.2 Application Security

  • Parameterized queries: All database queries use parameterized inputs to prevent SQL injection; user input is never concatenated into SQL statements
  • Input validation: All API endpoints validate and sanitize input data using FluentValidation
  • Output encoding: Responses are encoded to prevent cross-site scripting (XSS) attacks
  • CORS policies: Strict cross-origin resource sharing policies limit which domains can interact with our API
  • Rate limiting: API rate limiting protects against abuse and brute-force attacks
  • Dependency scanning: Automated monitoring of third-party dependencies for known vulnerabilities

4.3 Network Architecture

The SafeReq architecture separates public-facing services from internal processing:

  • The JobReqIQ analysis engine is not internet-facing; it is accessible only through the internal network from the .NET API
  • The review panel is IP-allowlisted for additional access restriction
  • Database servers are deployed in private subnets with no direct internet access
  • All inter-service communication occurs within the cloud VPC

5. Audit Logging

SafeReq maintains comprehensive audit logs for security-relevant actions across the platform:

  • Authentication events: Login attempts (successful and failed), password changes, session creation and expiration
  • Data access: Access to job requisition data, analysis results, and reports
  • Administrative actions: User management, role changes, organization settings modifications
  • Billing events: Credit purchases, subscription changes, payment transactions
  • Analysis operations: Document uploads, analysis requests, review assignments

Audit logs are stored in a dedicated schema with append-only write access. Logs include timestamps (UTC), actor identification, action type, affected resource, and source IP address. Audit records are retained in accordance with our data retention policy and applicable legal requirements.
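An added example of the append-only audit schema just described; this is illustrative code, not SafeReq's implementation. SQLite stands in for the dedicated PostgreSQL schema, and because SQLite has no GRANT/REVOKE, triggers emulate what a Postgres role lacking UPDATE and DELETE privileges would enforce. The column set mirrors the fields the policy lists (UTC timestamp, actor, action, resource, source IP); the table and trigger names and the sample events are constructed.

```python
"""Append-only audit log (added example, not SafeReq code).

Assumed: SQLite in memory as a stand-in for PostgreSQL; triggers emulate the
revoked UPDATE/DELETE privileges of an append-only database role.
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE audit_log (
    id        INTEGER PRIMARY KEY,
    ts_utc    TEXT NOT NULL,
    actor_id  TEXT NOT NULL,
    action    TEXT NOT NULL,
    resource  TEXT NOT NULL,
    source_ip TEXT NOT NULL
);
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def open_audit_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_event(conn, actor_id, action, resource, source_ip, when=None) -> int:
    """Append one record and return its row id. Timestamps are normalised to UTC."""
    stamp = (when or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()
    cur = conn.execute(
        "INSERT INTO audit_log (ts_utc, actor_id, action, resource, source_ip) "
        "VALUES (?, ?, ?, ?, ?)",
        (stamp, actor_id, action, resource, source_ip),
    )
    return cur.lastrowid


def event_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]


def is_append_only(conn, row_id) -> bool:
    """Attempt to rewrite, then erase, a record; True only if both are refused
    and the original row is still present unchanged."""
    original = conn.execute("SELECT actor_id FROM audit_log WHERE id = ?", (row_id,)).fetchone()
    blocked = 0
    for stmt in (
        "UPDATE audit_log SET actor_id = 'nobody' WHERE id = ?",
        "DELETE FROM audit_log WHERE id = ?",
    ):
        try:
            conn.execute(stmt, (row_id,))
        except sqlite3.DatabaseError:  # RAISE(ABORT) surfaces as a constraint error
            blocked += 1
    after = conn.execute("SELECT actor_id FROM audit_log WHERE id = ?", (row_id,)).fetchone()
    return blocked == 2 and after == original


if __name__ == "__main__":
    store = open_audit_store()
    # Constructed sample events covering two of the categories listed above.
    rid = record_event(store, "user-42", "login.success", "session/abc", "203.0.113.7")
    record_event(store, "user-42", "requisition.view", "requisition/17", "203.0.113.7")
    print("events:", event_count(store), "tamper-resistant:", is_append_only(store, rid))
```

In PostgreSQL the equivalent control is to grant the application role INSERT and SELECT on the audit schema only, so that the enforcement lives in the database rather than in application code that could be bypassed.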

6. Vulnerability Management

  • Penetration Testing: We conduct periodic third-party penetration tests to identify and address vulnerabilities before they can be exploited
  • Vulnerability Scanning: Automated scanning of infrastructure and application dependencies runs on a regular cadence to detect known vulnerabilities
  • Patch Management: Security patches for operating systems, frameworks, and libraries are evaluated and applied promptly, with critical patches prioritized for expedited deployment
  • Dependency Monitoring: We monitor our open-source dependencies (.NET NuGet packages, Python pip packages, npm packages) for newly disclosed vulnerabilities
  • Responsible Disclosure: We welcome reports from security researchers. If you discover a vulnerability, please report it to security@safereq.com. We request 90 days to address reported issues before public disclosure

7. Incident Response

SafeReq maintains a documented incident response plan to address security events promptly and effectively:

7.1 Detection and Triage

  • Security monitoring and alerting to detect anomalous activity
  • Defined severity levels and escalation paths for different types of incidents
  • Designated incident response team with clear roles and responsibilities

7.2 Containment and Remediation

  • Established protocols for containment, eradication, and recovery
  • Forensic investigation capabilities to determine root cause and scope
  • Post-incident reviews to identify improvements and prevent recurrence

7.3 Breach Notification

In the event of a data breach affecting customer data:

  • Affected customers will be notified within 72 hours of discovery, as required by our Data Processing Agreement
  • Notifications will include the nature of the breach, categories of data affected, and remedial actions taken or planned
  • We will comply with all applicable breach notification requirements under CCPA/CPRA and other applicable laws
  • We will cooperate with law enforcement and regulatory authorities as required
  • A post-incident report will be made available to affected customers

8. Organizational Security

8.1 Personnel Security

  • All personnel with access to customer data are bound by written confidentiality obligations
  • Security awareness training is provided to all team members
  • Access to production systems is reviewed and adjusted when personnel roles change

8.2 Vendor and Sub-processor Security

  • All third-party vendors that process customer data are evaluated for security capabilities before engagement
  • Vendors are contractually required to maintain data protection standards consistent with this policy
  • Sub-processors are listed in our Data Processing Agreement and changes are communicated to customers in advance

8.3 Physical Security

SafeReq's infrastructure is hosted in AWS data centers, which maintain comprehensive physical security controls including 24/7 security monitoring, biometric access controls, video surveillance, and environmental safeguards (fire suppression, climate control, redundant power). SafeReq personnel do not have physical access to AWS data center facilities.

9. Data Protection Practices

9.1 Data Minimization

We collect and retain only the data necessary to provide our services. We do not collect or store payment card details (these are handled exclusively by Stripe). Anonymous analysis sessions retain only severity-level results for a limited period. Account data is purged in accordance with our retention policy when no longer needed.

9.2 Tenant Isolation

Customer data is logically isolated at the application level. Every database query that accesses customer data is filtered on the organization identifier, ensuring that one customer can never access another customer's data. This isolation is enforced in the repository layer and is a core security requirement of the platform.
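The repository-layer isolation described here, together with the parameterized-query rule from section 4.2, is shown below as an added example; it is illustrative code rather than SafeReq's own repository implementation. An in-memory SQLite database stands in for PostgreSQL, and the table layout, column names and sample rows are constructed. Every repository method takes the organization identifier as a required argument and binds it, alongside any user-supplied value, as a query parameter.

```python
"""Organization-scoped repository with parameterized queries (added example,
not SafeReq code). Assumed: SQLite in memory in place of PostgreSQL; the
`requisitions` table and its sample rows are constructed for this example."""
import sqlite3
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Requisition:
    id: int
    organization_id: int
    title: str


class RequisitionRepository:
    """Every read and write is filtered on organization_id; callers cannot opt out."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def get(self, organization_id: int, requisition_id: int) -> Optional[Requisition]:
        # Both the primary key and the tenant filter are bound parameters;
        # user-controlled values never become part of the SQL text.
        row = self.conn.execute(
            "SELECT id, organization_id, title FROM requisitions "
            "WHERE id = ? AND organization_id = ?",
            (requisition_id, organization_id),
        ).fetchone()
        return Requisition(*row) if row else None

    def search(self, organization_id: int, title_fragment: str) -> list:
        # The LIKE pattern is assembled in Python and bound as a parameter, so a
        # fragment such as "' OR 1=1 --" is matched literally as text.
        pattern = f"%{title_fragment}%"
        rows = self.conn.execute(
            "SELECT id, organization_id, title FROM requisitions "
            "WHERE organization_id = ? AND title LIKE ? ORDER BY id",
            (organization_id, pattern),
        ).fetchall()
        return [Requisition(*r) for r in rows]

    def delete(self, organization_id: int, requisition_id: int) -> int:
        # Returns rows removed: 0 when the row belongs to a different organization.
        cur = self.conn.execute(
            "DELETE FROM requisitions WHERE id = ? AND organization_id = ?",
            (requisition_id, organization_id),
        )
        return cur.rowcount


def build_sample_repository() -> RequisitionRepository:
    """Constructed fixture: two organizations (100 and 200), three requisitions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE requisitions ("
        "id INTEGER PRIMARY KEY, organization_id INTEGER NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO requisitions VALUES (?, ?, ?)",
        [(1, 100, "Senior Accountant"), (2, 100, "Payroll Clerk"), (3, 200, "Warehouse Lead")],
    )
    return RequisitionRepository(conn)


if __name__ == "__main__":
    repo = build_sample_repository()
    print("own row:", repo.get(100, 1))
    print("other tenant's row:", repo.get(200, 1))          # None
    print("injection-shaped search:", repo.search(200, "' OR 1=1 --"))  # []
```

Making the organization identifier a positional argument of every repository method, sourced from the authenticated session rather than from the request body, is what turns "every query filters on the organization" from a convention into something a code review can verify mechanically.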

9.3 Backup and Recovery

  • Automated daily database backups with AES-256 encryption
  • Backups are stored in a separate AWS region for geographic redundancy
  • Backup restoration procedures are tested periodically to verify recoverability
  • Business continuity and disaster recovery plans are documented and maintained

9.4 Secure Data Deletion

When data is deleted (upon account closure, data subject request, or retention period expiration), it is removed from active databases and from backups in accordance with our retention schedule. Deletion is verified and, upon request, we can provide written certification of deletion.

10. Compliance and Certifications

10.1 Current Compliance

  • CCPA/CPRA: Our data handling practices are designed to meet the requirements of California privacy laws
  • Data Processing Agreements: Available for all business customers upon request
  • Privacy impact assessments: Conducted for new features and processing activities that may affect personal information

10.2 Planned Certifications

  • SOC 2 Type II: We are working toward SOC 2 Type II certification and expect to begin the formal audit process in the near future. Our current security controls are designed to align with the SOC 2 Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy).

11. Security Best Practices for Customers

We recommend that customers take the following steps to help protect their accounts:

  • Use strong, unique passwords for your SafeReq account
  • Do not share account credentials with unauthorized individuals
  • Regularly review account activity and access logs in your dashboard
  • Limit user access within your organization based on role requirements
  • Promptly remove access for personnel who no longer require it
  • Report any suspicious activity to security@safereq.com immediately

12. Security Reporting and Contact

If you discover a security vulnerability, experience a security concern, or have questions about our security practices, please contact us:

Security Team: security@safereq.com
Privacy Questions: privacy@safereq.com
Legal / DPA Requests: legal@safereq.com
Responsible Disclosure: We request 90 days to address reported vulnerabilities before public disclosure
Mail: SafeReq Inc., California, United States

This document is provided for informational purposes only and does not constitute legal advice. Please consult a licensed California employment attorney for legal guidance.