Security

Effective May 2026

HireForge runs a strict security baseline appropriate for the executive-tier customers it serves. This page is the public summary of our posture. For SOC 2 Type 2 letters, security questionnaires, penetration test summaries, or a DPA, contact us.

Network and edge

  • TLS 1.2+ everywhere. No insecure protocols served. HSTS with 2-year max-age, preload-eligible.
  • DNSSEC on the hireforge.co zone via Cloudflare.
  • Strict CSP, X-Frame-Options DENY, locked-down Permissions-Policy on every response.
  • Vercel BotID for behavioral bot detection on auth and payment routes.
  • Vercel edge DDoS protection — multi-Tbps capacity.
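The response-header baseline listed above (HSTS with a two-year max-age that is eligible for the browser preload list, X-Frame-Options DENY, a strict CSP and a Permissions-Policy) can be checked mechanically. The following is an added example, not HireForge's own code or configuration: it parses a response's headers and reports every deviation from that baseline. The preload requirements it encodes are the published ones from hstspreload.org (max-age of at least 31536000 seconds, includeSubDomains, and the preload directive); the two sample header sets are constructed for illustration.

```javascript
// Added example: check a set of response headers against the stated baseline.
// Header names are case-insensitive, so everything is normalised to lower case.
const TWO_YEARS = 63072000;          // seconds; the max-age the page states
const PRELOAD_MIN_MAX_AGE = 31536000; // hstspreload.org minimum (one year)

// Parse "max-age=63072000; includeSubDomains; preload" into its parts.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  if (!value) return out;
  for (const raw of value.split(";")) {
    const token = raw.trim();
    const lower = token.toLowerCase();
    if (lower.startsWith("max-age=")) {
      const n = Number(token.slice("max-age=".length).replace(/"/g, ""));
      out.maxAge = Number.isInteger(n) && n >= 0 ? n : null;
    } else if (lower === "includesubdomains") {
      out.includeSubDomains = true;
    } else if (lower === "preload") {
      out.preload = true;
    }
  }
  return out;
}

// Returns a list of findings; an empty list means the headers meet the baseline.
function checkSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  const hsts = parseHsts(h["strict-transport-security"]);
  if (hsts.maxAge === null) {
    findings.push("hsts: header missing or max-age unparsable");
  } else {
    if (hsts.maxAge < TWO_YEARS) findings.push(`hsts: max-age ${hsts.maxAge} below two years`);
    if (hsts.maxAge < PRELOAD_MIN_MAX_AGE || !hsts.includeSubDomains || !hsts.preload)
      findings.push("hsts: not preload-eligible (needs max-age>=31536000, includeSubDomains, preload)");
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo !== "DENY") findings.push(`x-frame-options: expected DENY, got ${xfo || "(missing)"}`);

  const csp = h["content-security-policy"] || "";
  if (!csp) {
    findings.push("csp: missing");
  } else {
    // script-src governs script loading; default-src is the fallback when it is absent.
    const directives = csp.split(";").map((d) => d.trim()).filter(Boolean);
    const script = directives.find((d) => /^script-src\s/i.test(d))
      || directives.find((d) => /^default-src\s/i.test(d));
    if (!script) findings.push("csp: no script-src or default-src directive");
    else if (/'unsafe-inline'|(^|\s)\*(\s|$)/i.test(script))
      findings.push("csp: script-src allows unsafe-inline or wildcard sources");
  }

  if (!h["permissions-policy"]) findings.push("permissions-policy: missing");
  return findings;
}

// Constructed header set that satisfies the baseline (nonce value is a placeholder).
function baselineHeaders() {
  return {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  };
}

// Constructed header set with the common weak settings, for comparison.
function weakHeaders() {
  return {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
  };
}

console.log("baseline findings:", checkSecurityHeaders(baselineHeaders()));
console.log("weak findings:", checkSecurityHeaders(weakHeaders()));
```

The same function can be pointed at live responses by feeding it the `headers` object from a `fetch()` call; the checker deliberately reports every finding rather than stopping at the first, so a scheduled run produces a complete diff against the baseline.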

Identity and access

  • MFA required on every account. Supported factors: TOTP (Google Authenticator, 1Password, Authy), WebAuthn (hardware keys, passkeys), backup codes.
  • SAML SSO available for enterprise tier (via Clerk).
  • Strong password policy with breached-password check (haveibeenpwned).
  • Session rotation on privilege escalation.
  • Per-tenant isolation — every customer org is isolated at the data layer; no shared state across orgs.

Encryption

  • In transit: TLS 1.2+ enforced.
  • At rest: AES-256 at the database layer; AES-256 at the object-storage layer.
  • Field-level: customer API keys (Shopify, Stripe, Slack, etc.) and brand-master files encrypted with a per-tenant data encryption key.
  • Secrets: Vercel encrypted env vars; never logged, never returned to API responses.

Audit and observability

  • Customer-visible audit log per organization. Every admin action and every agent action recorded — who did what, when, from where.
  • Provenance tracking — every agent output linked to its inputs, model version, and quality-judge results.
  • Immutable log retention for 1 year (longer on enterprise tier).

AI-specific safety

  • Brand-leak validator runs on every output before it reaches you — catches cross-brand contamination, banned phrases, FTC-risky language.
  • Groundedness and instruction-follow LLM judges available on demand for any output.
  • Eval harness runs every Sunday at 5 AM against your golden test set. Quality regressions trigger alerts before they reach customers.
  • Anthropic zero-retention API — no Claude prompts are retained or used for training.

Vendor stack

Every vendor in the HireForge stack is SOC 2 Type 2 compliant:

  • Vercel — application hosting, edge compute, BotID
  • Clerk — authentication, MFA, audit logs
  • Cloudflare — DNS, DNSSEC, network edge
  • Anthropic — Claude reasoning (zero-retention API)
  • Stripe — billing
  • GitHub — source control with branch protection and signed commits

Backups and continuity

  • Daily encrypted backups with 30-day retention (longer on enterprise tier).
  • Off-site backup to a separate cloud provider.
  • Disaster recovery — RPO 24 hours, RTO 4 hours for self-serve; tighter targets on enterprise tier.

Compliance posture

  • SOC 2 Type 2 — in progress. Vendor stack already SOC 2 Type 2 end-to-end.
  • GDPR / CCPA — Data Processing Agreement available for customers in regulated jurisdictions.
  • HIPAA — not currently certified. White-glove engagements involving PHI are evaluated case-by-case.

Responsible disclosure

If you’ve found a security vulnerability, we want to hear about it. Email hello@hireforge.co with subject line “Security Disclosure”. Include:

  • The vulnerability description with reproduction steps
  • The potential impact
  • Your contact information
  • Whether you’d like public credit

We commit to: acknowledging within 1 business day, providing a substantive response within 5 business days, and not pursuing legal action against good-faith research that follows this policy.

Scope

In scope: hireforge.co, app.hireforge.co, the HireForge API.

Out of scope: denial-of-service attacks, social engineering of HireForge employees, physical attacks, and issues in third-party services (report those to the vendor).

Status

Real-time platform status will be available at status.hireforge.co once the dashboard launches. For incidents in progress, monitor that page or email hello@hireforge.co.

This is a public-facing summary of how HireForge handles legal, privacy, and security matters. For procurement-tier documentation (SOC 2 letter, DPA, security questionnaire), contact us.