Security
Effective May 2026
HireForge runs a strict security baseline appropriate for the executive-tier customers it serves. This page is the public summary of our posture. For SOC 2 Type 2 letters, security questionnaires, penetration test summaries, or a DPA, contact us.
Network and edge
- TLS 1.2+ everywhere. No insecure protocols served. HSTS with 2-year max-age, preload-eligible.
- DNSSEC on the hireforge.co zone via Cloudflare.
- Strict CSP, X-Frame-Options DENY, locked-down Permissions-Policy on every response.
- Vercel BotID for behavioral bot detection on auth and payment routes.
- Vercel edge DDoS protection — multi-Tbps capacity.
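As an added example, not HireForge's own code, the check below verifies a captured set of response headers against the edge baseline stated in this list (two-year HSTS, preload eligibility, strict CSP, X-Frame-Options DENY, Permissions-Policy present). The sample header sets are constructed, and preload eligibility is checked as hstspreload.org defines it (includeSubDomains and preload directives present).

```python
# Checks one response's security headers against the baseline listed above.
# The sample header sets at the bottom are constructed for this example.
TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 seconds, the stated HSTS max-age


def _hsts_directives(value):
    """Parse 'max-age=N; includeSubDomains; preload' into a lowercase dict."""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().lower().partition("=")
        if key:
            directives[key] = val
    return directives


def check_headers(headers):
    """Return a list of findings; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = _hsts_directives(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < TWO_YEARS:
            findings.append(f"HSTS max-age {max_age} is below two years")
        # Preload eligibility (hstspreload.org) also needs both directives
        for needed in ("includesubdomains", "preload"):
            if needed not in d:
                findings.append(f"HSTS lacks {needed}; not preload-eligible")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP permits unsafe-inline/unsafe-eval; not strict")
    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")
    return findings


# Constructed samples: one response meeting the baseline, one falling short
BASELINE_OK = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
BASELINE_WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
}
```

Run `check_headers` on the header dict of any captured response; each string in the returned list names one deviation from the stated baseline.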
Identity and access
- MFA required on every account. Supported factors: TOTP (Google Authenticator, 1Password, Authy), WebAuthn (hardware keys, passkeys), backup codes.
- SAML SSO available for enterprise tier (via Clerk).
- Strong password policy with breached-password check (haveibeenpwned).
- Session rotation on privilege escalation.
- Per-tenant isolation — every customer org is isolated at the data layer; no shared state across orgs.
Encryption
- In transit: TLS 1.2+ enforced.
- At rest: AES-256 at the database layer; AES-256 at the object-storage layer.
- Field-level: customer API keys (Shopify, Stripe, Slack, etc.) and brand-master files encrypted with a per-tenant data encryption key.
- Secrets: Vercel encrypted env vars; never logged, never returned to API responses.
Audit and observability
- Customer-visible audit log per organization. Every admin action and every agent action recorded — who did what, when, from where.
- Provenance tracking — every agent output linked to its inputs, model version, and quality-judge results.
- Immutable log retention for 1 year (longer on enterprise tier).
AI-specific safety
- Brand-leak validator runs on every output before it reaches you — catches cross-brand contamination, banned phrases, FTC-risky language.
- Groundedness and instruction-following LLM judges available on demand for any output.
- Eval harness runs every Sunday at 5 AM against your golden test set. Quality regressions trigger alerts before they reach customers.
- Anthropic zero-retention API — no Claude prompts are retained or used for training.
Vendor stack
Every vendor in the HireForge stack is SOC 2 Type 2 compliant:
- Vercel — application hosting, edge compute, BotID
- Clerk — authentication, MFA, audit logs
- Cloudflare — DNS, DNSSEC, network edge
- Anthropic — Claude reasoning (zero-retention API)
- Stripe — billing
- GitHub — source control with branch protection and signed commits
Backups and continuity
- Daily encrypted backups with 30-day retention (longer on enterprise tier).
- Off-site backup to a separate cloud provider.
- Disaster recovery — RPO 24 hours, RTO 4 hours for self-serve; tighter targets on enterprise tier.
Compliance posture
- SOC 2 Type 2 — in progress. Vendor stack already SOC 2 Type 2 end-to-end.
- GDPR / CCPA — Data Processing Agreement available for customers in regulated jurisdictions.
- HIPAA — not currently certified. White-glove engagements involving PHI are evaluated case-by-case.
Responsible disclosure
If you’ve found a security vulnerability, we want to hear about it. Email hello@hireforge.co with subject line “Security Disclosure”. Include:
- The vulnerability description with reproduction steps
- The potential impact
- Your contact information
- Whether you’d like public credit
We commit to: acknowledging within 1 business day, providing a substantive response within 5 business days, and not pursuing legal action against good-faith research that follows this policy.
Scope
In scope: hireforge.co, app.hireforge.co, the HireForge API.
Out of scope: denial-of-service attacks, social engineering of HireForge employees, physical attacks, and issues in third-party services (report those to the vendor).
Status
Real-time platform status will be available at status.hireforge.co once the dashboard launches. For incidents in progress, monitor that page or email hello@hireforge.co.
This is a public-facing summary of how HireForge handles legal, privacy, and security matters. For procurement-tier documentation (SOC 2 letter, DPA, security questionnaire), contact us.