Security at LevelHire
Candidate data is sensitive. We treat it that way. Here’s a transparent look at how we protect the data flowing through LevelHire.
TLS 1.2+ encryption
All data in transit
AES-256 at rest
All stored data
SOC 2 infrastructure
Certified cloud provider
How we protect you
Security practices
Encryption in transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and redirect HTTP requests automatically.
Encryption at rest
All stored data — including candidate evaluations, behavioral signals, and account information — is encrypted at rest using AES-256.
Cloud infrastructure
LevelHire runs on SOC 2 Type II certified cloud infrastructure. We use isolated environments per tenant and apply the principle of least privilege across all system access.
Authentication & access control
Passwords are hashed using bcrypt with a high work factor. We support two-factor authentication (2FA). Employee access to production systems is role-based, logged, and reviewed quarterly.
Application security
We follow OWASP Top 10 guidelines. Our platform is tested for SQL injection, XSS, CSRF, and other common vulnerabilities. Dependency scanning runs on every deployment.
Penetration testing
We conduct external penetration tests at least annually and after major architectural changes. Results are reviewed by our engineering team and remediated within defined SLAs.
Audit logging
All authentication events, administrative actions, and data access are logged with immutable audit trails. Logs are retained for 12 months and monitored for anomalies.
Incident response
We maintain a documented incident response plan. In the event of a security incident affecting your data, we will notify you within 72 hours of detection, as required by applicable law.
Network security
Production systems are isolated behind private networks with strict firewall rules. We use DDoS mitigation and rate limiting at the edge. No production database is publicly accessible.
Employee security
All team members complete security training upon onboarding and annually thereafter. We use hardware security keys for privileged access and maintain a clean desk / clean screen policy.
Data handling
What we collect and why
Who can access candidate evaluation data?
Only the hiring company that created the evaluation has access to candidate results. LevelHire engineering staff can only access data for authorized debugging purposes, under our access control policy.
How long is evaluation data retained?
Candidate evaluation data is retained for 24 months after completion, or until the business customer requests deletion. After that, it is permanently deleted from all systems including backups within 90 days.
Are behavioral signals shared with third parties?
No. Behavioral signal data (keystroke timing, pause patterns) is used solely to generate evaluation verdicts for the hiring company. It is never shared with or sold to third parties.
Do you use evaluation data for AI/ML training?
We may use de-identified, aggregated evaluation data to improve our AI models. Personally identifiable information is stripped before any model training. You can opt out in your account settings.
What happens to data when I close my account?
You have 30 days after account closure to export your data. After that, your data is permanently deleted in accordance with our Privacy Policy retention schedule.
Responsible Disclosure
If you discover a security vulnerability in LevelHire, we encourage responsible disclosure. Please report it to us privately so we can address it before public disclosure. We commit to:
- ✓ Acknowledge your report within 48 hours
- ✓ Provide a timeline for remediation within 7 business days
- ✓ Not pursue legal action against good-faith security researchers
- ✓ Credit you in our changelog (with your permission)
security@levelhire.ai · PGP key available on request
LevelHire’s security practices are designed to comply with applicable data protection laws including Mexico’s LFPDPPP, the US CCPA, and other relevant regulations. For questions about our security or compliance posture, contact us at hello@levelhire.ai.