CreamyHire
Trust Center

Security

What we do to keep recruiter PII, candidate resumes, and AI scoring outputs safe.

Last updated: May 2026

Encryption

All CreamyHire traffic is served over TLS 1.2+, with HSTS preload and modern cipher suites only. Plaintext HTTP redirects to HTTPS at the edge. At rest, our managed Postgres uses AES-256 disk encryption. Resume blobs and PDF reports inherit the same encryption layer.

Sensitive third-party credentials — Greenhouse Harvest keys, OpenAI keys, SMTP passwords, webhook secrets — are additionally encrypted before being written to the database using a per-deployment Fernet (AES-128 + HMAC) key. A leaked database dump alone cannot be used to call any third-party API on your behalf.
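The encrypt-before-write pattern described above, as an added example (not CreamyHire's own code): a per-deployment Fernet key held outside the database, integration secrets stored only as Fernet tokens, and the checks a reviewer would want, that the plaintext never appears in the row, that a dump without the key is useless, and that a tampered token is refused rather than decrypted to garbage. The table and function names are assumptions; it needs the `cryptography` package.

```python
# Added example: per-deployment Fernet key encrypting integration secrets before
# they are written to the database. Table and helper names are assumptions.
import base64
from cryptography.fernet import Fernet, InvalidToken

# The per-deployment key lives outside the database (env var / secrets manager).
# Generated here only so the example runs offline.
DEPLOYMENT_KEY = Fernet.generate_key()

# Constructed stand-in for an `integrations` table: integration id -> row.
_integrations_table = {}


def store_credential(integration_id, plaintext_secret, key=DEPLOYMENT_KEY):
    """Encrypt with the deployment key; only the Fernet token reaches the row."""
    token = Fernet(key).encrypt(plaintext_secret.encode("utf-8"))
    _integrations_table[integration_id] = {"secret_enc": token.decode("ascii")}
    return token


def load_credential(integration_id, key=DEPLOYMENT_KEY):
    """Decrypt at the moment of use. Raises InvalidToken on a wrong key or any tampering."""
    token = _integrations_table[integration_id]["secret_enc"].encode("ascii")
    return Fernet(key).decrypt(token).decode("utf-8")


def plaintext_absent_from_row(integration_id, plaintext_secret):
    """The stored token is AES-CBC ciphertext under an HMAC; the secret bytes never appear in it."""
    raw = base64.urlsafe_b64decode(_integrations_table[integration_id]["secret_enc"])
    return plaintext_secret.encode("utf-8") not in raw


def dump_useless_without_key(integration_id):
    """Someone holding only the database row (even with a Fernet key of their own) cannot decrypt."""
    stolen = _integrations_table[integration_id]["secret_enc"].encode("ascii")
    try:
        Fernet(Fernet.generate_key()).decrypt(stolen)
        return False
    except InvalidToken:
        return True


def tampered_row_rejected(integration_id, key=DEPLOYMENT_KEY):
    """Flipping one ciphertext byte invalidates the HMAC, so decrypt refuses
    instead of returning corrupted plaintext."""
    raw = bytearray(base64.urlsafe_b64decode(_integrations_table[integration_id]["secret_enc"]))
    raw[-33] ^= 0x01  # last ciphertext byte, just before the 32-byte HMAC tag
    tampered = base64.urlsafe_b64encode(bytes(raw))
    try:
        Fernet(key).decrypt(tampered)
        return False
    except InvalidToken:
        return True
```

Because Fernet authenticates before it decrypts, the only outcomes on the read path are the original secret or an `InvalidToken` exception; the application should treat the exception as a key-management incident, not retry it.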

Access control

CreamyHire ships with two roles — recruiter and admin. Every API endpoint enforces both authentication (JWT or API key) and authorisation (the user must own the resource or be an org admin). Long-lived API keys are SHA-256 hashed at rest and tracked with a last_used_at timestamp so dormant keys can be audited and revoked.
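The API-key handling described above, as an added example that is not CreamyHire's code: the plaintext key is returned once, only its SHA-256 digest is stored, verification uses a constant-time comparison, every successful use stamps last_used_at, and a dormant-key query picks out candidates for revocation. The key format, table layout and 90-day idle threshold are assumptions.

```python
# Added example: long-lived API keys stored as SHA-256 digests with a last_used_at
# column; the table layout and key format are assumptions, not CreamyHire's.
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed stand-in for an `api_keys` table: key id (public prefix) -> row.
_api_keys = {}


def utc(year, month, day):
    """Timezone-aware timestamps; the row stores them in UTC."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _digest(key):
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def create_api_key(user_id, now):
    """Return the plaintext key exactly once; only its SHA-256 digest is persisted.
    Format: ch_<key id>_<random>. The id lets lookup avoid scanning every row."""
    key_id = secrets.token_hex(4)
    plaintext = f"ch_{key_id}_{secrets.token_urlsafe(32)}"
    _api_keys[key_id] = {
        "user_id": user_id,
        "key_hash": _digest(plaintext),
        "created_at": now,
        "last_used_at": None,
        "revoked": False,
    }
    return plaintext


def authenticate(presented, now):
    """Map a presented key to a user id, or None. Digests are compared in constant
    time, and each success records last_used_at so dormant keys show up in audits."""
    parts = presented.split("_", 2)
    if len(parts) != 3 or parts[0] != "ch":
        return None
    row = _api_keys.get(parts[1])
    if row is None or row["revoked"]:
        return None
    if not hmac.compare_digest(_digest(presented), row["key_hash"]):
        return None
    row["last_used_at"] = now
    return row["user_id"]


def dormant_keys(now, max_idle=timedelta(days=90)):
    """Key ids not used within max_idle (never-used keys count from creation)."""
    return sorted(
        key_id
        for key_id, row in _api_keys.items()
        if not row["revoked"] and now - (row["last_used_at"] or row["created_at"]) >= max_idle
    )


def revoke(key_id):
    """Revocation keeps the row (and its history) but refuses further use."""
    _api_keys[key_id]["revoked"] = True
```

A plain SHA-256 is adequate here because the key is 256 bits of random data rather than a human-chosen password, so a slow password hash buys nothing; the public key id in the prefix keeps lookup to a single row without revealing the secret part.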

Production access for our team is restricted to a small on-call rotation, gated behind hardware MFA, and audited via cloud-provider access logs.

Tenant isolation

CreamyHire is multi-tenant at the row level. Every query that returns candidate, job, or note data is scoped by user_id and org_id. We do not expose a "search across orgs" surface anywhere in the product. Cross-tenant access from compromised application code would require simultaneous defeat of the auth layer and the row-scoping in every router — a layered defence.

Audit & logging

Every state-changing action — stage transitions, candidate uploads, admin role changes, integration connect/disconnect, score push to ATS — writes a row to an immutable audit_logs table with actor, action, target, and a JSON detail blob. Admins can view this feed in real time at /admin.
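The two mechanisms described in the tenant isolation and audit sections above, row scoping by user_id/org_id and an append-only audit_logs table, as one added example using sqlite3 (not CreamyHire's schema or code). The tenant filter sits inside every WHERE clause so a guessed id from another org returns "not found", and database triggers refuse UPDATE and DELETE on audit_logs regardless of what application code attempts. Table, column and function names are assumptions.

```python
# Added example: row-level tenant scoping plus an append-only audit_logs table,
# illustrated with sqlite3. Schema, column and function names are assumptions.
import json
import sqlite3

SCHEMA = """
CREATE TABLE candidates (
    id INTEGER PRIMARY KEY,
    org_id TEXT NOT NULL,
    user_id TEXT NOT NULL,
    name TEXT NOT NULL
);
CREATE TABLE audit_logs (
    id INTEGER PRIMARY KEY,
    org_id TEXT NOT NULL,
    actor TEXT NOT NULL,
    action TEXT NOT NULL,
    target TEXT NOT NULL,
    detail TEXT NOT NULL
);
-- The database itself refuses to rewrite history, whatever the application code does.
CREATE TRIGGER audit_logs_no_update BEFORE UPDATE ON audit_logs
BEGIN SELECT RAISE(ABORT, 'audit_logs is append-only'); END;
CREATE TRIGGER audit_logs_no_delete BEFORE DELETE ON audit_logs
BEGIN SELECT RAISE(ABORT, 'audit_logs is append-only'); END;
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def _audit(conn, principal, action, target, detail):
    conn.execute(
        "INSERT INTO audit_logs (org_id, actor, action, target, detail) VALUES (?, ?, ?, ?, ?)",
        (principal["org_id"], principal["user_id"], action, target, json.dumps(detail)),
    )


def add_candidate(conn, principal, name):
    """Writes carry the caller's org_id/user_id from the auth layer; the client never supplies them."""
    cur = conn.execute(
        "INSERT INTO candidates (org_id, user_id, name) VALUES (?, ?, ?)",
        (principal["org_id"], principal["user_id"], name),
    )
    _audit(conn, principal, "candidate.upload", f"candidate:{cur.lastrowid}", {"name": name})
    conn.commit()
    return cur.lastrowid


def get_candidate(conn, principal, candidate_id):
    """Tenant filter in the WHERE clause: another org's id yields None, never their row."""
    row = conn.execute(
        "SELECT id, name FROM candidates WHERE id = ? AND org_id = ? AND (user_id = ? OR ? = 'admin')",
        (candidate_id, principal["org_id"], principal["user_id"], principal["role"]),
    ).fetchone()
    return dict(row) if row else None


def list_candidates(conn, principal):
    """Recruiters see their own rows; org admins see the whole org; nobody sees across orgs."""
    rows = conn.execute(
        "SELECT name FROM candidates WHERE org_id = ? AND (user_id = ? OR ? = 'admin') ORDER BY id",
        (principal["org_id"], principal["user_id"], principal["role"]),
    )
    return [r["name"] for r in rows]


def audit_feed(conn, principal):
    """The admin feed: scoped to the admin's own org."""
    if principal["role"] != "admin":
        return []
    rows = conn.execute(
        "SELECT actor, action, target, detail FROM audit_logs WHERE org_id = ? ORDER BY id",
        (principal["org_id"],),
    )
    return [dict(r) | {"detail": json.loads(r["detail"])} for r in rows]


def audit_is_append_only(conn):
    """Both rewrite paths must be refused by the triggers (needs at least one row to exercise)."""
    blocked = 0
    for stmt in ("UPDATE audit_logs SET action = 'x'", "DELETE FROM audit_logs"):
        try:
            conn.execute(stmt)
        except sqlite3.DatabaseError:
            blocked += 1
    return blocked == 2
```

Putting the scope in the query rather than filtering after the fetch means a missing check fails closed (an empty result) and the pattern can be verified mechanically by grepping every router for the org_id predicate; the triggers are the database-side half of the "layered defence" the text describes.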

Application logs are JSON-structured (timestamp, request id, level, user id, message) and shipped to our log aggregator. Errors are captured by Sentry with PII scrubbing applied via a before_send hook — resume text, password hashes, and Authorization headers are stripped before any event leaves our infrastructure.
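The Sentry before_send scrubbing described above, as an added example rather than CreamyHire's hook: it redacts Authorization (and other credential-bearing) headers, resume text and password hashes from the request, extra/context sections and captured stack-frame locals, working on a copy so the SDK's own event object is untouched. The sensitive-key lists are assumptions; the event layout (request.headers, extra, exception.values[].stacktrace.frames[].vars) is the Sentry Python SDK's event dictionary.

```python
# Added example: a Sentry before_send hook that strips resume text, password hashes
# and Authorization headers from an event before it leaves the process. The key
# lists are assumptions; the event layout is the Sentry Python SDK's event dict.
import copy
import json

REDACTED = "[Filtered]"
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}
SENSITIVE_KEYS = {"resume_text", "password_hash", "password", "api_key", "token", "secret"}


def _scrub(value):
    """Return a copy with any sensitive key replaced at every nesting level."""
    if isinstance(value, dict):
        return {
            k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else _scrub(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [_scrub(v) for v in value]
    return value


def before_send(event, hint):
    """Signature expected by sentry_sdk.init(before_send=...). Returns the scrubbed
    event; returning None instead would drop the event entirely."""
    event = copy.deepcopy(event)  # never mutate the SDK's own object
    request = event.get("request") or {}
    if request.get("headers"):
        request["headers"] = {
            k: (REDACTED if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in request["headers"].items()
        }
    if "data" in request:
        request["data"] = _scrub(request["data"])
    for section in ("extra", "contexts", "user"):
        if section in event:
            event[section] = _scrub(event[section])
    # Local variables captured per stack frame are the usual path for a resume string to leak.
    for exc in (event.get("exception") or {}).get("values", []):
        for frame in (exc.get("stacktrace") or {}).get("frames", []):
            if "vars" in frame:
                frame["vars"] = _scrub(frame["vars"])
    return event


def event_mentions(event, needle):
    """Whole-event check: does the serialised payload still contain a given secret string?"""
    return needle in json.dumps(event)
```

Wire it up with `sentry_sdk.init(dsn=..., before_send=before_send)`. A serialise-and-search check like `event_mentions` is worth keeping in the test suite: it catches a secret that reaches the event through a section the key list forgot.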

Infrastructure

CreamyHire runs on managed cloud infrastructure with the following posture:

  • Web tier behind a globally distributed edge CDN (DDoS protection, TLS termination, automatic certificate rotation).
  • Application tier on horizontally scaled containers with rolling deploys and per-tenant rate limits.
  • Background scoring + ATS sync run in dedicated Celery workers with at-most-once semantics (acks_late=True) so a worker crash never silently drops a candidate.
  • Postgres with point-in-time recovery (default 7 days, 30 days for paid tenants on request) and daily logical dumps to a separate region.
  • Redis (Celery broker) is private-networked and password-auth'd; no public ingress.

AI processing

Resumes and job descriptions are sent to OpenAI for parsing, scoring, red-flag detection, and deep analysis. We use the OpenAI REST API with the data-sharing opt-out enabled at the organisation level: your data is not used to train OpenAI models. The text content travels for processing only; CreamyHire never uploads the original PDF/DOCX file to a third party.

AI outputs (scores, summaries, interview kits) are stored in our database, scoped to your account, and surface in your dashboard — not in any shared model.

Incident response

We monitor liveness and readiness probes from multiple regions and page the on-call engineer on consecutive failures. Customer-impacting incidents are posted to status.creamyhire.com within 10 minutes of detection, with public post-mortems for any incident that breaches our SLA.

For data-breach notification we follow GDPR Art. 33/34 (notify the affected supervisory authority within 72 hours and the affected data subjects without undue delay) and the equivalent DPDP provisions.

Vulnerability disclosure

Found a security issue? Email security@creamyhire.com with a clear reproduction. We acknowledge within one business day, triage within three, and credit responsible disclosures in our public hall of fame (with your permission).

Out of scope: rate-limit testing against production, social engineering of our staff, physical attacks, denial-of-service attempts. In scope: any technical vulnerability — SSRF, IDOR, XSS, auth bypass, RCE, key-leak through Sentry / logs / exports.

Compliance roadmap

We are GDPR- and DPDP-aligned today: access, rectification (Settings), erasure (Settings → Privacy → Delete account, 30-day grace), portability (ZIP export of your full account), and a Data Processing Addendum available on request.

SOC 2 Type II is on our 2026 roadmap; ISO 27001 to follow. Customers can reach security@creamyhire.com for our security questionnaire response (CAIQ-Lite format).