Recluto

Security at Recluto

We host candidate CVs, recorded interviews, and recruiter decisions. Earning that trust is a permanent project, not a marketing page. Here's exactly how we approach it.

Encryption

TLS 1.2+ for all traffic in transit. AES-256 at rest for all customer data, with provider-managed keys rotated automatically.

Access controls

Role-based access at the workspace level (owner, admin, recruiter, hiring manager, viewer). Optional 2FA on every recruiter account.

Data isolation

Multi-tenant SaaS with mandatory tenant scoping at every query layer: each query is bound to the requesting workspace by a global query scope, so no customer can see another customer's data.
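To make the tenant-scoping point concrete, here is an added example (not Recluto's code) of the two query shapes side by side: an unscoped lookup that trusts the record id from the request, and a repository that appends the workspace predicate to every read and write so a caller in one workspace cannot read or modify another workspace's row. The schema, the two sample rows and the `TenantScopedRepo` class are all constructed for illustration.

```python
"""Tenant scoping at the query layer, added example (not Recluto's code).

Constructed in-memory SQLite data: two workspaces, one candidate each.
The unscoped lookup shows the shape that leaks across tenants; the
repository below adds the workspace predicate to every read and write,
so a request bound to workspace 100 cannot touch workspace 200's row.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema and rows (not real customer data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE candidates (
            id           INTEGER PRIMARY KEY,
            workspace_id INTEGER NOT NULL,
            name         TEXT    NOT NULL,
            status       TEXT    NOT NULL DEFAULT 'applied'
        );
        INSERT INTO candidates (id, workspace_id, name) VALUES (1, 100, 'Alice');
        INSERT INTO candidates (id, workspace_id, name) VALUES (2, 200, 'Bob');
        """
    )
    return conn


def unscoped_candidate_name(conn, candidate_id):
    """Vulnerable shape: trusts the id from the request and never asks
    which workspace is calling, so any authenticated user can enumerate ids."""
    row = conn.execute(
        "SELECT name FROM candidates WHERE id = ?", (candidate_id,)
    ).fetchone()
    return row[0] if row else None


class TenantScopedRepo:
    """Hypothetical repository: the workspace id is fixed at construction and
    every statement is routed through _scoped(), which adds the tenant
    predicate. No method exists that runs a statement without it."""

    def __init__(self, conn, workspace_id):
        if workspace_id is None:
            raise ValueError("workspace_id is required for every query")
        self._conn = conn
        self._ws = workspace_id

    def _scoped(self, sql, where, params=()):
        # Business predicate comes from the caller, tenant predicate from the repo.
        stmt = f"{sql} WHERE workspace_id = ? AND ({where})"
        return self._conn.execute(stmt, (self._ws, *params))

    def candidate_name(self, candidate_id):
        row = self._scoped(
            "SELECT name FROM candidates", "id = ?", (candidate_id,)
        ).fetchone()
        return row[0] if row else None

    def list_candidate_names(self):
        rows = self._scoped("SELECT name FROM candidates", "1 = 1").fetchall()
        return [r[0] for r in rows]

    def reject_candidate(self, candidate_id):
        """Writes are scoped too: a cross-tenant id updates zero rows."""
        cur = self._scoped(
            "UPDATE candidates SET status = 'rejected'", "id = ?", (candidate_id,)
        )
        self._conn.commit()
        return cur.rowcount


def isolation_check():
    """Run both shapes against the constructed data and return the outcome."""
    conn = build_db()
    leaked = unscoped_candidate_name(conn, 2)  # any caller can read id 2
    repo = TenantScopedRepo(conn, workspace_id=100)
    return {
        "unscoped_sees_other_tenant": leaked,                    # 'Bob'
        "scoped_own_row": repo.candidate_name(1),                # 'Alice'
        "scoped_other_row": repo.candidate_name(2),              # None
        "scoped_listing": repo.list_candidate_names(),           # ['Alice']
        "scoped_cross_tenant_reject": repo.reject_candidate(2),  # 0 rows
        "scoped_own_reject": repo.reject_candidate(1),           # 1 row
    }


if __name__ == "__main__":
    print(isolation_check())
```

The design choice worth copying is that the tenant predicate is added by the one code path all statements share, not by each caller remembering to include it; the caveat is that anything which bypasses that path (raw SQL in a migration or background job, a report query against a replica) is outside the scope's protection, which is why database-level row-level security is the usual second layer.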

Infrastructure

Hosted on AWS (us-east, ap-south, eu-west). Managed Postgres with point-in-time recovery and daily encrypted off-site backups.

Least-privilege engineering

Production database access is gated behind audited break-glass workflows. No engineer holds standing production credentials for routine ticket work.

Audit logging

Every state-changing action — application advance, candidate reject, settings change — is journaled to an immutable activity log per workspace.
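One way an activity log earns the word "immutable" is a per-workspace hash chain: each entry commits to the hash of the entry before it, so editing, reordering or dropping any earlier entry breaks every link after it and verification reports the first bad position. The block below is an added example, not Recluto's implementation; the `ActivityJournal` class, the action names and the sample entries are constructed for illustration.

```python
"""Tamper-evident per-workspace activity journal, added example (not
Recluto's code). Each entry carries the SHA-256 of the previous entry;
verify() walks the chain and returns the index of the first entry that
no longer fits. The workspace id, actors and entries are constructed.
"""
import hashlib
import json


class ActivityJournal:
    GENESIS = "0" * 64  # hypothetical anchor for an empty chain

    def __init__(self):
        self._chains = {}  # workspace_id -> list of entries (in-memory store)

    @staticmethod
    def _digest(entry):
        # Canonical JSON of every field except the hash itself.
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def append(self, workspace_id, actor, action, target, at, details=None):
        """The only write operation: no update or delete exists on this API."""
        chain = self._chains.setdefault(workspace_id, [])
        entry = {
            "seq": len(chain),
            "prev": chain[-1]["hash"] if chain else self.GENESIS,
            "at": at,
            "actor": actor,
            "action": action,
            "target": target,
            "details": details or {},
        }
        entry["hash"] = self._digest(entry)
        chain.append(entry)
        return entry["hash"]

    def head(self, workspace_id):
        """Current chain head; anchoring this outside the store is what
        turns tamper-evident into tamper-resistant."""
        chain = self._chains.get(workspace_id, [])
        return chain[-1]["hash"] if chain else self.GENESIS

    def verify(self, workspace_id):
        """Return (True, None) or (False, index of the first inconsistent entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self._chains.get(workspace_id, [])):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def entries(self, workspace_id):
        # Raw access to the backing list, used below only to simulate tampering.
        return self._chains.setdefault(workspace_id, [])


def build_sample_journal():
    """Constructed entries mirroring the action types named on the page."""
    j = ActivityJournal()
    ws = "ws_demo"
    j.append(ws, "recruiter@example.com", "application.advance", "app_1",
             "2024-01-01T10:00:00Z", {"stage": "phone_screen"})
    j.append(ws, "hm@example.com", "candidate.reject", "cand_7",
             "2024-01-01T11:00:00Z")
    j.append(ws, "admin@example.com", "settings.change", "workspace",
             "2024-01-01T12:00:00Z", {"field": "retention_days"})
    return j, ws


def tamper_checks():
    """Intact chain verifies; an edited or deleted entry is located."""
    j, ws = build_sample_journal()
    intact = j.verify(ws)                     # (True, None)

    j.entries(ws)[1]["action"] = "candidate.advance"  # edit behind the API
    edited = j.verify(ws)                     # (False, 1): digest mismatch

    j, ws = build_sample_journal()
    del j.entries(ws)[1]                      # drop the reject entry
    deleted = j.verify(ws)                    # (False, 1): seq/prev mismatch
    return {"intact": intact, "edited": edited, "deleted": deleted}


if __name__ == "__main__":
    print(tamper_checks())
```

A hash chain is tamper-evident, not tamper-proof: whoever can rewrite the backing store can recompute every hash after the edit. The guarantee comes from anchoring the head hash somewhere the writer cannot reach, for example a periodic export to the customer or to write-once storage, against which `verify()` is then checked.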

Regional residency

EU and India data-residency on request for paying customers. Single-region deployment available on the Pro tier.

Vendor diligence

All sub-processors (LLM provider, voice provider, calendar provider, email sender) are listed publicly and reviewed annually.

Compliance roadmap

Recluto is in active SOC 2 Type II preparation with an external auditor. Our target completion window is Q1 2027. Customers on the Growth tier and above can request our current security questionnaire (covering NIST CSF, ISO 27001 control alignment, and sub-processor list) under NDA.

For GDPR-bound customers we offer a Data Processing Agreement as a click-through addendum to our standard Terms of Service.

What we don't do

  • We don't sell candidate data. Ever. There is no advertising network, no data-monetization product line, no third-party data resale.
  • We don't train foundation models on a customer's candidate data without explicit, per-workspace opt-in. By default every workspace is excluded.
  • We don't store payment card numbers. Card data is handled by PCI DSS Level 1 payment gateways (Stripe / Paddle / Razorpay); Recluto only ever sees the tokenized reference.

Reporting a vulnerability

We run a private vulnerability-disclosure program. If you've found a security issue, please email security@recluto.ai with:

  • A description of the issue and the impact you observed
  • Reproduction steps with the smallest payload that demonstrates the bug
  • Your name and a payment address if you want a bounty (we offer USD 250 to USD 5,000 depending on severity)

We acknowledge within 24 hours and ship a fix or interim mitigation within 7 days for high-severity issues. Please give us at least 14 days before public disclosure.

Need our security questionnaire?

Email security@recluto.ai from a corporate domain and we'll send the latest version under mutual NDA. Most reviews close in under three business days.

Interested in our broader trust posture? See the privacy policy, terms, DPA, and AI disclosure.