Data Security

How we protect your data and your candidates' information

Our Commitment to Security

At Graphite AI, we understand that your candidates' information is your livelihood. Security isn't an afterthought—it's foundational to everything we build. We implement enterprise-grade security measures to ensure your data remains protected at every stage.

Infrastructure Security

SOC 2 Type II Compliant

Our infrastructure is hosted on SOC 2 Type II certified platforms, ensuring continuous monitoring and verification of security controls covering availability, security, processing integrity, confidentiality, and privacy.

End-to-End Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. API credentials and sensitive configuration data are encrypted with additional layers of protection using envelope encryption.

Isolated Environments

Every client receives a dedicated, isolated environment. Your data is never commingled with that of other agencies. Each deployment has its own database, encryption keys, and access controls.

Access Controls

  • Role-based access control (RBAC) for all systems
  • Multi-factor authentication (MFA) required for all administrative access
  • Principle of least privilege enforced across all operations
  • Regular access reviews and automatic deprovisioning
  • Detailed audit logs of all data access and modifications
  • Session management with automatic timeout and invalidation

Data Protection

  • Automated daily backups with point-in-time recovery
  • Geographically distributed backup storage
  • Regular backup restoration testing
  • Data retention policies aligned with your requirements
  • Secure data deletion procedures upon contract termination
  • No data sharing or selling to third parties—ever

Compliance

GDPR Compliant

Full compliance with the General Data Protection Regulation. We provide Data Processing Agreements (DPAs) upon request and support all data subject rights.

CCPA Ready

Compliant with the California Consumer Privacy Act. We support consumer rights including access, deletion, and opt-out requests.

ATS Integration Security

When integrating with your ATS (Bullhorn, JobAdder, Lever, Greenhouse, etc.), we follow strict security protocols:

  • OAuth 2.0 authentication where supported
  • API credentials stored in encrypted vaults
  • Minimal permission scopes requested
  • Real-time sync without data duplication where possible
  • Automatic credential rotation policies
  • Immediate revocation capabilities

Incident Response

We maintain a comprehensive incident response plan that includes:

  • 24/7 security monitoring and alerting
  • Defined escalation procedures and response team
  • Client notification within 72 hours of any confirmed breach
  • Post-incident analysis and remediation
  • Regular incident response drills and plan updates

Employee Security

  • Background checks for all employees with data access
  • Mandatory security awareness training
  • Confidentiality agreements and NDAs
  • Secure development practices and code review
  • Regular security training updates

Vendor Management

All third-party vendors and subprocessors undergo security assessment before engagement. We maintain a list of subprocessors and will notify you of any changes. Our primary infrastructure providers include AWS and Google Cloud, both of which maintain SOC 2, ISO 27001, and other relevant certifications.

Security Assessments

We conduct regular security assessments including:

  • Annual third-party penetration testing
  • Continuous automated vulnerability scanning
  • Regular code security audits
  • Dependency vulnerability monitoring

Questions?

If you have questions about our security practices or would like to request our SOC 2 report, DPA, or other security documentation, please contact us:

Email: caleb@graphitelabs.ai