Trust Center
Use this page for procurement and security reviews: how we process candidate and customer data, which sub-processors we use, high-level technical and organizational measures, and a downloadable Data Processing Agreement.
Data Processing Agreement (DPA)
You can read the full agreement for procurement and legal review.
Security at a glance
- Inventory and due diligence on sub-processors that process personal data
- Contractual DPAs and standard contractual clauses where applicable
- Enterprise security questionnaires and SOC 2 materials available under NDA on request
Your account team can provide SOC 2 reports, completed questionnaires, and organization-specific terms under NDA where required.
Technical & organizational measures (TOMs)
Summary of controls we apply to protect confidentiality, integrity, and availability of data.
Encryption
Data in transit is protected with TLS. Sensitive data at rest is encrypted using industry-standard algorithms and key management practices appropriate to the environment.
Access control
Role-based access to production systems following the principle of least privilege; administrative actions are logged and reviewed.
Authentication
Strong password policies for customer accounts; multi-factor authentication (MFA) supported for administrator and sensitive operations where the product provides it.
Organization & governance
Security-conscious development practices, dependency and change management, and vendor review for sub-processors that handle personal data.
SOC 2 readiness
Controls and documentation aligned with SOC 2 Type II; the formal attestation may be shared under NDA as your security review progresses.
Sub-processor list
Third parties that may process personal data in connection with the service.
| Sub-processor | Purpose | Categories of data | Region / notes |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, storage, compute, databases, and CDN for the TestnHire platform and candidate data. | All platform data including account, assessment, and candidate content as processed by the service. | Configurable (e.g. primary region aligned with deployment; EU/US options for enterprise). |
| OpenAI (or equivalent LLM provider) | Optional AI-assisted features such as grading explanations, summarization, or content generation where enabled. | Content submitted to those features (e.g. responses, job text) per product configuration; minimized where possible. | Per vendor sub-processors and enterprise terms (e.g. US/EU data processing options). |
| SendGrid / Twilio SendGrid | Transactional email (invites, notifications, password resets, product communications). | Email addresses, message metadata, and content required to deliver email. | Typically United States; DPA available from vendor. |
| Payment processor (e.g. Stripe) | Billing, subscriptions, and payment processing where applicable. | Billing contact and payment-related records; card data handled per PCI-DSS by the processor. | Per processor and merchant configuration. |
| Analytics & monitoring (e.g. privacy-conscious analytics) | Product usage and reliability metrics to improve service quality. | Aggregated or pseudonymous usage data as configured to limit personal data. | Typically global edge; configurable for enterprise deployments. |
| Support & ticketing (e.g. Zendesk, Intercom, or similar) | Customer support, helpdesk, and issue resolution. | Contact details and case content you share with support. | Per vendor region selection. |