Security and Privacy Controls
Companies around the world are using Brainner to find their top applicants, while covering all their privacy and security needs.
GDPR Compliant
We ensure all personal data is processed in accordance with GDPR regulations, guaranteeing lawful and transparent data handling.
CCPA Compliant
Our platform is fully compliant with CCPA, protecting consumer rights and privacy with transparent data practices.
EU AI Compliant
Brainner adheres to EU AI regulations, ensuring our AI systems are safe, transparent, and respect fundamental rights.
Customizable Data Retention
Set your preferred data retention policies and delete personal data at any point to comply with various regulations.
On-Demand Deletion
Easily delete one or many candidates’ data with a single click, ensuring prompt and secure data management.
Granular Access Controls
Define user roles and permissions to control access to sensitive data and actions, enhancing security and compliance.
Your Security Questions, Answered
Feel free to ask any other questions you have about our security practices.
All our services and databases are in the us-east-1 region in AWS. AWS has been certified with multiple security certifications like ISO, HiTrust, PCI, SOC (1 and 2) and carries out penetration tests and other vulnerability assessments against their infrastructure. Certificates are available to download here.
Customers on an enterprise plan can request their data to be stored in the EU region.
Data is encrypted both at rest and in transit. Web connections to Brainner services are secured using TLS 1.2 with forward secrecy and AES-GCM cipher suites; insecure protocol versions and ciphers such as TLS 1.0 and RC4 are disabled.
Our database, backups, and files (such as resumes) are encrypted at rest. Files are also anonymized following HIPAA best practices.
Access tokens and API keys for third-party integrations are managed with AWS Key Management Service (KMS). KMS keys are backed by hardware security modules (HSMs) certified under multiple security standards, which gives us strong encryption with native AWS integration.
Brainner doesn’t store any user-generated passwords. To authenticate users, we send a one-time unique and time-limited code to their email address for validation. The temporary code is stored in the user session and encrypted, ensuring a secure and passwordless authentication process.
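The passwordless flow described above, written out as an added illustration (this is not Brainner's code). It assumes a 6-digit code, a 10-minute lifetime and a 5-attempt limit, none of which the page states; and where the page says the code is stored encrypted in the session, this example stores a salted hash instead, which is an equally valid way to avoid keeping the plaintext code server-side. The session is modelled as a plain dict, and the caller passes in the current time so the expiry logic can be tested deterministically.

```python
import hashlib
import hmac
import secrets

# Assumed policy values; the original page only says "one-time" and "time-limited".
CODE_DIGITS = 6
CODE_TTL_SECONDS = 600
MAX_ATTEMPTS = 5


def issue_code(session: dict, email: str, now: float) -> str:
    """Create a one-time login code for `email`.

    Only a salted SHA-256 digest of the code is kept in the session; the
    plaintext is returned so the caller can e-mail it to the user.
    """
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    salt = secrets.token_bytes(16)
    session["otp"] = {
        "email": email,
        "salt": salt,
        "digest": hashlib.sha256(salt + code.encode()).digest(),
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(session: dict, email: str, submitted: str, now: float) -> bool:
    """Check a submitted code: bound to one e-mail, expiring, rate-limited, single-use."""
    entry = session.get("otp")
    if entry is None:
        return False
    if now > entry["expires_at"] or entry["attempts"] >= MAX_ATTEMPTS:
        # Expired or brute-force budget exhausted: discard and force re-issue.
        session.pop("otp", None)
        return False
    entry["attempts"] += 1
    actual = hashlib.sha256(entry["salt"] + submitted.encode()).digest()
    # Constant-time comparison so timing does not leak how many digits matched.
    if entry["email"] == email and hmac.compare_digest(entry["digest"], actual):
        session.pop("otp", None)  # single use: the code cannot be replayed
        return True
    return False


def wrong_code(code: str) -> str:
    """Helper for demonstrations: a code guaranteed to differ from `code`."""
    return f"{(int(code) + 1) % (10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


if __name__ == "__main__":
    session = {}
    code = issue_code(session, "user@example.com", now=1000.0)
    print("correct code accepted:", verify_code(session, "user@example.com", code, now=1100.0))
    print("replay rejected:", verify_code(session, "user@example.com", code, now=1101.0))
```

The three properties worth checking in any such implementation are visible here: the server never holds the plaintext code after issuing it, a code is consumed on first success so it cannot be replayed, and a fixed attempt budget plus expiry bounds an online guessing attack against a 6-digit space.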
Brainner employees don’t have access to production data. If we need to provide support for a customer, we explicitly ask for authorization, granting our support staff temporary access to the customer account. All access is monitored and logged to ensure transparency and security.
We perform a backup of the entire system every 6 hours and store it in a separate region. Backup records are kept for up to 30 days, ensuring data recovery in case of any unforeseen incidents.
Data is logically segregated: each customer is assigned a unique ID, and all data is stored keyed by that identifier. When a user authenticates, the token used to interact with our API embeds this identifier in encrypted form, so every request is confined to that customer's data.
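An added example (not Brainner's code) of the tenant-isolation pattern described above: the customer ID is carried in the authentication token and every database query is scoped by it, so a caller can never reach another customer's rows by guessing a record ID. The page says the token is encrypted; this example uses an HMAC-signed token instead, which is enough to show the isolation property since the server trusts only what it signed. The in-memory SQLite schema, the secret and the two sample customers are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import sqlite3

# Constructed demo secret; a real service would load this from a key manager.
TOKEN_SECRET = b"demo-only-signing-secret"


def mint_token(customer_id: str, user_id: str, now: float, ttl: float = 3600.0) -> str:
    """Issue a token whose claims (tenant, user, expiry) are bound by an HMAC."""
    payload = json.dumps(
        {"cid": customer_id, "uid": user_id, "exp": now + ttl}, separators=(",", ":")
    ).encode()
    sig = hmac.new(TOKEN_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def parse_token(token: str, now: float):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:  # malformed split or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(TOKEN_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    if now > claims["exp"]:
        return None
    return claims


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: one candidate for each of two customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE candidates (id INTEGER PRIMARY KEY, customer_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO candidates (id, customer_id, name) VALUES (?, ?, ?)",
        [(1, "cust-A", "Alice"), (2, "cust-B", "Bob")],
    )
    return conn


def get_candidate(conn: sqlite3.Connection, token: str, candidate_id: int, now: float):
    """Fetch a candidate row, always filtered by the tenant from the verified token.

    The customer ID comes from the token, never from the request, so the WHERE
    clause cannot be widened by the caller.
    """
    claims = parse_token(token, now)
    if claims is None:
        raise PermissionError("invalid or expired token")
    return conn.execute(
        "SELECT id, name FROM candidates WHERE id = ? AND customer_id = ?",
        (candidate_id, claims["cid"]),
    ).fetchone()


def run_demo() -> dict:
    """Exercise the isolation property and return the observations for checking."""
    conn = setup_db()
    now = 1000.0
    token_a = mint_token("cust-A", "user-1", now)
    results = {
        "own_row": get_candidate(conn, token_a, 1, now + 10),
        "other_tenant_row": get_candidate(conn, token_a, 2, now + 10),
    }
    # A token with its claims edited but the old signature kept must be rejected.
    forged_payload = base64.urlsafe_b64encode(
        json.dumps({"cid": "cust-B", "uid": "user-1", "exp": now + 3600}, separators=(",", ":")).encode()
    ).decode()
    forged = forged_payload + "." + token_a.split(".")[1]
    results["forged_rejected"] = parse_token(forged, now + 10) is None
    results["expired_rejected"] = parse_token(token_a, now + 4000) is None
    return results


if __name__ == "__main__":
    print(run_demo())
```

The design point is that the tenant filter is applied from server-verified claims on every query, rather than relying on the client to send the right customer ID or on callers remembering to add the filter in each handler.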
We have a comprehensive security awareness program consisting of three stages:
1. Onboarding of New Employees: All new employees attend a security training session on protecting company data and devices, best security practices, and company-wide security requirements.
2. Ongoing Training: For technical roles, we run vulnerability tests and scans as part of our continuous integration pipeline and offer training on security best practices. We audit all employees’ accounts with external vendors quarterly to confirm two-factor authentication (2FA) is enabled and to validate service usage. Our customer support team follows strict rules on customer data access and sharing.
3. Post-Incident Response: While we have not experienced a security incident, we have a plan to communicate any incidents company-wide, implement necessary training, and ensure such incidents do not recur.
We use AWS Systems Manager Patch Manager to perform regular updates and patches on our servers. Maintenance windows are scheduled outside business hours with no downtime. Updates are rolled out one server at a time, and if issues are detected, changes are rolled back for manual intervention.
Production machines are secured within our production VPN, with no root or SSH access, and all ports blocked except those necessary for our services. We use Docker images to manage server environments and AWS CloudFormation to control our infrastructure.
In the event of a security incident, we will:
1. Contain the Threat: Stop any processes or services needed to prevent the incident from spreading.
2. Investigate: Determine the affected systems and potentially compromised data.
3. Repair: Implement changes to prevent recurrence.
4. Report: Notify affected customers with details about the incident and potential data breaches.
5. Training and Prevention: Train relevant teams and implement tools and processes to prevent future incidents.
We use SonarQube as part of our Continuous Integration pipeline to inspect and detect vulnerabilities in our applications every time new code is pushed, ensuring ongoing code quality and security.