Security and Privacy Controls

Companies around the world are using Brainner to find their top applicants, while covering all their privacy and security needs.

GDPR Compliant

All personal data is processed in accordance with the GDPR, with lawful and transparent data handling.

CCPA Compliant

Our platform is fully compliant with the CCPA, protecting consumer rights and privacy through transparent data practices.

EU AI Compliant

Brainner adheres to EU AI regulation, ensuring our AI systems are safe and transparent and respect fundamental rights.

Customizable Data Retention

Set your preferred data retention policy, and delete personal data at any point, to meet your own regulatory obligations.

On-Demand Deletion

Easily delete one or many candidates’ data with a single click, ensuring prompt and secure data management.

Granular Access Controls

Define user roles and permissions to control access to sensitive data and actions, enhancing security and compliance.

Your Security Questions, Answered

Feel free to ask any other questions you have about our security practices.

Where is your data centre located?

All our services and databases run in the AWS us-east-1 region. AWS holds multiple security certifications, including ISO, HITRUST, PCI DSS and SOC 1 and SOC 2, and carries out penetration tests and other vulnerability assessments against its own infrastructure; these certificates are available to download from AWS. Note that AWS's certifications cover the underlying infrastructure only; the controls Brainner applies on top of it are described in the rest of this page.

Customers on an enterprise plan can request their data to be stored in the EU region.

How is data protected?

Web connections to Brainner services use TLS 1.2. We support forward secrecy and AES-GCM cipher suites and reject insecure connections that use TLS 1.0 or earlier, or the RC4 cipher.

At rest, our database and files (resumes) are encrypted with keys managed by AWS Key Management Service (AWS KMS). KMS keys are protected by FIPS 140 validated hardware security modules (HSMs), and KMS integrates with the other AWS services we use.

Access tokens and API keys that users provide to connect third-party systems, such as an ATS, are encrypted via Evervault, a PCI DSS Level 1 compliant vendor, so that Brainner itself cannot read the stored tokens, even in the worst-case scenario.

About logins and passwords

Brainner does not store user passwords. To authenticate a user, we send a one-time, time-limited code to their email address; the code is held encrypted in the user session until it is verified, giving a passwordless login flow. The security of this flow therefore rests on the user's control of their mailbox.
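The flow above, as an added worked example written for this page (it is not Brainner's code): a one-time email code is issued per login session, kept only as a session-bound keyed hash rather than in clear, compared in constant time, expires after a fixed lifetime and is invalidated after a handful of wrong guesses. The code length, lifetime, attempt limit, the in-memory session store and the per-deployment key are all assumptions made for the example.

```python
"""Passwordless email-code login: issue, verify, expire, rate-limit.
Example code for this page, not Brainner's implementation."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

CODE_DIGITS = 6        # assumption: a 6-digit code
CODE_LIFETIME_S = 600  # assumption: valid for 10 minutes
MAX_ATTEMPTS = 5       # assumption: discard the code after 5 wrong guesses

# Assumption: a per-deployment secret; in production this comes from a secret store.
SESSION_KEY = secrets.token_bytes(32)

# In-memory stand-in for the server-side session store. The clear-text code is
# never stored, only a keyed hash bound to the session id, so a leaked session
# record does not yield a usable code.
_sessions: Dict[str, dict] = {}


def _hash_code(session_id: str, code: str) -> bytes:
    # Binding the hash to the session id stops a code issued for one session
    # from being replayed against another.
    msg = f"{session_id}:{code}".encode()
    return hmac.new(SESSION_KEY, msg, hashlib.sha256).digest()


def issue_code(email: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Start a login for `email`. Returns (session_id, code): the code is what
    would be emailed, only the session id goes back to the browser."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _sessions[session_id] = {
        "email": email,
        "code_hash": _hash_code(session_id, code),
        "expires_at": now + CODE_LIFETIME_S,
        "attempts": 0,
    }
    return session_id, code


def verify_code(session_id: str, submitted: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated email on success, otherwise None. The code is
    single-use: the record is removed on success, on expiry and once
    MAX_ATTEMPTS wrong guesses have been made."""
    now = time.time() if now is None else now
    rec = _sessions.get(session_id)
    if rec is None:
        return None
    if now > rec["expires_at"]:
        del _sessions[session_id]
        return None
    rec["attempts"] += 1
    # Constant-time comparison of keyed hashes, not of the digits themselves.
    if hmac.compare_digest(rec["code_hash"], _hash_code(session_id, submitted)):
        del _sessions[session_id]  # one-time use
        return rec["email"]
    if rec["attempts"] >= MAX_ATTEMPTS:
        del _sessions[session_id]  # cap online guessing per code
    return None


if __name__ == "__main__":
    sid, code = issue_code("user@example.com")
    print("emailed code:", code)
    print("wrong guess ->", verify_code(sid, "000000" if code != "000000" else "111111"))
    print("right guess ->", verify_code(sid, code))
    print("replay      ->", verify_code(sid, code))
```

Because the comparison is against a keyed hash, the session store never needs the clear code back, and the attempt counter plus short lifetime keep the guessing space of a 6-digit code out of reach of an online attacker.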

Data Access

Brainner employees do not have standing access to production data. If we need to provide support for a customer, we explicitly ask for authorization, which grants our support staff temporary access to that customer account. All such access is logged and monitored to ensure transparency and security.

Data Backup

We back up the entire system every 6 hours and store the backups in a separate region. Backups are retained for up to 30 days, allowing data recovery after an unforeseen incident. Note that data deleted from the live system may remain in existing backups until those backups expire.

Customer Data Segregation

Data is logically segregated: each customer is assigned a unique ID, and all of that customer's data is stored with this identifier as part of its primary key. When a user authenticates, the token they use to interact with our API carries this identifier in encrypted form, so every request is scoped to the customer's own data.
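The segregation described above, as an added worked example written for this page (not Brainner's code): an API token binds the customer ID to the caller, and every data-layer query keys on the customer ID taken from the verified token, never on an ID supplied in the request. The example signs the token with an HMAC instead of encrypting it, which is enough to show the isolation property; the token format, the signing key, the table layout and the sample rows are all assumptions.

```python
"""Tenant-scoped data access keyed on a customer id bound to the API token.
Example code for this page, not Brainner's implementation."""
import base64
import hashlib
import hmac
import json
import sqlite3
from typing import Optional

TOKEN_KEY = b"example-signing-key-do-not-use"  # assumption: server-side secret


def mint_token(customer_id: str, user: str) -> str:
    """Issue an API token carrying the tenant (customer) id. The page describes
    an encrypted token; signing is used here so the example runs with the
    standard library. Either way the client cannot change customer_id."""
    payload = base64.urlsafe_b64encode(json.dumps({"cid": customer_id, "user": user}).encode())
    sig = hmac.new(TOKEN_KEY, payload, hashlib.sha256).digest()
    return (payload + b"." + base64.urlsafe_b64encode(sig)).decode()


def tenant_from_token(token: str) -> Optional[str]:
    """Return the customer id bound to a valid token, or None if it was tampered with."""
    try:
        payload_b64, sig_b64 = token.encode().split(b".", 1)
        expected = hmac.new(TOKEN_KEY, payload_b64, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig_b64)):
            return None
        return json.loads(base64.urlsafe_b64decode(payload_b64))["cid"]
    except (ValueError, KeyError, TypeError):
        return None


def forge_token(customer_id: str, user: str, stolen_token: str) -> str:
    """What an attacker who holds a token for one customer might try: swap the
    customer id and reuse the original signature. Used below to show rejection."""
    payload = base64.urlsafe_b64encode(json.dumps({"cid": customer_id, "user": user}).encode())
    return (payload + b"." + stolen_token.encode().split(b".", 1)[1]).decode()


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two customers share one table, and the customer
    id is part of the primary key, so candidate ids may repeat across tenants."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE candidates (
               customer_id  TEXT NOT NULL,
               candidate_id TEXT NOT NULL,
               name         TEXT NOT NULL,
               PRIMARY KEY (customer_id, candidate_id))"""
    )
    db.executemany(
        "INSERT INTO candidates VALUES (?, ?, ?)",
        [("cust-a", "c1", "Ada"), ("cust-a", "c2", "Grace"), ("cust-b", "c1", "Linus")],
    )
    return db


def get_candidate(db: sqlite3.Connection, token: str, candidate_id: str) -> Optional[str]:
    """Every read is scoped by the tenant from the verified token; the request
    never gets to name a customer id of its own."""
    cid = tenant_from_token(token)
    if cid is None:
        return None
    row = db.execute(
        "SELECT name FROM candidates WHERE customer_id = ? AND candidate_id = ?",
        (cid, candidate_id),
    ).fetchone()
    return row[0] if row else None


def delete_customer_data(db: sqlite3.Connection, token: str) -> int:
    """On-demand deletion keys on the same tenant id; returns rows removed."""
    cid = tenant_from_token(token)
    if cid is None:
        return 0
    return db.execute("DELETE FROM candidates WHERE customer_id = ?", (cid,)).rowcount


if __name__ == "__main__":
    db = build_db()
    tok_a, tok_b = mint_token("cust-a", "alice"), mint_token("cust-b", "bob")
    print("cust-a c1 ->", get_candidate(db, tok_a, "c1"))
    print("cust-b c1 ->", get_candidate(db, tok_b, "c1"))
    print("forged    ->", get_candidate(db, forge_token("cust-b", "alice", tok_a), "c1"))
```

The point to take from the example is that the tenant id used in the WHERE clause comes only from a token the server itself issued and verified, so a caller cannot widen their scope by editing a request parameter, and the same scoping rule applies to deletion as to reads.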

Security Awareness Program

We have a comprehensive security awareness program consisting of three stages:

1. Onboarding of New Employees: All new employees attend a security training session on protecting company data and devices, best security practices, and company-wide security requirements.

2. Ongoing Training: For technical roles, we run vulnerability tests and scans as part of our continuous integration pipeline and offer training on security best practices. We audit all employees' accounts with external vendors quarterly to confirm that two-factor authentication (2FA) is enabled and to validate service usage. Our customer support team follows strict rules on customer data access and sharing.

3. Post-Incident Response: While we have not experienced a security incident, we have a plan to communicate any incidents company-wide, implement necessary training, and ensure such incidents do not recur.

Patching Process for All Infrastructure

We use AWS Systems Manager Patch Manager to apply regular updates and patches to our servers. Maintenance windows are scheduled outside business hours and cause no downtime. Updates are rolled out one server at a time; if an issue is detected, the change is rolled back and held for manual intervention.

Security Hardening Guidelines for Computing and Network Infrastructure Devices

Production machines are reachable only within our production VPN, with no root or SSH access, and all ports are blocked except those our services require. Server environments are built from Docker images, and the infrastructure itself is defined and controlled with AWS CloudFormation.

Security Incident Response Procedure

In the event of a security incident, we will:

1. Contain the Threat: Stop processes or services as necessary to prevent the incident from spreading.

2. Investigate: Determine the affected systems and potentially compromised data.

3. Repair: Implement changes to prevent recurrence.

4. Report: Notify affected customers with details of the incident and of any potential data breach.

5. Training and Prevention: Train relevant teams and implement tools and processes to prevent future incidents.

Continuous Code Inspection

We run SonarQube in our Continuous Integration pipeline, so every push is inspected for vulnerabilities and code quality issues before it is merged.