SECURITY OVERVIEW

Security and Compliance Overview

At Assessely, we understand that security and data protection are paramount when managing sensitive candidate and company information. This document outlines our comprehensive security measures, infrastructure, and compliance standards.

Hosting and Infrastructure

Data Centre Locations

Application hosting: Railway cloud infrastructure with strict data controls
MongoDB Atlas: Managed database hosting with regional deployment

Backup and Recovery

Daily automated backups with point-in-time recovery available through MongoDB Atlas
Secure backup storage with encryption at rest

Encryption and Protection

AES-256 encryption for data at rest
TLS 1.2+ encryption for all data in transit
DDoS protection enabled across all infrastructure
99.9% uptime target on Railway infrastructure

Compliance Certifications

The certifications below are held by the third-party providers Assessely builds on, not by Assessely itself:
Railway: SOC 2 Type II and SOC 3 certified
Stripe: PCI DSS Level 1 certified
AWS S3: ISO 27001 and SOC 2 certified
MongoDB Atlas: SOC 2 and ISO 27001 certified

Database Security

Database Infrastructure

MongoDB Atlas for primary data storage with automatic encryption
AWS S3 for secure file storage (images, contracts, onboarding documents, background checks)
Server-side encryption using AES-256 with cloud provider-managed keys

Access Control

TLS-encrypted connections for all database communications
Daily automated backups with secure storage

Application Security

Authentication and Authorisation

Multi-factor authentication (MFA) available for all users, supporting authenticator apps (TOTP), email OTP, and backup codes
Passwords hashed with bcrypt (salted, with an adaptive work factor)
Password requirements: at least 10 characters, including uppercase, lowercase, numbers, and special characters
24-hour access token expiry with a 7-day refresh token lifetime
Account lockout after 5 failed login attempts, with automatic unlock

API Security

JWT authentication with role-based access control (RBAC) on all API endpoints
Stateless JWT authentication: no server-side session store, so session-fixation and server-side session-hijacking attacks do not apply; because a stateless token stays valid until it expires, access tokens are limited to a 24-hour lifetime
HTTPS enforced across all endpoints
Rate limiting on all authentication endpoints, including login, password reset, MFA verification, registration, and credential changes
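
The two controls above (lockout after 5 failures with automatic unlock, and rate limiting on authentication endpoints) can share one sliding-window counter. The following is an added illustration, not Assessely's code: the 15-minute failure window, the 15-minute lock duration, the 10-requests-per-minute limit, and the injected clock are assumptions; the page states only the 5-attempt threshold and that unlocking is automatic.

```javascript
// Added example (not Assessely's code). Thresholds and windows are assumed.
// A clock function is injected so lock expiry and window roll-over can be
// exercised deterministically without waiting.

class SlidingWindowCounter {
  constructor(windowMs, now = () => Date.now()) {
    this.windowMs = windowMs;
    this.now = now;
    this.events = new Map(); // key -> timestamps of events inside the window
  }
  // Record one event for `key` and return how many fall inside the window.
  hit(key) {
    const t = this.now();
    const kept = (this.events.get(key) || []).filter((ts) => t - ts < this.windowMs);
    kept.push(t);
    this.events.set(key, kept);
    return kept.length;
  }
  reset(key) { this.events.delete(key); }
}

// Per-client rate limit: at most `limit` requests per key (e.g. client IP) per window.
class RateLimiter {
  constructor({ limit, windowMs, now }) {
    this.limit = limit;
    this.counter = new SlidingWindowCounter(windowMs, now);
  }
  allow(key) { return this.counter.hit(key) <= this.limit; }
}

// Per-account lockout: `maxFailures` failures inside the failure window lock the
// account for `lockMs`; the lock expires on its own (automatic unlock) and a
// successful login clears the failure history.
class AccountLockout {
  constructor({ maxFailures = 5, failureWindowMs = 15 * 60_000, lockMs = 15 * 60_000, now = () => Date.now() } = {}) {
    this.maxFailures = maxFailures;
    this.lockMs = lockMs;
    this.now = now;
    this.failures = new SlidingWindowCounter(failureWindowMs, now);
    this.lockedUntil = new Map();
  }
  isLocked(account) {
    const until = this.lockedUntil.get(account);
    if (until === undefined) return false;
    if (this.now() >= until) { this.lockedUntil.delete(account); return false; } // automatic unlock
    return true;
  }
  recordFailure(account) {
    if (this.failures.hit(account) >= this.maxFailures) {
      this.lockedUntil.set(account, this.now() + this.lockMs);
      this.failures.reset(account);
    }
  }
  recordSuccess(account) {
    this.failures.reset(account);
    this.lockedUntil.delete(account);
  }
}

// Login handler that runs both checks before the credential check.
// `checkCredentials` stands in for the real bcrypt comparison.
function login({ ip, email, password }, { limiter, lockout, checkCredentials }) {
  if (!limiter.allow(ip)) return { ok: false, status: 429, reason: 'rate_limited' };
  if (lockout.isLocked(email)) return { ok: false, status: 423, reason: 'locked' };
  if (!checkCredentials(email, password)) {
    lockout.recordFailure(email);
    return { ok: false, status: 401, reason: 'bad_credentials' };
  }
  lockout.recordSuccess(email);
  return { ok: true, status: 200 };
}
```

The distinct `locked` and `bad_credentials` reasons are for server-side logging; the response sent to the client should be the same generic failure in both cases, otherwise the lockout becomes an account-enumeration oracle. In a multi-instance deployment the counters belong in a shared store (Redis or the database) rather than in process memory.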

Role-Based Access Control

Granular permission system with configurable roles controlling access to candidates, job roles, teams, assessments, billing, and settings
Resource-level visibility controls: Private, team-wide, or shared with specific users

Security Measures

Input Validation and Protection

NoSQL injection protection via the Mongoose ODM (schema-typed query casting) and input sanitisation
XSS protection through a sanitisation library applied to user input by default
File upload validation with format-specific restrictions enforced per upload type
Comprehensive input sanitisation
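
The NoSQL injection item above is best understood with the attack beside the defence. The following added example is not Assessely's code: the in-memory user list and the tiny `$gt`-aware matcher stand in for MongoDB so the block runs offline, and credential matching by stored hash is a simplification of the real bcrypt comparison. The sanitiser shown strips operator keys the same way libraries such as `express-mongo-sanitize` do.

```javascript
// Added example (not Assessely's code). Sample records are constructed.
const users = [
  { email: 'alice@example.com', passwordHash: 'h1', role: 'admin' },
  { email: 'bob@example.com', passwordHash: 'h2', role: 'recruiter' },
];

// Stand-in for MongoDB's query matcher: a plain value must equal the field;
// an object carrying $gt is treated as an operator. This is the behaviour an
// injected payload such as {"$gt": ""} exploits, because every non-empty
// string compares greater than "".
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object' && '$gt' in cond) {
      return doc[field] > cond.$gt;
    }
    return doc[field] === cond;
  });
}

function findOne(filter) {
  return users.find((u) => matches(u, filter)) || null;
}

// VULNERABLE: request body fields go straight into the query filter.
// Body {"email": {"$gt": ""}, "passwordHash": {"$gt": ""}} logs in as the first user.
function loginVulnerable(body) {
  return findOne({ email: body.email, passwordHash: body.passwordHash });
}

// Sanitiser: recursively drop any key that starts with '$' or contains '.',
// so operators cannot be smuggled in through nested objects or arrays.
function sanitize(value) {
  if (Array.isArray(value)) return value.map(sanitize);
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith('$') || k.includes('.')) continue;
      clean[k] = sanitize(v);
    }
    return clean;
  }
  return value;
}

// HARDENED: sanitise, then insist that credential fields are plain strings.
// After sanitising, {"$gt": ""} becomes {} and fails the type check.
function loginHardened(body) {
  const clean = sanitize(body);
  if (typeof clean.email !== 'string' || typeof clean.passwordHash !== 'string') {
    return null;
  }
  return findOne({ email: clean.email, passwordHash: clean.passwordHash });
}
```

Mongoose schema casting already rejects an object where a `String` field is expected, which is why the page lists the ODM as one layer; the explicit sanitiser and type check matter for hand-built queries and for fields typed as `Mixed`, where casting does not apply.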

Security Headers

Content Security Policy (CSP) enabled with strict directives: self-only default source, no inline scripts, no iframes
X-Frame-Options configured to prevent clickjacking
HTTP Strict Transport Security (HSTS) enabled
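
The header set described above, written out so it can be reviewed, together with a small auditor that parses a CSP string and flags the weakenings a reviewer looks for. This is an added example and not Assessely's configuration: the exact directive list (for instance `object-src`, `base-uri`, `form-action`) and the one-year HSTS max-age are assumptions that match the page's description of a self-only default source, no inline scripts, and no iframes.

```javascript
// Added example (not Assessely's config). Directive list is assumed.

// Headers an Express/Node app could set on every response.
function securityHeaders() {
  return {
    'Content-Security-Policy': [
      "default-src 'self'",       // self-only default source
      "script-src 'self'",        // no inline scripts: no 'unsafe-inline'
      "object-src 'none'",        // no plugins
      "frame-src 'none'",         // this page embeds no iframes
      "frame-ancestors 'none'",   // this page cannot be framed (modern clickjacking defence)
      "base-uri 'self'",
      "form-action 'self'",
    ].join('; '),
    'X-Frame-Options': 'DENY',    // legacy clickjacking defence for older browsers
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  };
}

// Parse "name src src; name src ..." into a Map of directive -> source list.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Return a list of findings; an empty list means the policy meets the checks.
function auditCsp(value) {
  const d = parseCsp(value);
  const findings = [];
  const def = d.get('default-src');
  if (!def) findings.push('missing default-src');
  else if (def.includes('*')) findings.push("default-src allows '*'");
  const script = d.get('script-src') || def || [];   // script-src falls back to default-src
  if (script.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  if (script.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  if (script.some((s) => s === '*' || /^https?:$/.test(s))) findings.push('script-src allows any host');
  if (!d.has('frame-ancestors')) findings.push('missing frame-ancestors (relying on X-Frame-Options alone)');
  if (!d.has('object-src')) findings.push("missing object-src 'none'");
  return findings;
}
```

`X-Frame-Options` and `frame-ancestors` overlap; modern browsers honour `frame-ancestors` and ignore `X-Frame-Options` when both are present, so setting both is the usual way to cover old and new clients. Libraries such as `helmet` set a comparable baseline, but the values still need to be checked against what the application actually loads.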

File Storage and Management

Encrypted at rest by default with AES-256 server-side encryption on AWS S3
Automated backup and versioning enabled
Strict access control: direct storage access limited to engineers
Temporary signed URLs for document access, expiring after 5 minutes; no permanent public document links
Files retained until purged by an authorised user

Logging and Monitoring

Comprehensive error and debug logging
Structured logging with file rotation and size-based management
Security event logging including authentication failures, injection attempt detection, and audit trail entries
Restricted log access (senior engineer only)
Integrated Railway monitoring for uptime and performance

Payment Security

Zero Payment Data Storage: Assessely does not store any payment card data. All payment processing is handled securely by Stripe.

Stripe webhooks secured with signature verification
Only Stripe customer ID stored for subscription management
Card data never touches Assessely systems, which minimises Assessely's PCI DSS scope by relying on Stripe, a PCI DSS Level 1 service provider

Data Handling and Privacy

Data Collected

Candidate data: Name, email, phone number (if provided)
Client/company information as required for platform functionality
Assessment results and performance data

Data Retention and Deletion

Data lifecycle managed by authorised company users through archive and permanent deletion controls
Both archive (soft delete) and permanent deletion available
Clients maintain full control over data lifecycle

Internal Access Management

Production and database access strictly limited to the senior engineer
Separate environments: Development, staging, and production
Zero production data used in development or staging
Formal offboarding process for immediate access revocation

Third-Party Service Providers

Service         Purpose              Certification
Railway         Platform hosting     SOC 2 Type II, SOC 3
Stripe          Payment processing   PCI DSS Level 1
AWS S3          File storage         ISO 27001, SOC 2
MongoDB Atlas   Database             SOC 2, ISO 27001

Secure, compliant, and transparent

We are committed to transparency and protecting your data with industry-standard security. Contact us to learn more.