Data & Security

Executive Summary

Pier is committed to enterprise-grade data security and privacy protection. While we are an early-stage product currently in pilot phase, we adhere to American enterprise compliance standards with SOC 2-aligned controls and maintain flexibility to meet client-specific security requirements.

This document provides a high-level overview of our current data governance practices and our commitment to evolving alongside our clients’ security needs.

Data Security & Protection

Encryption

Data in Transit:

All data transmitted to and from Pier is encrypted using industry-standard HTTPS/TLS protocols
Real-time voice communications utilize encrypted WebRTC connections
All API endpoints enforce encrypted connections

Data at Rest:

All stored data is encrypted at rest using enterprise-grade encryption
We utilize well-known, certified infrastructure providers that maintain their own security certifications
Database encryption is managed through certified cloud database providers
Voice recordings and candidate artifacts are stored in encrypted object storage

Infrastructure Security

Cloud Infrastructure: Hosted on enterprise-certified cloud providers with 99.9%+ uptime SLAs
Database: Managed PostgreSQL with automated backups, point-in-time recovery, and encryption at rest
Application Hosting: Serverless architecture with automatic scaling and built-in DDoS protection
Voice Storage: Enterprise object storage with encryption, versioning, and lifecycle management

Access Control & Authentication

Authentication

Secure authentication using industry-standard OAuth 2.0 protocols
Database-backed session management with secure session tokens
Multi-factor authentication support available upon request

Authorization & Access Control

Role-based access control (RBAC) architecture
Granular permissions for different user types (administrators, hiring managers, interviewers, candidates)
Access controls customizable to meet client-specific requirements
Session-based authorization enforced at both UI and API layers

Secrets Management

Production secrets managed via secure cloud environment variable systems
No credentials stored in code or version control
Automated secret rotation capabilities

Audit & Compliance

Audit Logging

Application-level audit logging of key user actions and system events
Logging capabilities expandable to meet client-specific requirements
We work collaboratively with clients to implement additional logging for compliance needs

Compliance Posture

SOC 2 Alignment: Following SOC 2-aligned security controls and best practices
GDPR Considerations: While not EU-based, we implement GDPR-inspired data protection principles
Data Processing Agreement: Standard DPA available for all pilot and production clients
Privacy by Design: Security and privacy considerations integrated into product development

Data Governance Framework

Data Retention:

Configurable retention periods based on client requirements
Automated data lifecycle management capabilities
Secure deletion protocols for data removal requests

Data Deletion:

Secure data deletion processes following industry best practices
Support for right-to-erasure requests
Complete removal from active systems and backups within defined timeframes

Data Access Requests:

Processes in place to support data subject access requests
Ability to export candidate and interview data in standard formats
Transparent data handling practices

API Security

Input Validation

All API inputs validated using strict schema validation
Protection against injection attacks and malformed data
Type-safe APIs preventing common security vulnerabilities

API Authentication

API key-based authentication for system integrations
Secure webhook implementations for ATS integrations
Rate limiting and abuse prevention mechanisms

Integration Security

ATS & Third-Party Integrations

Secure webhook-based integrations with industry-standard authentication
Configurable data payloads to share only necessary information
Support for custom integration security requirements
Engineering support available during pilot to configure integrations securely

Incident Response & Support

Security Incident Response

Defined incident response procedures
Rapid notification to affected clients in case of security incidents
Transparent communication about security events

Ongoing Security Support

Dedicated engineering support during pilot phase
Flexible adaptation to client-specific security requirements
Regular security reviews and updates
Proactive communication about security enhancements

Language & Localization

Current Language Support

Production system operates in English
Brazilian Portuguese and Spanish support planned for Q1 2026
Pilot partners will help shape multilingual releases
Security and compliance practices consistent across all language implementations

Client-Specific Customization

As an early-stage product working closely with pilot partners, we maintain flexibility to:

Implement additional audit logging as required
Customize access control models for specific organizational needs
Adapt data retention policies to meet regulatory requirements
Provide additional security documentation and evidence as needed
Configure integrations to meet client security standards
Support client security audits and assessments

Data Governance Roadmap

We are actively developing and enhancing our security and compliance posture:

In Progress: SOC 2 Type II certification process
Planned: Enhanced audit logging and reporting capabilities
Planned: Advanced role-based access control features
Planned: Automated compliance reporting
Ongoing: Regular security assessments and penetration testing
Ongoing: Infrastructure security hardening

Contact & Questions

For specific security questions, custom requirements, or to request our Data Processing Agreement (DPA), please contact:

Brandon John-Freso, CTO Brandon@pier.so

We’re committed to transparency and working collaboratively with our clients to meet their security and compliance needs.