Security at HeadHonta

Protecting your data is fundamental to everything we build. We implement industry-leading security practices to keep your recruitment data safe.

Last updated: March 9, 2026

How We Protect Your Data

Encryption

All data is encrypted in transit using TLS 1.2+ and at rest at the infrastructure level (AES-256 volume encryption). Database connections are encrypted and credentials are never stored in plaintext.

Authentication

Passwords are hashed using bcrypt with a high cost factor. JWTs are signed with strong secrets and expire after 15 minutes. Refresh tokens are rotated on use.

Infrastructure

Hosted on SOC 2-certified cloud infrastructure with automated backups, DDoS protection, and network-level firewalls. Production access is restricted to authorised personnel.

Access Controls

Role-based access control (RBAC) is enforced across the platform. Team members only see data relevant to their role. All access is logged and auditable.

Vulnerability Management

Dependencies are scanned continuously for known vulnerabilities. We conduct regular security assessments and patch critical issues within 24 hours.

Employee Security

All team members complete security awareness training. Access follows the principle of least privilege. Production systems require multi-factor authentication.

Application Security

Input Validation & Injection Prevention

All user inputs are validated and sanitised. We use parameterised queries (via Prisma ORM) to prevent SQL injection, and output encoding to prevent cross-site scripting (XSS). Request sizes are limited and file uploads are validated by type and size.

API Security

Rate limiting is enforced on authentication endpoints and expensive operations. CORS is configured for specific allowed origins only (no wildcards with credentials). Security headers (HSTS, CSP, X-Frame-Options) are applied via Helmet. All API endpoints require authentication except public marketing pages.

AI Data Handling

When candidate data is processed by AI features, it is sent to OpenRouter, an AI gateway that routes prompts to underlying model providers. We request that these providers not use your data for model training, though this depends on the routed provider's terms. AI requests are made server-side only — candidate data is never sent directly from the browser to third-party AI services.

Data Backup & Recovery

Databases are backed up daily with point-in-time recovery available. Backups are encrypted and stored in a separate geographic region. We test restoration procedures regularly to ensure data can be recovered in the event of an incident.

Compliance

HeadHonta is built to comply with major data protection regulations and security frameworks:

  • GDPR (EU/UK)
  • CCPA/CPRA (California)
  • NDPA (Nigeria)
  • PIPEDA (Canada)
  • SOC 2-aligned practices
  • OWASP Top 10 protection

For detailed GDPR compliance information, see our GDPR Compliance page.

Incident Response

We maintain a documented incident response plan that includes:

  • 24/7 monitoring for security anomalies.
  • Defined incident severity levels with corresponding response times.
  • Breach notification to affected users and relevant supervisory authorities within 72 hours (as required by GDPR).
  • Post-incident review and remediation.

Responsible Disclosure

We value the security research community. If you discover a vulnerability, please report it responsibly.

  • Email: security@headhonta.com
  • We will acknowledge your report within 48 hours.
  • We will not take legal action against researchers who act in good faith and follow responsible disclosure practices.
  • Please allow us reasonable time to remediate before public disclosure.