Security & compliance
How Voxxhire treats candidate data.
AI-assisted, human-decided. Built so candidate data is handled the way the candidate would want it handled.
SOC 2
We're building toward enterprise-grade compliance — contact sales for current attestation status.
Data protection alignment
- • GDPR (EU) — aligned data handling.
- • UAE PDPL (Federal Decree-Law 45 of 2021) — aligned: explicit consent, retention, deletion.
- • KSA PDPL (Royal Decree M/19) — aligned.
- • India DPDP Act 2023 — aligned.
EEOC and NYC Local Law 144
Voxxhire is designed for EEOC-aware hiring: structured evaluation matrices applied consistently across candidates, advisory scoring with mandatory human review, audit-ready transcripts and reviewer notes. We do not perform facial analysis, emotion detection, or personality prediction.
For employers using Voxxhire for candidates resident in New York City, the customer is responsible for the candidate notification and annual bias audit required by NYC Local Law 144. We support this by providing structured audit data and clear AI-disclosure copy candidates can be shown.
Data residency
Default storage is region-nearest to the contracting customer. GCC-region storage is available for GCC customers on Growth and Enterprise plans; India-region storage is available for India customers on Growth and Enterprise plans.
Candidate consent
Explicit consent is captured before any recording begins. The consent surface explains what AI is doing, what data is collected, how long it is retained, and how the candidate can request deletion. Candidates can request deletion at any time.
Bias-mitigation methodology
See our bias-audit approach for the methodology, how we test, and what we surface to customers running their own audits.
What we do not do
No facial analysis. No emotion detection. No personality prediction. No autonomous hiring decisions.
Trust centre
Encryption & infrastructure
In transit
All traffic is encrypted in transit with TLS 1.2 or higher, and HTTP Strict Transport Security (HSTS) is enforced platform-wide.
At rest
Data is encrypted at rest by our infrastructure providers. Integration credentials and OAuth tokens are additionally encrypted at the application layer before storage.
Infrastructure
The application is hosted on Railway; the database and backend run on Convex. Customer data is isolated per tenant at the database layer.
Trust centre
Sub-processors
Convex
Database & serverless backend
Railway
Application hosting
Google Gemini
AI interview processing & scorecard generation
Resend
Transactional email — interview invites and account emails
Zoho Mail
Contact-form email delivery
PostHog
Product analytics — enabled per tenant
Full sub-processor list with processing regions is available on request.
Trust centre
Attestations & roadmap
SOC 2 Type II
We're building toward enterprise-grade compliance and assess ourselves against the SOC 2 Trust Services Criteria. Contact sales for current attestation status.
Penetration testing
Independent penetration testing is scheduled ahead of general availability; a summary will be available under NDA.
Trust centre
Data lifecycle
Consent first
Voxxhire captures and stores candidate consent before every interview begins. The consent record — timestamp, policy version, and the disclosure shown — is part of the audit trail.
Audit trail
Audit logs cover interview completion, AI score generation, reviewer decisions and overrides, data exports, and candidate deletions.
Retention & deletion
Retention is configurable per customer — interview transcripts default to 12 months and voice recordings to 90 days. Candidates can request deletion at any time. See our privacy policy for the full retention schedule.
Trust centre
Working with our security team
Responsible disclosure
Found a vulnerability? Email [email protected] — we acknowledge reports within two business days.
Data Processing Agreement
A Data Processing Agreement is available for review during procurement — request it via sales.