Security

We take the security of your data seriously. This page explains the technical and operational controls we have in place to protect assessment content, candidate data, and your account.

Have a question or concern? Email us at [email protected].

Data Encryption

All data in transit is protected by TLS 1.2 or higher. This applies to every request between your browser, our servers, and our database — there is no unencrypted path for data to travel.

Data at rest is encrypted by Supabase using AES-256 encryption at the storage layer. Database backups are also encrypted. Encryption keys are managed by Supabase's key management infrastructure and are not accessible to our application code.

Authentication

User authentication is handled by Supabase Auth, which implements industry-standard security practices including bcrypt password hashing with a work factor appropriate for the current hardware environment.

Sessions are managed via short-lived JWT access tokens and long-lived refresh tokens stored in secure, HTTP-only cookies. Tokens are automatically rotated on each session refresh. We support email/password authentication and plan to add SSO (SAML 2.0) for enterprise customers.

Candidate assessment links are single-use tokenized URLs. Tokens are cryptographically random and scoped to a specific assessment session — a candidate cannot access any other session with the same link.

Authorization and Row-Level Security

Every table in our PostgreSQL database is protected by Row-Level Security (RLS) policies enforced at the database layer. This means that even if application-level access control were bypassed, the database would still refuse to return data that the requesting user is not authorized to see.

Recruiters can only access assessments, questions, sessions, and scorecards belonging to their own organization. Candidates can only access the specific session they were invited to. Admin operations that require elevated privileges use a service role client that never touches the public API surface.
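To make the organization-scoping and single-use-link claims above concrete, here is an added illustration in Postgres SQL. It is not AssessAI's own schema or policy code; it assumes a Supabase-style database (the auth.users table, the auth.uid() helper and the pgcrypto extension), and every table, column and function name in it is constructed for the example. The last query is the check a reviewer would run to confirm that "every table" really has RLS enabled.

```sql
-- Added illustration only: not AssessAI's schema. Assumes Supabase-style Postgres
-- (auth.users, auth.uid(), pgcrypto). All object names below are constructed.
create extension if not exists pgcrypto;

create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Which authenticated users belong to which organization.
create table memberships (
  user_id         uuid not null references auth.users (id) on delete cascade,
  organization_id uuid not null references organizations (id) on delete cascade,
  primary key (user_id, organization_id)
);

create table assessments (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null references organizations (id),
  title           text not null
);

-- Candidate links: only the SHA-256 of the random token is stored, so a copy of
-- the table does not yield usable links. claimed_at enforces single use.
create table candidate_sessions (
  id            uuid primary key default gen_random_uuid(),
  assessment_id uuid not null references assessments (id),
  token_hash    bytea not null unique,
  expires_at    timestamptz not null,
  claimed_at    timestamptz
);

-- RLS on every table. A table with RLS enabled and no policy returns nothing to
-- ordinary roles; only the service role (bypassrls) can reach candidate_sessions.
alter table organizations      enable row level security;
alter table memberships        enable row level security;
alter table assessments        enable row level security;
alter table candidate_sessions enable row level security;

-- Recruiters read and create assessments only in organizations they belong to.
create policy "recruiter reads own org assessments"
  on assessments for select to authenticated
  using (organization_id in
         (select organization_id from memberships where user_id = auth.uid()));

create policy "recruiter creates assessments in own org"
  on assessments for insert to authenticated
  with check (organization_id in
              (select organization_id from memberships where user_id = auth.uid()));

create policy "user reads own memberships"
  on memberships for select to authenticated
  using (user_id = auth.uid());

-- Issuing a link (called server side with the service role): 256 random bits
-- from pgcrypto's CSPRNG. The hex string returned here is the only copy of the
-- raw token; it goes into the candidate's URL and is never written to the table.
create function issue_candidate_link(p_assessment_id uuid,
                                     p_ttl interval default '7 days')
returns text
language plpgsql
as $$
declare
  raw_token bytea := gen_random_bytes(32);
begin
  insert into candidate_sessions (assessment_id, token_hash, expires_at)
  values (p_assessment_id, digest(raw_token, 'sha256'), now() + p_ttl);
  return encode(raw_token, 'hex');
end;
$$;

-- Redeeming a link (server side, service role). $1 is the hex token from the URL.
-- The single UPDATE is atomic: two concurrent requests with the same token cannot
-- both succeed, and an unknown, expired or already-claimed token returns zero rows,
-- which the application treats the same way as a missing session.
update candidate_sessions
   set claimed_at = now()
 where token_hash = digest(decode($1, 'hex'), 'sha256')
   and claimed_at is null
   and expires_at > now()
returning id, assessment_id;

-- Audit check for the "every table is protected by RLS" claim: must return no rows.
select schemaname, tablename
  from pg_tables
 where schemaname = 'public'
   and not rowsecurity;
```

Two details matter when adopting this pattern: the redeem query scopes the candidate to exactly one session row (the one whose hash matches), which is what makes a link unusable for any other session, and decode() raises an error on malformed hex, so the application should validate the token's length and character set before it reaches the query rather than letting the error surface.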

Infrastructure

Our frontend and API routes are hosted on Vercel's global edge network, which provides DDoS mitigation, automatic HTTPS, and isolated serverless execution environments per request.

Our database runs on Supabase-managed PostgreSQL on AWS infrastructure. Supabase handles patching, backups, failover, and point-in-time recovery. We do not operate our own database servers.

We apply least-privilege principles across our infrastructure. Environment variables and secrets are stored in Vercel's encrypted secret store and are never committed to source code or exposed in client bundles.

AI Data Handling

Candidate assessment responses are sent to AI providers (OpenAI, Google Gemini, and/or Anthropic) solely for the purpose of generating evaluation scores and feedback. We do not share personally identifiable information (PII) such as candidate names or email addresses with AI providers — only the answer text and question context are transmitted.

As of March 2026, all three providers maintain API-use policies that state customer data submitted via their APIs is not used to train their models. We monitor these policies and will notify affected customers if terms change materially.

AI-generated scores are stored in our database and are accessible only to the recruiter who created the assessment. We do not pool or aggregate candidate data across organizations.

Payment Security

Payment processing is handled entirely by Razorpay, which is PCI-DSS Level 1 certified — the highest level of compliance available. We never store, log, or transmit full credit card numbers, CVV codes, or card expiry dates.

When you complete a payment, Razorpay returns a tokenized reference that we store to manage your subscription. Your raw payment details remain within Razorpay's PCI-compliant environment at all times.

Vulnerability Reporting

If you discover a potential security vulnerability in AssessAI, we ask that you report it responsibly before public disclosure. Please email [email protected] with a description of the issue, reproduction steps, and your assessment of potential impact.

We will acknowledge receipt within 2 business days and work to assess and remediate confirmed vulnerabilities as quickly as possible. We appreciate researchers who practice responsible disclosure.

Compliance Roadmap

AssessAI is not currently SOC 2 certified. We are evaluating a SOC 2 Type II audit as the platform scales. Enterprise customers with specific compliance requirements are welcome to contact us to discuss their needs — we can provide our current security documentation, sub-processor list, and data processing addendum (DPA) upon request.