Built for procurement, not just demos.
Our current security posture, reviewed 27 jun 2026. We publish what’s true today and label what’s in progress — no overstated badges.
Every request is scoped to your workspace server-side; resource ids are re-verified on each call.
Candidate PII and salary are masked server-side (not UI-only) — masked roles can’t export or download raw CVs.
Google, Microsoft, or enterprise SSO. No open signup; company-email access only. SCIM on the enterprise tier.
Inbound webhooks are signature-verified (HMAC) and fail closed in production.
A static security review (27 Jun 2026) found 0 Critical and 0 High findings. Source review, not a penetration test.
Region placement available on request for qualifying plans.
These are targets we’re working toward — not current certifications.
We process candidate and recruiter data only to run your recruiting workflow, encrypt secrets at rest, and never sell data. Full detail is in our Privacy Policy. Security questions? rejento@resoftwa.com.