Security
Effective Date: July 1, 2025
Last Updated: May 25, 2026
1. Overview
Hiring data — candidate profiles, interview recordings, scoring rubrics, and offer decisions — is some of the most sensitive information a company processes. Casuro is built to protect that data end-to-end. This page summarizes our security program: the controls we have in place, the sub-processors we rely on, and how we respond when something goes wrong.
For specific questions, security documentation requests, or to report a vulnerability, please contact security@casuro.ai.
2. Compliance
Casuro is actively working toward SOC 2 Type II attestation. In the meantime, our security program is modeled on the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality, and Privacy) and the practices described on this page reflect that alignment.
Casuro's SMS communications program is registered under A2P 10DLC with The Campaign Registry (TCR) and complies with CTIA messaging principles, the TCPA, and FCC guidance on consumer opt-in.
3. Product Security
3.1 Authentication
Casuro relies on an enterprise-grade identity provider for authentication. Supported methods include:
- Google Workspace and Microsoft 365 corporate accounts
- Email magic links and one-time passcodes
- SAML and OIDC single sign-on (SSO)
- Multi-factor authentication (MFA), including TOTP and passkeys
Session tokens are short-lived, rotated automatically, and transmitted exclusively over HTTPS using secure, signed cookies.
3.2 Authorization
Access to organization data is governed by a per-organization membership record. Every backend request is authorized server-side against the requesting user's active membership and role; clients cannot bypass these checks. Roles support fine-grained permissions across jobs, candidates, challenges, evaluations, and billing.
3.3 Tenant Isolation
Casuro is a multi-tenant SaaS platform. All data is partitioned by organization, and every query and mutation enforces organization-scoped access checks. Cross-organization data access is impossible through the product API.
4. Infrastructure & System Security
4.1 Hosting
The Casuro application, backend services, and file storage run on hardened, audited cloud infrastructure operated by leading providers. Production workloads are globally distributed across redundant regions, and file assets (resumes, cover letters, transcripts, recordings) are stored with object-level access controls.
4.2 Encryption in Transit
All traffic to and from Casuro is encrypted using TLS 1.2 or TLS 1.3. HSTS is enforced. We use modern cipher suites and regularly rotate certificates issued by trusted public certificate authorities.
4.3 Encryption at Rest
All persistent data — structured records, file uploads, call recordings, and backups — is encrypted at rest using industry-standard AES-256.
4.4 Network Security
Our infrastructure providers operate hardened, audited data centers with physical access controls, DDoS mitigation, network segmentation, and intrusion detection. Casuro production services are not directly addressable from the public internet outside of our managed edge endpoints.
5. Application Security
5.1 Secure Development
All code changes are reviewed by a qualified engineer before being merged. Pull requests run automated linting, type checking, and tests. Dependencies are continuously scanned for known vulnerabilities, and we apply security patches promptly.
5.2 Hardening
The Casuro frontend and API are protected against common web attacks including XSS, CSRF, SSRF, clickjacking, and injection. Inputs are validated server-side; outputs are escaped by default. We enforce strict Content Security Policy headers and same-origin cookies.
5.3 Rate Limiting & Abuse Prevention
Public endpoints — including the candidate-facing job application form — are rate-limited and protected by bot mitigation at the edge. Suspicious traffic is logged and can be blocked automatically.
5.4 Penetration Testing
We periodically engage independent security researchers to perform application and infrastructure penetration testing. Findings are triaged, prioritized, and remediated under our vulnerability management process.
6. Operational Security
6.1 Employee Access
Access to production systems and customer data follows the principle of least privilege. All employee accounts require MFA. Administrative actions are logged and reviewable. Access is revoked promptly upon role change or offboarding.
6.2 Endpoint Security
Employee workstations are required to use full-disk encryption, automatic screen lock, and current operating systems with security updates applied. Casuro does not use Windows workstations or servers in production.
6.3 Secrets Management
API keys, database credentials, and other secrets are stored in managed secret stores, never in source control. Access is scoped per-environment and rotated on personnel change.
6.4 Logging & Monitoring
Application, authentication, and infrastructure events are logged centrally with retention sufficient for incident investigation. Anomalies trigger alerts to the on-call engineer.
7. Reliability & Business Continuity
7.1 Backups
Structured data is backed up continuously with point-in-time recovery. File assets in S3 are versioned and replicated. Backups are encrypted using the same AES-256 standard as live data.
7.2 Availability
Our hosting providers operate multi-region, redundant infrastructure. Casuro's serverless backend scales automatically; there is no single host whose failure can take the platform offline.
7.3 Disaster Recovery
We maintain a documented disaster recovery plan with defined recovery time and recovery point objectives, and exercise restore procedures periodically.
8. Data Privacy
Casuro processes personal data of customer employees and candidates in accordance with our Privacy Policy. We do not sell personal data, and we do not share mobile phone numbers, SMS opt-in data, or SMS consent with third parties or affiliates for marketing or promotional purposes.
Candidate data is retained according to the controlling organization's configuration and applicable law. Customers control deletion, export, and access requests for the data they hold in Casuro.
9. Sub-processors
Casuro relies on a limited set of vetted infrastructure and service providers to deliver the platform — for hosting and storage, identity, real-time media, transactional email, SMS delivery, AI features, and payment processing. Each provider is bound by contractual data protection terms and is selected for its published security posture.
A current list of sub-processors and the purpose of each is available to customers and prospective customers upon request under a mutual non-disclosure agreement. Material changes to this list are communicated to active customers in advance via email or in-product notice.
10. Incident Response
Casuro maintains a documented incident response process covering detection, triage, containment, eradication, recovery, and post-incident review. In the event of a security incident affecting customer data, Casuro will notify impacted customers promptly and in accordance with applicable law and contractual commitments.
To report a security concern, please email security@casuro.ai. For instructions on reporting potential vulnerabilities, see our Vulnerability Disclosure Policy.
11. Contact
Security: security@casuro.ai
General: support@casuro.ai
Address: 3403 W 227TH PL, TORRANCE, California 90505