Enterprise security for AI hiring.
Vettika encrypts every interview at rest and in transit, enforces TOTP two-factor authentication, isolates tenant data at the query layer, and is actively pursuing SOC 2 Type II. Everything your security or procurement team needs before sign-off.
Short version
For busy security teams.
AES-256 at rest, TLS 1.3 in transit, TOTP 2FA enforced, tenant data isolated at the query layer, all primary infrastructure SOC 2 certified (Vercel + Neon), no audio retained after transcription, no training on your data. SOC 2 Type II audit period begins Q4 2026.
If your organisation uses a custom security questionnaire, email security@vettika.com — response within 5 business days.
Technical controls
What we ship by default.
Security controls active on every account — not add-ons, not enterprise-only.
Encryption at rest
All Neon Postgres data encrypted AES-256-GCM. Keys managed by the cloud provider HSM — not accessible to application code.
Encryption in transit
TLS 1.3 enforced on every connection. TLS 1.0 and 1.1 disabled. HSTS headers set on all responses.
TOTP two-factor authentication
RFC 6238 compliant authenticator app 2FA. Backup codes stored as bcrypt hashes — never in plaintext. Admin-mandated enforcement for team accounts.
Session security
HTTP-only, Secure, SameSite=Lax cookies. Inactivity-based expiry. New-device email alerts with one-click remote revoke from the account security page.
Distributed rate limiting
Upstash Redis rate limits enforced on all public endpoints. Auth routes carry tighter per-IP quotas. Cloudflare Turnstile on sign-in, sign-up, and password-reset flows.
Tenant data isolation
Every database read and write is filtered by recruiterId at the query layer — not just at the route level. Cross-tenant access is structurally impossible, not just policy-gated.
Infrastructure
Where your data lives and how it moves.
Every layer of the stack uses a SOC 2 certified provider or carries equivalent controls.
Application layer
Deployed to Vercel serverless functions, US regions. Vercel holds SOC 2 Type II certification. No persistent compute — each request is isolated. Vercel Edge Network handles DDoS mitigation and TLS termination.
Database
Neon Postgres on AWS us-east-1. SOC 2 Type II certified. Point-in-time recovery (PITR) enabled. Automated encrypted backups. Connection pooling via Neon's serverless driver — no connection string credentials in client bundles.
Voice and audio
Audio transported via LiveKit Cloud with end-to-end encrypted WebRTC. Deepgram converts speech to text in real time. Audio is not retained after transcription — only the text transcript is stored. No audio files exist post-session.
AI inference
Google Gemini 2.5 Flash via Google API. Google's API terms explicitly prohibit using API inputs for model training without customer opt-in. Vettika does not opt in. Transcript text is sent for inference and is not retained by Google.
Data residency
All data processing is US-based (AWS us-east-1 for Neon, Vercel US regions for compute). EU and APAC data residency options are on the enterprise roadmap. For EU transfers, standard DPAs with SCCs are available today — see /product/compliance or email legal@vettika.com.
Sub-processors
Every vendor that touches your data.
No hidden processors. Paid plan customers are notified 30 days in advance of any material sub-processor change.
| Vendor | Purpose | Data processed | Certification |
|---|---|---|---|
| Vercel | Application hosting + edge network | Request data, logs | SOC 2 Type II |
| Neon | Postgres database | All structured data | SOC 2 Type II |
| LiveKit Cloud | Real-time audio/video transport | Audio streams (ephemeral) | WebRTC E2E encryption |
| Deepgram | Speech-to-text transcription | Audio during session only — not retained | SOC 2 Type II |
| Google (Gemini) | LLM inference for interview + scoring | Transcript text — not used for training | ISO 27001 · SOC 2 |
| Cartesia | Text-to-speech (interviewer voice) | Synthesized text only — no candidate data | SOC 2 in progress |
| Resend | Transactional email delivery | Recipient email address + content | SOC 2 Type II |
| Upstash | Distributed rate limiting | IP address + counter — no PII | SOC 2 Type II |
| Cloudflare | Bot / CAPTCHA (Turnstile) | Browser signals — no PII stored | ISO 27001 · SOC 2 |
DPA requests and sub-processor questions: legal@vettika.com
Certifications
SOC 2 Type II: current status and roadmap.
We publish this because transparency is more useful than vague security claims.
Current status
- ✓Technical controls largely implemented (encryption, 2FA, rate limiting, tenant isolation — see Controls above)
- ✓Primary infrastructure providers (Vercel, Neon) each hold SOC 2 Type II independently
- ○Vettika itself is not yet SOC 2 certified — observation period has not begun
Roadmap
- Q3 2026Select compliance automation platform (Vanta or Drata evaluation underway)
- Q4 2026SOC 2 Type II observation period begins
- H2 2026Penetration test — results shared with enterprise customers under NDA
- Q2 2027Target SOC 2 Type II report issuance
In the meantime: custom security questionnaires answered within 5 business days via security@vettika.com. Enterprise annual plan customers receive a 30-minute security review call with the engineering team. See pricing →
FAQ
Security questions we hear most.
Is interview data used to train AI models?+
No. Google's API terms explicitly prohibit using API inputs to train or improve models without opt-in consent. Deepgram's API terms carry the same restriction. Vettika does not opt in to any training data programs on behalf of customers. Your candidate transcripts and scores are never used to train any model.
How long is candidate data retained?+
Data is retained for the life of your account plus 90 days after account closure, then permanently deleted. Individual candidate records can be deleted at any time from the candidate detail page. Deletion cascades to transcripts, scores, and linked interview sessions.
Can we sign a Data Processing Agreement (DPA)?+
Yes. A standard DPA is available for all paid plans. Standard Contractual Clauses (SCCs) are included for EU-to-US data transfers. Email legal@vettika.com with your company name and we will return a countersigned copy within 5 business days.
What is your breach notification process?+
In the event of a confirmed data breach affecting personal data, Vettika will notify affected customers within 72 hours of confirming the incident, consistent with GDPR Article 33. Notification will include the nature of the breach, categories of data affected, and remediation steps taken.
Do you support SSO or SAML?+
Not yet. Current authentication options are Google OAuth, email/password, and TOTP 2FA. SAML SSO for enterprise identity providers (Okta, Azure AD, etc.) is on the enterprise roadmap for H2 2026. Contact sales@vettika.com to be notified when it ships.
Is Vettika GDPR compliant?+
Vettika processes EU personal data under contractual necessity (Article 6(1)(b) GDPR). DPAs with SCCs are available for all paid plans. A full compliance overview — including CCPA, NYC Local Law 144 / AEDT, and data subject rights — is at /product/compliance. For AEDT bias audit documentation see /legal/aedt-bias-audit.
Full compliance documentation at /product/compliance · Privacy policy · AEDT bias audit · Vettika vs HireVue
Run compliant AI screening today.
Free tier includes 3 interviews — no credit card, no procurement blocker. Enterprise teams get a dedicated security review call. Reach us at security@vettika.com.