Skip to main content
Security & compliance · SOC 2 Type II in progress

Enterprise security for AI hiring.

Vettika encrypts every interview at rest and in transit, enforces TOTP two-factor authentication, isolates tenant data at the query layer, and is actively pursuing SOC 2 Type II. Everything your security or procurement team needs before sign-off.

AES-256-GCMTLS 1.3TOTP 2FANeon SOC 2 IIVercel SOC 2 II

Short version

For busy security teams.

AES-256 at rest, TLS 1.3 in transit, TOTP 2FA enforced, tenant data isolated at the query layer, all primary infrastructure SOC 2 certified (Vercel + Neon), no audio retained after transcription, no training on your data. SOC 2 Type II audit period begins Q4 2026.

If your organisation uses a custom security questionnaire, email security@vettika.com — response within 5 business days.

Technical controls

What we ship by default.

Security controls active on every account — not add-ons, not enterprise-only.

AES-256-GCM

Encryption at rest

All Neon Postgres data encrypted AES-256-GCM. Keys managed by the cloud provider HSM — not accessible to application code.

TLS 1.3

Encryption in transit

TLS 1.3 enforced on every connection. TLS 1.0 and 1.1 disabled. HSTS headers set on all responses.

RFC 6238

TOTP two-factor authentication

RFC 6238 compliant authenticator app 2FA. Backup codes stored as bcrypt hashes — never in plaintext. Admin-mandated enforcement for team accounts.

SameSite=Lax

Session security

HTTP-only, Secure, SameSite=Lax cookies. Inactivity-based expiry. New-device email alerts with one-click remote revoke from the account security page.

Upstash Redis

Distributed rate limiting

Upstash Redis rate limits enforced on all public endpoints. Auth routes carry tighter per-IP quotas. Cloudflare Turnstile on sign-in, sign-up, and password-reset flows.

Query-layer

Tenant data isolation

Every database read and write is filtered by recruiterId at the query layer — not just at the route level. Cross-tenant access is structurally impossible, not just policy-gated.

Infrastructure

Where your data lives and how it moves.

Every layer of the stack uses a SOC 2 certified provider or carries equivalent controls.

Application layer

Deployed to Vercel serverless functions, US regions. Vercel holds SOC 2 Type II certification. No persistent compute — each request is isolated. Vercel Edge Network handles DDoS mitigation and TLS termination.

Database

Neon Postgres on AWS us-east-1. SOC 2 Type II certified. Point-in-time recovery (PITR) enabled. Automated encrypted backups. Connection pooling via Neon's serverless driver — no connection string credentials in client bundles.

Voice and audio

Audio transported via LiveKit Cloud with end-to-end encrypted WebRTC. Deepgram converts speech to text in real time. Audio is not retained after transcription — only the text transcript is stored. No audio files exist post-session.

AI inference

Google Gemini 2.5 Flash via Google API. Google's API terms explicitly prohibit using API inputs for model training without customer opt-in. Vettika does not opt in. Transcript text is sent for inference and is not retained by Google.

Data residency

All data processing is US-based (AWS us-east-1 for Neon, Vercel US regions for compute). EU and APAC data residency options are on the enterprise roadmap. For EU transfers, standard DPAs with SCCs are available today — see /product/compliance or email legal@vettika.com.

Sub-processors

Every vendor that touches your data.

No hidden processors. Paid plan customers are notified 30 days in advance of any material sub-processor change.

VendorPurposeData processedCertification
VercelApplication hosting + edge networkRequest data, logsSOC 2 Type II
NeonPostgres databaseAll structured dataSOC 2 Type II
LiveKit CloudReal-time audio/video transportAudio streams (ephemeral)WebRTC E2E encryption
DeepgramSpeech-to-text transcriptionAudio during session only — not retainedSOC 2 Type II
Google (Gemini)LLM inference for interview + scoringTranscript text — not used for trainingISO 27001 · SOC 2
CartesiaText-to-speech (interviewer voice)Synthesized text only — no candidate dataSOC 2 in progress
ResendTransactional email deliveryRecipient email address + contentSOC 2 Type II
UpstashDistributed rate limitingIP address + counter — no PIISOC 2 Type II
CloudflareBot / CAPTCHA (Turnstile)Browser signals — no PII storedISO 27001 · SOC 2

DPA requests and sub-processor questions: legal@vettika.com

Certifications

SOC 2 Type II: current status and roadmap.

We publish this because transparency is more useful than vague security claims.

Current status

  • Technical controls largely implemented (encryption, 2FA, rate limiting, tenant isolation — see Controls above)
  • Primary infrastructure providers (Vercel, Neon) each hold SOC 2 Type II independently
  • Vettika itself is not yet SOC 2 certified — observation period has not begun

Roadmap

  • Q3 2026Select compliance automation platform (Vanta or Drata evaluation underway)
  • Q4 2026SOC 2 Type II observation period begins
  • H2 2026Penetration test — results shared with enterprise customers under NDA
  • Q2 2027Target SOC 2 Type II report issuance

In the meantime: custom security questionnaires answered within 5 business days via security@vettika.com. Enterprise annual plan customers receive a 30-minute security review call with the engineering team. See pricing →

FAQ

Security questions we hear most.

Is interview data used to train AI models?+

No. Google's API terms explicitly prohibit using API inputs to train or improve models without opt-in consent. Deepgram's API terms carry the same restriction. Vettika does not opt in to any training data programs on behalf of customers. Your candidate transcripts and scores are never used to train any model.

How long is candidate data retained?+

Data is retained for the life of your account plus 90 days after account closure, then permanently deleted. Individual candidate records can be deleted at any time from the candidate detail page. Deletion cascades to transcripts, scores, and linked interview sessions.

Can we sign a Data Processing Agreement (DPA)?+

Yes. A standard DPA is available for all paid plans. Standard Contractual Clauses (SCCs) are included for EU-to-US data transfers. Email legal@vettika.com with your company name and we will return a countersigned copy within 5 business days.

What is your breach notification process?+

In the event of a confirmed data breach affecting personal data, Vettika will notify affected customers within 72 hours of confirming the incident, consistent with GDPR Article 33. Notification will include the nature of the breach, categories of data affected, and remediation steps taken.

Do you support SSO or SAML?+

Not yet. Current authentication options are Google OAuth, email/password, and TOTP 2FA. SAML SSO for enterprise identity providers (Okta, Azure AD, etc.) is on the enterprise roadmap for H2 2026. Contact sales@vettika.com to be notified when it ships.

Is Vettika GDPR compliant?+

Vettika processes EU personal data under contractual necessity (Article 6(1)(b) GDPR). DPAs with SCCs are available for all paid plans. A full compliance overview — including CCPA, NYC Local Law 144 / AEDT, and data subject rights — is at /product/compliance. For AEDT bias audit documentation see /legal/aedt-bias-audit.

Full compliance documentation at /product/compliance · Privacy policy · AEDT bias audit · Vettika vs HireVue

Run compliant AI screening today.

Free tier includes 3 interviews — no credit card, no procurement blocker. Enterprise teams get a dedicated security review call. Reach us at security@vettika.com.

Color scheme toggle
AI Hiring Software Security & Compliance | Vettika