Built for the way regulators are actually writing the rules.
Tenant isolation at the database layer. An architectural human-oversight commitment written into the system. A bias-audit data export you can hand an auditor. Built to support tenant compliance with three regulatory regimes on day one.
Human oversight, architecturally.
CertAIn does not make hiring decisions. Every AI output is a recommendation to a human, and that constraint is codified in the architecture — not a paragraph in a terms document we could quietly change. Settings → Compliance → AI Oversight exposes this commitment read-only inside the product; tenants can export it for their own compliance review.
This line is what keeps CertAIn on the right side of NYC AEDT, Illinois AIVIA, and EU AI Act Annex III. Everything below flows from it.
Provenance: SAAS_ARCHITECTURE v1.5 changelog — "Human oversight guarantee: all AI output is a recommendation to a human, never automated decisioning."
- AEDT: NYC Local Law 144
- AIVIA: Illinois AI in hiring
- EU AI Act: Annex III — high-risk
- SOC 2: Type II — 2026 roadmap
How your data moves.
- Tenant isolation. Every row in the database carries a tenant ID. Row-level security (RLS) policies enforce that a query from one tenant cannot return another tenant's rows — the database, not the application layer, is the gate. Super-admin impersonation is the only bypass path and is logged to an append-only audit trail visible to tenant admins.
- Transit encryption. TLS 1.2+ on every hop, no exceptions.
- At-rest encryption. PostgreSQL and Cloudflare R2 encryption, provider-managed. Integration API keys (Greenhouse, etc.) are additionally encrypted at the application layer using Fernet with a rotating master key.
- File storage. Resume files and photos are stored in R2 under tenant-prefixed keys (tenants/{tenant_id}/...). Upload validation rejects non-resume MIME types at the edge; outbound fetch paths are SSRF-hardened.
- Data residency. US-region PostgreSQL today. EU-region on the roadmap for enterprise deals requiring it.
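The row-level-security arrangement described under "Tenant isolation", as an added PostgreSQL example (not CertAIn's own schema or code); the table, column, role and session-variable names are assumptions, and the application is assumed to set the tenant context with SET LOCAL at the start of each request transaction:

```sql
-- Every row carries the tenant it belongs to (assumed table/column names).
CREATE TABLE candidates (
    id        uuid PRIMARY KEY,
    tenant_id uuid NOT NULL,
    full_name text NOT NULL
);

-- Enable RLS, and FORCE it so even the table owner is subject to the policy.
ALTER TABLE candidates ENABLE ROW LEVEL SECURITY;
ALTER TABLE candidates FORCE ROW LEVEL SECURITY;

-- The gate lives in the database: a row is visible or writable only when its
-- tenant_id matches the tenant set on the connection (app.tenant_id is assumed).
-- current_setting(..., true) returns NULL rather than erroring when the variable
-- is unset, and NULLIF guards the '' value some sessions carry, so a request that
-- forgot to set its tenant context sees zero rows instead of every tenant's rows.
CREATE POLICY tenant_isolation ON candidates
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application role is ordinary: no BYPASSRLS, not the table owner.
CREATE ROLE app_user NOLOGIN;                         -- assumed role name
GRANT SELECT, INSERT, UPDATE, DELETE ON candidates TO app_user;

-- Super-admin impersonation is the only bypass path (BYPASSRLS), and each use is
-- recorded first in an append-only log; only INSERT and SELECT are ever granted.
CREATE ROLE super_admin NOLOGIN BYPASSRLS;            -- assumed role name
CREATE TABLE impersonation_audit (
    id         bigserial   PRIMARY KEY,
    admin_name text        NOT NULL DEFAULT current_user,
    tenant_id  uuid        NOT NULL,
    reason     text        NOT NULL,
    started_at timestamptz NOT NULL DEFAULT now()
);
ALTER TABLE impersonation_audit ENABLE ROW LEVEL SECURITY;
ALTER TABLE impersonation_audit FORCE ROW LEVEL SECURITY;
GRANT INSERT ON impersonation_audit TO super_admin;
GRANT SELECT ON impersonation_audit TO app_user;
-- Tenant admins see the impersonation entries for their own tenant only.
CREATE POLICY audit_visible_to_tenant ON impersonation_audit FOR SELECT
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per-request pattern (as app_user): SET LOCAL scopes the tenant to this transaction.
BEGIN;
SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000001';  -- constructed id
SELECT count(*) FROM candidates;   -- counts only tenant ...0001's rows
COMMIT;
```

A useful periodic check is `SELECT rolname FROM pg_roles WHERE rolbypassrls OR rolsuper;`, which should list nothing beyond the intended super-admin role.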
What happens to resumes we send to the model.
CertAIn uses Anthropic (Claude) as its AI provider. Per Anthropic's published commercial API terms, inputs submitted through the API are not used by default to train Anthropic's models. Anthropic retains inputs and outputs for up to 30 days for abuse-detection purposes under their published policy; CertAIn does not submit anything to third-party training pipelines. If your legal team needs the specifics, the current Anthropic Commercial Terms and Usage Policies are the authoritative source — we'll walk through them together on request.
Three frameworks, one architecture.
- NYC AEDT (Local Law 144)
- Illinois AIVIA
- EU AI Act (Annex III)
SOC 2 — on the roadmap.
We are not SOC 2 Type II certified today. We are building to be audit-ready: scoped controls, logging, access review, secret rotation, and backup/DR procedures are documented and in operation. We'll begin a Type I audit once post-launch operational data covers a full three-month observation window — target start Q3 2026, with Type II following the observation period.
For enterprise deals that require a formal certification before close, we'll share the current control documentation and a target audit timeline under NDA — that's been enough to unblock early security reviews.
Bias audit — the artifact an auditor asks for.
The bias_audit export is a structured CSV with one row per AI action, covering: timestamp, JD, candidate ID (pseudonymous), action type, output category (rank position, fit tier, signal direction), and the model version that ran. It excludes demographic fields and free-text — by design, an auditor should be able to run it through their bias testing without touching content. Available through the same async export pipeline as the portability export; downloadable for 7 days after generation.
What CertAIn does not do.
- No automated rejection. CertAIn does not reject a candidate. It produces a recommendation; a human acts.
- No resume → ATS status automation by default. If you wire up an ATS status update via integration, that is a deliberate tenant-side choice, and it is logged.
- No demographic inference by design. Our prompts explicitly forbid inference of age, gender, ethnicity, disability, or protected-class attributes from resumes, and we monitor outputs against this commitment. This is a strong control, not a mathematical guarantee.
- No cross-tenant model training. Your data stays in your tenant. Aggregate cost / usage data is anonymized for internal operations only.
Incident response.
Security incidents are disclosed to affected tenants without unreasonable delay and in any event no later than 72 hours after confirmed identification, with a written post-mortem following within 14 days. Contact: jon@certainhr.ai (designated security contact during early-stage operations — will move to security@ once there's a team to staff it honestly).