Security

Last updated: March 2026

How we protect your data — from infrastructure and encryption to AI model security and incident response.

Our Commitment

skilldeo processes sensitive data — including candidate video recordings, AI scores, and recruiter hiring workflows. We treat security as a core product requirement, not an afterthought.

This page explains the measures we take to protect your data across infrastructure, application, and organisational layers.

Infrastructure Security

  • Cloud hosting — Our platform runs on enterprise-grade cloud infrastructure with ISO 27001 and SOC 2 certifications
  • Data centres — Production data is stored in geographically distributed data centres with physical security controls, biometric access, and 24/7 monitoring
  • Network isolation — Application and database layers are isolated within virtual private clouds (VPCs) with strict firewall rules and no direct public access to databases
  • DDoS protection — Automated traffic filtering and rate limiting protect against denial-of-service attacks
  • Uptime — We maintain a 99.9% uptime SLA with automated failover and redundancy across availability zones

Encryption

  • In transit — All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS). We enforce HSTS headers and do not support legacy protocols
  • At rest — All stored data — including video recordings, transcripts, AI scores, and user information — is encrypted at rest using AES-256 encryption
  • Backup encryption — Database backups are encrypted and stored in separate, access-controlled storage

Authentication & Access Control

  • OTP-based authentication — Recruiter login is secured with one-time password (OTP) verification
  • Role-based access — Within an organisation, access to candidate data is restricted based on user roles. Team members see only the candidates and interviews relevant to their workflow
  • Session management — Sessions are time-limited and automatically expire after periods of inactivity
  • Internal access controls — skilldeo employees access production systems only through secured, logged, and audited channels. Access is granted on a least-privilege basis

Application Security

  • Secure development — Our engineering team follows secure coding practices including code review, dependency scanning, and automated testing
  • Input validation — All user inputs are sanitised to prevent injection attacks (SQL injection, XSS, CSRF)
  • API security — APIs are authenticated, rate-limited, and monitored for anomalous behaviour
  • Dependency management — Third-party libraries are regularly audited for known vulnerabilities using automated scanning tools
  • Penetration testing — We conduct periodic security assessments and penetration tests to identify and remediate vulnerabilities

Video & Recording Security

Candidate video interviews contain sensitive personal data. We protect them with:

  • Secure storage — Videos are stored in encrypted object storage with access controls limited to the recruiting organisation
  • Signed URLs — Video playback URLs are time-limited and cannot be shared or accessed after expiry
  • No third-party access — Video recordings are never shared with advertisers, data brokers, or any third parties outside the hiring process
  • Retention controls — Recruiters can configure data retention periods. Expired data is automatically purged

AI & Model Security

  • Model isolation — Our AI models run in isolated environments with no direct access to production databases
  • No training on your data — Candidate videos and responses are not used to train or improve third-party AI models. Any internal model improvements use only anonymised, aggregated data with explicit consent
  • Bias monitoring — We regularly audit AI scoring outputs for demographic bias and work to ensure fair, consistent evaluations across all candidates
  • Human oversight — AI scores are advisory. All final hiring decisions are made by human recruiters, not automated systems

Compliance & Standards

We align with recognised security and privacy standards:

  • GDPR — We provide data subject rights (access, deletion, portability) and process data lawfully with clear purposes
  • India IT Act — We comply with the Information Technology Act, 2000 and reasonable security practices under Indian law
  • SOC 2 alignment — Our security controls align with SOC 2 Trust Service Criteria (security, availability, confidentiality)
  • PCI compliance — Payment processing is handled by PCI DSS-compliant providers. We do not store credit card data

Incident Response

We maintain an incident response plan covering detection, containment, investigation, and notification:

  • Detection — Automated monitoring and alerting for security anomalies across all systems
  • Response — Dedicated security team with documented procedures for triage and remediation
  • Notification — In the event of a confirmed data breach, we notify affected customers and relevant authorities within 72 hours as required by applicable law
  • Post-incident review — All incidents are followed by root cause analysis and preventive action

Responsible Disclosure

We value the security research community. If you discover a vulnerability in our platform, we encourage responsible disclosure:

  • Email us at social@skilldeo.ai with details of the vulnerability
  • Please do not publicly disclose the issue until we have had an opportunity to investigate and remediate
  • We will acknowledge your report within 2 business days and aim to resolve verified issues promptly

Contact Us

For security-related questions or concerns:

skilldeo Security Team

Email: social@skilldeo.ai

Website: skilldeo.ai

This Security page was last reviewed in March 2026. For our full data handling practices, see our Privacy Policy and Terms of Service.