Trust & Security Center
Security at TalentLane
We design security into every layer of the platform — from infrastructure and encryption to AI transparency and compliance readiness.
1 Security Overview
TalentLane is operated by NEXTCORE AI LLC, a West Virginia limited liability company. We design security into every layer of the platform — from the underlying AWS infrastructure and encryption in transit and at rest, to application-level controls and AI model transparency.
This page describes our current security practices and is intended for enterprise procurement teams, IT security reviewers, and customers evaluating TalentLane as a vendor. For questions not answered here, contact security@talentlane.biz.
2 Infrastructure & Hosting
Production infrastructure is hosted entirely on Amazon Web Services (AWS) in the us-east-2 (Ohio) region:
- EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling Group — security groups restrict inbound traffic to the ALB only
- TLS terminates at the ALB using AWS Certificate Manager (ACM) — no self-signed certificates in production
- Amazon S3 for file storage. Resume files are private and served only via time-limited pre-signed URLs (15-minute TTL). Company logos, banners, and gallery images are served via public HTTPS URLs using a selective bucket policy — no personal or sensitive data is stored in public prefixes.
- PostgreSQL 15 database running within the AWS VPC, not exposed to the public internet
| Component | Provider | Region |
|---|---|---|
| Application Load Balancer | Amazon Web Services | us-east-2 |
| EC2 (application servers) | Amazon Web Services | us-east-2 |
| S3 (file storage) | Amazon Web Services | us-east-2 |
| SES (transactional email) | Amazon Web Services | us-east-2 |
| SNS (bounce/complaint events) | Amazon Web Services | us-east-2 |
| Authentication | Auth0 (Okta) | US region |
| Payment processing | Stripe | United States |
3 Data Encryption
- In transit: TLS 1.2+ enforced on all connections between browsers and the ALB. HTTP is redirected to HTTPS. All inter-service calls within AWS use encrypted channels.
- At rest: All files uploaded to Amazon S3 use Server-Side Encryption (AES256 / SSE-S3), regardless of whether they are served privately or publicly.
- Session cookies: Signed and encrypted; `HttpOnly`, `Secure`, and `SameSite=Lax` attributes set on all session tokens.
- Passwords: Not stored by TalentLane. All credential management is delegated to Auth0 (Okta), which maintains its own security certifications.
- Payment card data: Never reaches TalentLane servers. All payment processing is handled entirely by Stripe (PCI DSS Level 1 certified). We store only a Stripe customer identifier.
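The following is an added example (not TalentLane's code) showing what a signed session token with the `HttpOnly`, `Secure` and `SameSite=Lax` attributes looks like in plain Python. It demonstrates signing and the cookie attributes only; the encryption layer the page also mentions would require a separate library and is not shown. The secret key, user id and 14-day TTL constant are constructed placeholders.

```python
import hashlib
import hmac
import time
from http.cookies import SimpleCookie
from typing import Optional

# Constructed placeholder secret; a real deployment loads this from a secrets
# manager or the environment, never from source control.
SECRET_KEY = b"example-only-secret-do-not-use"
SESSION_TTL_SECONDS = 14 * 24 * 3600  # 14 days, matching the inactivity window on this page


def _tag(payload: bytes) -> str:
    """HMAC-SHA256 tag over the payload, hex-encoded so it is cookie-safe."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def make_session_value(user_id: str, issued_at: int) -> str:
    """Build '<hex payload>.<hex tag>' from the user id and issue time."""
    payload = f"{user_id}|{issued_at}".encode()
    return f"{payload.hex()}.{_tag(payload)}"


def verify_session_value(value: str, now: int) -> Optional[str]:
    """Return the user id if the tag verifies and the session is unexpired, else None."""
    try:
        body, tag = value.rsplit(".", 1)
        payload = bytes.fromhex(body)
    except ValueError:
        return None
    # Constant-time comparison so a tag mismatch does not leak timing information.
    if not hmac.compare_digest(tag, _tag(payload)):
        return None
    user_id, issued = payload.decode().split("|", 1)
    if now - int(issued) > SESSION_TTL_SECONDS:
        return None
    return user_id


def build_set_cookie_header(user_id: str, issued_at: int) -> str:
    """Produce the Set-Cookie header value with HttpOnly, Secure and SameSite=Lax set."""
    cookie = SimpleCookie()
    cookie["session"] = make_session_value(user_id, issued_at)
    cookie["session"]["httponly"] = True   # not readable from JavaScript
    cookie["session"]["secure"] = True     # only sent over HTTPS
    cookie["session"]["samesite"] = "Lax"  # not sent on cross-site POST requests
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    issued = int(time.time())
    print(build_set_cookie_header("alice", issued))
    value = make_session_value("alice", issued)
    print(verify_session_value(value, issued + 60))  # alice
    # Flip one character of the payload: the HMAC no longer verifies.
    tampered = ("0" if value[0] != "0" else "1") + value[1:]
    print(verify_session_value(tampered, issued + 60))  # None
```

The `HttpOnly`, `Secure` and `SameSite` flags appear directly in the emitted header, and any change to the payload or tag is rejected before the timestamp is even read.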
4 Authentication & Access Control
- All user authentication is handled by Auth0 (Okta), supporting Google OAuth and email/password with MFA options. Auth0 manages brute-force protection, credential storage, and MFA enforcement.
- Role-based access control (RBAC) is enforced at every route: `seeker`, `employer`, `recruiter`, and `admin` roles each have distinct, non-overlapping permission scopes.
- Admin-level routes require an explicit admin role flag set by an existing administrator — no privilege escalation is possible through normal user flows.
- Sessions expire after 14 days of inactivity.
- For Auth0's own security certifications (SOC 2, ISO 27001), see auth0.com/security.
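As an added illustration (not TalentLane's code), the snippet below shows one way the RBAC rules above can be expressed: each role owns a disjoint permission scope, a decorator checks the scope on every handler, and the admin flag can only be granted by a caller who already holds the admin permission. The permission names and user records are constructed for the example; the page names the four roles but not their individual permissions.

```python
from functools import wraps
from typing import Callable, Dict, FrozenSet

# Constructed permission scopes: one frozenset per role, deliberately disjoint.
ROLE_SCOPES: Dict[str, FrozenSet[str]] = {
    "seeker":    frozenset({"profile:edit", "job:apply"}),
    "employer":  frozenset({"job:post", "applicant:view"}),
    "recruiter": frozenset({"candidate:search", "candidate:contact"}),
    "admin":     frozenset({"user:manage", "site:configure"}),
}


class User:
    def __init__(self, user_id: str, role: str) -> None:
        self.user_id = user_id
        self.role = role


def has_permission(user: User, permission: str) -> bool:
    """True only if the user's role scope contains the permission."""
    return permission in ROLE_SCOPES.get(user.role, frozenset())


def require_permission(permission: str) -> Callable:
    """Route-level guard: refuse the call before the handler body runs."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def wrapper(user: User, *args, **kwargs):
            if not has_permission(user, permission):
                raise PermissionError(f"role '{user.role}' lacks '{permission}'")
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


@require_permission("job:post")
def post_job(user: User, title: str) -> dict:
    return {"posted_by": user.user_id, "title": title}


@require_permission("user:manage")
def grant_admin(actor: User, target: User) -> str:
    """Only an existing admin reaches this body; a seeker cannot promote anyone."""
    target.role = "admin"
    return target.role


def scopes_are_disjoint() -> bool:
    """Sanity check for the 'non-overlapping permission scopes' property."""
    seen: set = set()
    for scope in ROLE_SCOPES.values():
        if seen & scope:
            return False
        seen |= scope
    return True


if __name__ == "__main__":
    alice, bob, root = User("u1", "seeker"), User("u2", "employer"), User("u3", "admin")
    print(scopes_are_disjoint())                 # True
    print(post_job(bob, "Backend Engineer"))     # allowed: employer scope
    try:
        post_job(alice, "Backend Engineer")      # refused: seeker scope
    except PermissionError as exc:
        print("denied:", exc)
    try:
        grant_admin(alice, bob)                  # refused: only an admin may grant admin
    except PermissionError as exc:
        print("denied:", exc)
    print(grant_admin(root, bob))                # admin
```

The point a reviewer should look for is that the check runs in the wrapper, before any handler logic, and that the only path to the admin role passes through a handler that itself requires the admin permission.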
5 Application Security
- SQL injection prevention: All database queries use parameterized placeholders (psycopg2 `%s`) — no dynamic SQL string construction anywhere in the codebase.
- XSS prevention: All user-supplied content is rendered through Jinja2's auto-escaping — HTML is escaped at the template layer before output.
- File upload security: Uploaded files are validated by type and stored directly to S3 — they are never written to the server's filesystem and never executed.
- CSRF protection: Implemented via signed session cookies and the `SameSite=Lax` cookie policy, limiting cross-site request forgery vectors.
- Third-party JavaScript: No external CDN-hosted JavaScript is loaded on authenticated pages — reducing third-party supply chain risk.
- Dependency management: Python packages are pinned in `requirements.txt` and reviewed on every update before deployment.
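The following added example (not TalentLane's code) shows the parameterized-placeholder point from the list above with a vulnerable query next to its hardened form. It uses Python's built-in `sqlite3` module as a stand-in so it runs without a PostgreSQL server; `sqlite3` uses `?` where psycopg2 uses `%s`, but the driver-side separation of SQL text from values is the same. The table and rows are constructed for the example.

```python
import sqlite3
from typing import List, Tuple

# In-memory SQLite stand-in for the PostgreSQL database described on the page.
# psycopg2 uses %s placeholders and sqlite3 uses ?, but the mechanism is identical:
# the driver hands the engine the SQL text and the values separately, so a value
# is never parsed as SQL.


def make_db() -> sqlite3.Connection:
    """Create a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [
            ("alice@example.com", "seeker"),
            ("bob@example.com", "employer"),
            ("root@example.com", "admin"),
        ],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """VULNERABLE: the untrusted value is spliced into the SQL text."""
    query = f"SELECT email, role FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """SAFE: parameterized placeholder. The psycopg2 equivalent is
    cur.execute("SELECT email, role FROM users WHERE email = %s", (email,))."""
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # the textbook tautology input
    # Unsafe: the WHERE clause becomes a tautology and every row comes back.
    print(find_user_unsafe(db, crafted))
    # Safe: the same string is compared as a literal email and matches nothing.
    print(find_user_safe(db, crafted))           # []
    print(find_user_safe(db, "alice@example.com"))  # [('alice@example.com', 'seeker')]
```

The same value produces three rows through the formatted query and zero through the parameterized one; a grep for f-strings or `%` formatting next to `execute(` is a quick way to audit a codebase for the unsafe pattern.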
6 AI Fairness & Bias Transparency
TalentLane's AI features are advisory tools — employers make all final hiring decisions. No AI output on this platform automatically determines hiring outcomes or replaces human judgment.
- Our candidate matching model scores candidate-job fit based on skills, experience, and role requirements — it does not consider or infer protected characteristics (race, gender, age, national origin, disability status).
- Resume data sent to AI models is processed without demographic inference. We do not use or permit proxy signals for protected classes in our AI prompts or scoring logic.
- AI outputs — including resume scores, job quality scores, and candidate match scores — do not feed automatically into any hiring decision without human review.
- Employers are responsible for their own compliance with applicable employment law, including EEOC, OFCCP, and state-level fair employment requirements, in their use of TalentLane's AI tools.
- We review AI prompt design periodically and update prompts to reduce the potential for biased outputs.
- Enterprise customers may request a summary of AI model behavior, prompt design, and subprocessor details by contacting security@talentlane.biz.
7 Subprocessors & Vendors
The following third-party subprocessors may process Personal Data on behalf of TalentLane. Each is contractually bound to appropriate data protection obligations.
| Subprocessor | Service | Data Processed | Security Certification |
|---|---|---|---|
| Auth0 (Okta) | Authentication & identity | Email, OAuth ID, display name | SOC 2 Type II, ISO 27001 |
| Amazon Web Services | Hosting, S3, SES, SNS | Files, emails, delivery events | SOC 2 Type II, ISO 27001, PCI DSS |
| Stripe | Payment processing | Billing metadata only — no candidate or seeker data | PCI DSS Level 1, SOC 1 & 2 |
| Anthropic | Claude AI API | Resume text, job descriptions (on-demand only, when AI features are used) | SOC 2 Type II |
| PostgreSQL (self-hosted) | Application database | All application data | Secured within AWS VPC; access restricted |
A full list of subprocessors with data processing details is available in our Data Processing Agreement.
8 Incident Response & Breach Notification
- We maintain an internal incident response process covering detection, containment, eradication, and recovery for security events.
- In the event of a breach affecting personal data, we will notify affected users within 72 hours of discovery — consistent with the GDPR Article 33 timeline.
- For enterprise customers with an active Data Processing Agreement (DPA), breach notification will also be sent directly to the designated security contact on record.
- Post-incident: root cause analysis is documented internally and remediation is tracked to completion. Where the breach involves a subprocessor, we coordinate directly with that vendor.
9 Compliance Posture
| Framework | Status | Notes |
|---|---|---|
| GDPR | Compliant | SCCs in place with all subprocessors. DPA available on request for enterprise customers. |
| CCPA / CPRA | Compliant | No sale of personal information. California consumer rights honored on request. |
| SOC 2 Type II | Roadmap | Formal audit preparation in progress. Targeted for completion in 2026. |
| ISO 27001 | Roadmap | Targeted after SOC 2 Type II completion. |
| PCI DSS | N/A — Delegated | Stripe handles all card data. TalentLane is not a merchant of record for cardholder data. |
| EEOC / OFCCP | Advisory | AI tools are advisory only. Employers are responsible for employment law compliance in their hiring processes. |
10 Responsible Disclosure
We welcome reports of security vulnerabilities from the security community. If you believe you have found a security issue in TalentLane:
- Email security@talentlane.biz with the subject line "Vulnerability Report"
- Include: a description of the issue, steps to reproduce, and potential impact
- We will acknowledge receipt within 2 business days and provide a resolution timeline
- Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate
- We do not currently offer a bug bounty program, but we genuinely appreciate responsible disclosure from the security community
11 Contact Security Team
Security issues & vulnerability reports: security@talentlane.biz
Enterprise security reviews & questionnaires: security@talentlane.biz — subject line "Enterprise Security Review"
DPA requests: legal@talentlane.biz — or view the DPA template
Privacy requests: privacy@talentlane.biz
For enterprise security questionnaires, we aim to respond within 3 business days. Include your company name, the tool or portal you are using, and any deadline in your initial email.