Skip to content

Trust & security

How Hireable protects your data: where it lives, who can see it, and what we stand behind. Written in plain English for the people who evaluate us, and for everyone who trusts us with their career. We would rather tell you plainly what we do and do not have than decorate a page with badges.

Where your data lives

Hireable runs on Google Cloud in London (europe-west2). Your profile, CVs, applications, contacts and uploaded files are all stored there.

There are named exceptions, and we list them rather than round them off. Interview practice recordings are stored in a Hireable-controlled Amazon Web Services bucket in Stockholm (eu-north-1, in the EU). Card details never touch Hireable systems at all: payments run entirely on Stripe, a PCI DSS Level 1 provider, and we hold only your plan and billing status, never payment instruments.

Encryption

Every connection travels over TLS, and browsers are instructed never to downgrade. At rest, every datastore is encrypted with AES-256 under Google-managed keys. That is a platform guarantee rather than something we built, and we say so plainly.

The most sensitive credentials we hold, such as the email tokens you grant for outreach, get a further layer of application-level encryption on top, each under its own independently rotatable key. They are decrypted only on our servers and never returned through any interface.

Who can access your data

Sign-in uses short-lived, cryptographically signed identity tokens that are verified on every request. There are no long-lived session cookies to steal, and permissions travel inside the signed token, so they cannot be forged in the browser.

For organisations, your own administrators see your organisation data and nothing else; membership is checked on every request. A small set of Hireable staff can administer the platform, and every administrative action they take is written to an append-only audit log that nothing in our software can edit or delete.

Backups and recovery

The live database is protected by daily automated backups retained for 30 days, plus a 7-day point-in-time recovery window. When data is deleted, it ages out of backups within that 30-day window.

Uptime

Business customers get a contractual commitment of 99.5% monthly uptime, with service credits if we miss it. Internally we engineer to a tighter 99.9% target, so credits should rarely trigger.

Uptime is measured by an independent monitoring check that polls our production health endpoint every 5 minutes, from outside our own infrastructure. Monthly availability data is available to business customers on request. There is no public status page yet; we would rather tell you that than promise one, and priority incidents are communicated to your administrator by email.

AI that works for you, not on you

Every AI feature in Hireable, from CV coaching to interview practice to applying on your behalf, is a tool you direct for your own benefit. No employer receives Hireable scores, rankings or assessments of you, and no hiring decision is made or informed by our systems.

Your Career Concierge is openly an AI and never pretends otherwise. Any action with a real consequence, such as sending an email or submitting job applications, is proposed first and carried out only when you explicitly confirm it.

We do not train models on your personal data. That promise is enforced in the software itself, not just written in a policy: a deployed service configured to capture personal data for training refuses to start.

GDPR and third parties

GDPR applies in full to everything we do. Business customers receive a data processing agreement in which Hireable acts as processor, covering breach notification within 48 hours, standard retention of 12 months after a programme ends, and international transfers under the UK IDTA and EU Standard Contractual Clauses.

A small set of carefully chosen third parties process data on our behalf: Google Cloud for hosting, Stripe for payments, Tavus for interview video, and others. We maintain a full subprocessor list and give business customers 30 days notice of changes, with a right to object.

What we don't claim

We hold no SOC 2 or ISO 27001 certification yet, and we would rather say so than imply otherwise. Our position instead is verifiability: every claim on this page is checked against the running platform before it ships, and we publish our engineering protections rather than keep them internal. If you are evaluating Hireable and need more depth, ask us and we will show our work.

Last reviewed: July 2026 · Questions: joe@gethireable.com