1. Encryption
Data at Rest
- AES-256 encryption — All candidate data, audit logs, and compliance records encrypted at rest on Supabase (PostgreSQL)
- Candidate identifiers hashed before storage — Names, emails, and SSNs never stored in plaintext
- Database backups encrypted with same AES-256 standard
Data in Transit
- TLS 1.3 — All API calls, webhook payloads, and client-server communication encrypted in transit
- Enforced HTTPS across all endpoints (Render API, Netlify CDN, Auth0)
- No fallback to HTTP; mixed-content requests blocked
What We Don't Claim: We do not offer end-to-end encryption or a zero-knowledge architecture. F.A.S. operates on a verified trust model in which authorized compliance officers review candidate data, which by design requires decryption at the application layer for human analysis.
2. Authentication & Access Control
Role-Based Access Control (RBAC)
- Auth0 multi-tenant RBAC — Each organization isolated; no cross-tenant data leakage
- Three roles:
  - HR Lead: Run analyses, view own company's audit results
  - Compliance Officer: Review all audits, override low/medium risk flags, escalate high-risk
  - Executive Sponsor: View executive summary + high-risk escalations only (scoped elevation)
Access Elevation & Dual Authorization
- Scoped elevation: Executives see candidate details only for HIGH-risk rejections requiring their override
- Dual authorization required: Baseline configuration changes require sign-off from both a Compliance Officer and an Executive Sponsor
- All access attempts logged with timestamp, user, and action taken
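The three roles, the scoped elevation for Executive Sponsors and the dual-authorization rule above, written out as authorization checks in Node.js (the API layer's language). This is an added example, not ALS Consulting's code: the role and risk strings, the shape of the user and audit records, the rule that the two approvers must be different users, and the in-memory access log are assumptions for illustration.

```javascript
// Added example (not ALS Consulting's code): authorization checks for the three
// F.A.S. roles. Role names and risk levels follow the page; record shapes, the
// distinct-approver rule and the in-memory log are assumptions for illustration.

const ROLES = Object.freeze({
  HR_LEAD: 'hr_lead',
  COMPLIANCE_OFFICER: 'compliance_officer',
  EXECUTIVE_SPONSOR: 'executive_sponsor',
});
const RISK = Object.freeze({ LOW: 'low', MEDIUM: 'medium', HIGH: 'high' });

// Constructed sample users (two tenants) and audit records.
const users = {
  hr:        { id: 'u1', tenantId: 'acme',   role: ROLES.HR_LEAD },
  officer:   { id: 'u2', tenantId: 'acme',   role: ROLES.COMPLIANCE_OFFICER },
  exec:      { id: 'u3', tenantId: 'acme',   role: ROLES.EXECUTIVE_SPONSOR },
  otherExec: { id: 'u9', tenantId: 'globex', role: ROLES.EXECUTIVE_SPONSOR },
};
const audits = {
  lowRisk:  { id: 'a1', tenantId: 'acme', risk: RISK.LOW,  awaitingExecOverride: false },
  highRisk: { id: 'a2', tenantId: 'acme', risk: RISK.HIGH, awaitingExecOverride: true },
};

// Tenant isolation comes first: the right role in the wrong organization never grants access.
function sameTenant(user, resource) {
  return user.tenantId === resource.tenantId;
}

// Candidate-level detail: HR Leads and Compliance Officers see their own tenant's audits;
// Executive Sponsors are scoped to HIGH-risk rejections that are waiting on their override.
function canViewCandidateDetails(user, audit) {
  if (!sameTenant(user, audit)) return false;
  switch (user.role) {
    case ROLES.HR_LEAD:
    case ROLES.COMPLIANCE_OFFICER:
      return true;
    case ROLES.EXECUTIVE_SPONSOR:
      return audit.risk === RISK.HIGH && audit.awaitingExecOverride === true;
    default:
      return false;
  }
}

// Overrides: Compliance Officers clear low/medium flags; high-risk flags escalate to the executive.
function canOverrideFlag(user, audit) {
  if (!sameTenant(user, audit)) return false;
  if (user.role === ROLES.COMPLIANCE_OFFICER) return audit.risk !== RISK.HIGH;
  if (user.role === ROLES.EXECUTIVE_SPONSOR) return audit.risk === RISK.HIGH;
  return false;
}

// Dual authorization for a baseline configuration change: at least one Compliance Officer
// and one Executive Sponsor of the same tenant must sign off, and (assumed) not the same person.
function baselineChangeAuthorized(tenantId, approvals) {
  const inTenant = approvals.filter((a) => a.tenantId === tenantId);
  const officers = inTenant.filter((a) => a.role === ROLES.COMPLIANCE_OFFICER);
  const execs = inTenant.filter((a) => a.role === ROLES.EXECUTIVE_SPONSOR);
  return officers.some((o) => execs.some((e) => e.id !== o.id));
}

// Every attempt is logged, allowed or denied, with timestamp, user and action taken.
function authorize(user, action, audit, log) {
  let allowed = false;
  if (action === 'view_details') allowed = canViewCandidateDetails(user, audit);
  else if (action === 'override') allowed = canOverrideFlag(user, audit);
  log.push({
    at: new Date().toISOString(),
    user: user.id,
    tenant: user.tenantId,
    action,
    audit: audit.id,
    allowed,
  });
  return allowed;
}

// Stand-alone run: the executive is denied the low-risk record but allowed the high-risk one.
const demoLog = [];
authorize(users.exec, 'view_details', audits.lowRisk, demoLog);
authorize(users.exec, 'view_details', audits.highRisk, demoLog);
console.log(demoLog);
```

The tenant check sits in front of every role decision so that a role can never widen access across organizations, and denied attempts are logged with the same fields as allowed ones, which is what makes the log usable as evidence later.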
Multi-Factor Authentication (MFA)
Status: Auth0 supports MFA (TOTP, SMS, push notifications). MFA is available for enterprise clients on request; standard deployments use password + session-based authentication.
3. Data Handling & Retention
Anonymization & Hashing
- Candidate identifiers hashed before storage — The internal system keys on hashed IDs; the original identifiers are stored encrypted and isolated from the audit data
- Audit reports display candidate reference numbers, not names (configurable by client preference)
Retention & Deletion
- 90-day deletion post-termination: Audit data auto-deletes after 90 days unless legal hold is requested
- Legal holds respected indefinitely
- Clients can request manual deletion at any time (subject to legal requirements)
GDPR & International Compliance
- GDPR Article 6 (Lawful Basis): Processing relies on legitimate interest (Art. 6(1)(f)) and performance of a contract (Art. 6(1)(b))
- GDPR Article 21 (Right to Object): Candidates can request exclusion from future audits
- Data residency: EU candidate data stored on Supabase EU region (if requested)
- DPA available for enterprise customers
Audit Trail & Chain of Custody
- All audit decisions logged with timestamp, user, and reasoning
- Local encrypted backups maintained for 12 months for regulatory audits
4. Infrastructure Security
Architecture Overview
| Layer | Technology | Purpose |
| --- | --- | --- |
| API Layer | Render (Node.js) | Stateless, autoscaling |
| Database | Supabase (PostgreSQL) | Encrypted, daily backups, HA failover |
| CDN & Hosting | Netlify | Edge caching, SSL/TLS termination |
| Identity & Auth | Auth0 | Multi-tenant, SSO, RBAC enforcement |
| Payments | Stripe | PCI-DSS Level 1, tokenization only |
| Notifications | Resend | SMTP delivery, TLS encryption |
| Audit Engine | Anthropic (Claude API) | Structured classification for 7-lane forensic analysis |
| Source Control | GitHub | Code repositories (no candidate data) |
Database Access & API Security
- No direct public database access — All queries are routed through the authenticated Render API, which verifies the caller's tenant before touching data
- Webhook endpoint validation: Requests must carry a valid API key and a per-tenant HMAC-SHA256 signature
- Rate limiting: Burst 100 req/sec; sustained 1000 req/hour
- SQL injection protection via parameterized queries
Network Security
- All inbound traffic routed through Netlify edge with bot detection
- Outbound requests from Render originate from fixed IP ranges so that Stripe, Resend, and Auth0 can allowlist them
- VPC isolation: Internal services do not expose ports to public internet
Offline Backups & Chain of Custody
Offline Backup: ALS Consulting maintains AES-256 encrypted local backups of immutable audit trails and decision logs at our Winston-Salem, NC facility. This provides physical custody for chain-of-custody requirements and disaster recovery independent of cloud providers. Retrieval requires dual authorization.
Anthropic Claude API — Disclosure & Data Handling
- F.A.S. uses Anthropic's Claude API as a structured classification engine — not a generative decision-maker
- The 7 compliance lanes are deterministic rule-based frameworks with fixed thresholds
- Claude API parses rejection payloads and maps them to pre-defined categories
- Final risk score, blocking decision, and escalation logic are determined by ALS Consulting's proprietary code
- All Claude outputs are advisory; every flagged decision requires human review by a compliance officer before it binds
- API inputs are processed in real-time and not retained by Anthropic beyond the session
- ALS Consulting is actively negotiating a Data Processing Agreement (DPA) with Anthropic
5. Compliance & Audits
Subprocessor Compliance & Certifications
Core infrastructure subprocessors maintain current SOC 2 Type II or an equivalent certification where applicable:
- Supabase — SOC 2 Type II (database, backups, infrastructure)
- Render — SOC 2 Type II (application hosting, compute)
- Netlify — SOC 2 Type II (CDN, hosting)
- Auth0 — SOC 2 Type II (identity, authentication)
- Stripe — PCI-DSS Level 1 (payment processing)
- Resend — TLS 1.3 transport encryption for email notifications (no certification listed)
- GitHub — SOC 2 Type II (source control, no candidate data)
- Anthropic — Structured classification engine. API inputs processed in real-time, not retained beyond session. DPA in negotiation.
ALS Consulting Security Posture
Current Status: ALS Consulting is preparing for SOC 2 Type I assessment in Q3 2026. We do not yet hold SOC 2 certification.
Enterprise Audit Support
- Subprocessor SOC 2 Type II reports available upon request
- DPA available for enterprise contracts
- Security questionnaires responded to within 5 business days
- Penetration testing planned for Q3 2026
Regulatory Alignment
- GDPR: Lawful basis documented; DPA available; right-to-deletion honored
- CCPA: Consumer rights enforced at organization level
- HIPAA: Not in scope for F.A.S. (no PHI processing)
- State AI Laws: Audit output designed to support emerging state AI hiring regulations, including Illinois, California, and Colorado employment AI requirements
6. Incident Response
Detection & Containment
- Continuous monitoring: Render, Supabase, and Auth0 configured with real-time alerts
- Incident classification: Low / Medium / High
- High-severity containment: Isolate systems, preserve logs, revoke credentials, block endpoints
Notification Protocol
- 72-hour breach notification to affected organizations
- Notification to designated security contacts via email
- Law enforcement notification coordinated with customers' legal teams
Remediation & Recovery
- Full forensic review post-incident
- Public incident summary within 5 business days (if impact >50 users)
- Remediation status shared bi-weekly until resolved
Reporting & Communication
- Incident contact: algorithmicbiasaudits@gmail.com
- Subject line: [SECURITY INCIDENT] Organization Name — Brief Description
- Response time: Initial acknowledgment within 2 hours; full response within 24 hours
7. Questions & Support
Security Inquiries
Vulnerability Disclosure
Updates & Change Log
Security updates published quarterly via email to registered security contacts.