This page describes how Hirex builds, hosts, and operates the platform. It's written for the security engineer or compliance officer running your vendor review, not the marketing team.
For specific questions not answered here, email [email protected]. We respond same-day to enterprise security reviews.
Hosting and infrastructure
Hirex's application and database run on Amazon Web Services in Ireland (eu-west-1) via the Heroku Platform-as-a-Service; file storage is on Cloudflare R2. Production hosting, database, file storage, and message queues are all located in the EU.
The application stack:
- Edge: Cloudflare, providing the WAF (OWASP managed rules), L3/L4/L7 DDoS protection, bot management, TLS termination, and (for single-tenant deployments) IP allowlisting
- Application layer: hosted on the Heroku Platform-as-a-Service
- Database: Heroku Postgres (managed PostgreSQL)
- Cache and queue: Heroku Redis
- File storage: Cloudflare R2 (résumés, attachments, interview recordings)
- Background work: asynchronous task workers on Heroku dynos
Tenant isolation
By default, Hirex runs multi-tenant: customers share infrastructure with strict logical separation. Every request and every query is scoped to the tenant of the authenticated session, so a session belonging to one customer cannot read or modify another customer's data.
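As an added illustration of the per-request scoping described above (example code, not Hirex's own implementation; the schema, the sample rows and the in-memory SQLite stand-in for Postgres are all constructed for the demo), the property a reviewer should look for is that the tenant identifier comes from the authenticated session rather than from anything the caller supplies, and that it is a predicate on every statement, reads and writes alike, so a record id that belongs to another tenant behaves exactly like a record that does not exist:

```python
"""Tenant-scoped data access: an illustration of "every query is scoped to
the tenant".  Added example, not Hirex's code.  The schema, sample data and
in-memory SQLite database (standing in for Postgres) are constructed here."""
import sqlite3
from dataclasses import dataclass
from typing import List, Optional

SCHEMA = """
CREATE TABLE tenants (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE candidates (
    id        INTEGER PRIMARY KEY,          -- globally unique across tenants
    tenant_id INTEGER NOT NULL REFERENCES tenants(id),
    email     TEXT    NOT NULL
);
"""

# Constructed sample data: two tenants.  Candidate ids are global, so a raw
# id lookup without a tenant predicate can cross the tenant boundary.
SAMPLE_TENANTS = [(1, "Acme Ltd"), (2, "Globex plc")]
SAMPLE_CANDIDATES = [
    (1, 1, "alice@example.com"),
    (2, 1, "bob@example.com"),
    (3, 2, "carol@example.net"),
]


def build_db() -> sqlite3.Connection:
    """Create the demo database in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tenants VALUES (?, ?)", SAMPLE_TENANTS)
    conn.executemany("INSERT INTO candidates VALUES (?, ?, ?)", SAMPLE_CANDIDATES)
    conn.commit()
    return conn


@dataclass(frozen=True)
class Session:
    """What the application knows about the caller after authentication.
    The tenant is taken from here, never from a request parameter."""
    user_id: int
    tenant_id: int


class TenantScopedRepo:
    """Every statement carries the tenant predicate, so a candidate id that
    belongs to another tenant is indistinguishable from a missing id."""

    def __init__(self, conn: sqlite3.Connection, session: Session):
        self._conn = conn
        self._tenant_id = session.tenant_id

    def get_candidate(self, candidate_id: int) -> Optional[dict]:
        row = self._conn.execute(
            "SELECT id, tenant_id, email FROM candidates "
            "WHERE id = ? AND tenant_id = ?",
            (candidate_id, self._tenant_id),
        ).fetchone()
        return dict(row) if row else None

    def list_candidate_emails(self) -> List[str]:
        rows = self._conn.execute(
            "SELECT email FROM candidates WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,),
        ).fetchall()
        return [r["email"] for r in rows]

    def update_email(self, candidate_id: int, email: str) -> int:
        """Return the number of rows changed.  0 means the id is not in this
        tenant, so writes cannot cross the boundary either."""
        cur = self._conn.execute(
            "UPDATE candidates SET email = ? WHERE id = ? AND tenant_id = ?",
            (email, candidate_id, self._tenant_id),
        )
        self._conn.commit()
        return cur.rowcount


def unscoped_get_candidate(conn: sqlite3.Connection, candidate_id: int) -> Optional[dict]:
    """The anti-pattern: a lookup keyed on the global id alone.  Any
    authenticated user who guesses an id reads another tenant's record
    (an insecure direct object reference)."""
    row = conn.execute(
        "SELECT id, tenant_id, email FROM candidates WHERE id = ?",
        (candidate_id,),
    ).fetchone()
    return dict(row) if row else None


if __name__ == "__main__":
    db = build_db()
    acme = TenantScopedRepo(db, Session(user_id=10, tenant_id=1))
    print(acme.list_candidate_emails())          # only Acme's two candidates
    print(acme.get_candidate(3))                 # None: id 3 belongs to Globex
    print(unscoped_get_candidate(db, 3))         # leaks Globex's row
    print(acme.update_email(3, "x@example.com")) # 0 rows changed
```

The unscoped lookup is the defect this pattern prevents. On Postgres the same predicate can additionally be enforced below the application with row-level security policies keyed on a per-connection setting, so that a query which forgets the tenant clause returns nothing rather than everything; the page does not say whether Hirex does this, and it is a reasonable question to ask in a vendor review.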
On request, customers that require it can run on a single-tenant deployment on dedicated infrastructure:
- A dedicated Heroku application instance
- A dedicated Heroku Postgres database
- Dedicated Heroku Redis instances
- Tenant-specific IP allowlist enforced at the Cloudflare WAF
In a single-tenant deployment, customer data, code path, and network ingress are separated at the infrastructure level. Talk to us if single-tenant deployment is a requirement for your organisation.
Encryption
- In transit: TLS 1.2 and TLS 1.3; plain HTTP requests are redirected to HTTPS. Internal service-to-service traffic on Heroku is also TLS-secured, and Redis connections require TLS.
- At rest: AES-256 for Postgres, Cloudflare R2, and Heroku-managed backups.
- Key management: encryption keys are held and rotated by the underlying providers (AWS/Heroku for Postgres and backups, Cloudflare for R2) under their own key management practice; Hirex does not operate its own key management.
Access controls (Hirex personnel)
Access to production systems is restricted on the principle of least privilege.
- A small number of named engineers have production access, granted on the basis of need
- Mandatory multi-factor authentication for all personnel access
- Privileged access is granted just-in-time, logged, and reviewed
- Routine support does not use direct production database access; support tooling goes through approved interfaces
- Hirex personnel do not access customer data except as needed to provide support, investigate a security event, or comply with a legal obligation. Every such access is logged.
Access controls (customer-side)
Customers configure their tenant's access controls through Hirex's admin interface:
- Role-based access control (RBAC): define roles with specific permissions and visibility scopes; assign per-user overrides where needed
- Single sign-on (SSO): available on request; supports Microsoft Entra ID (formerly Azure AD), Google Workspace, and any SAML 2.0 identity provider
- Two-factor authentication (2FA): available on request; TOTP-based, so it works with standard authenticator apps
- Audit logging: a comprehensive log of actions taken in the tenant, accessible to customer administrators
- Session controls: configurable session timeout and forced re-authentication for sensitive actions
Backups and disaster recovery
- Database backups: Heroku Postgres continuous protection, giving point-in-time recovery within the retention window
- File backups: Cloudflare R2 with object versioning
- Recovery objectives: RPO of 1 hour and RTO of 4 hours for the standard tier; tighter objectives are negotiable for enterprise
- Backup data is encrypted and segregated from production credentials
Monitoring and incident response
The platform is monitored 24×7 via:
- Sentry: application error tracking and crash reporting
- Scout APM: application performance monitoring with query-level visibility
- BetterStack (Logtail): centralized log aggregation
- Cloudflare: WAF event logs and bot detection signals
- Uptime monitoring with paging on availability events
We maintain a documented Incident Response Policy with defined severity classifications, escalation paths, and post-incident review procedures. Major incidents are communicated via our status page at status.gethirex.com.
In the event of a Personal Data Breach affecting customer data, we notify the affected customer without undue delay and in any event within 72 hours of becoming aware. The notification includes the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and mitigation measures taken (as set out in our Data Processing Addendum).
Secure development
- Documented Secure Development Policy aligned with OWASP Top 10
- Mandatory code review on every change before merge
- Static Application Security Testing (SAST) integrated into the CI/CD pipeline
- Dependency scanning for known vulnerabilities
- Automated test suite must pass before deployment
- Deployments go out live, with no scheduled maintenance downtime
- Version control via GitHub with branch protection and signed commits
We engage qualified third parties to conduct penetration testing on an annual cadence, with findings tracked to remediation. We also maintain a vulnerability disclosure programme; researchers can report findings to [email protected], and we commit to non-retaliation for good-faith disclosure.
Data retention and deletion
Customer Personal Data is retained for the duration of the customer's subscription. Customers can configure region-specific retention policies for candidate data through the application.
On termination of the customer relationship:
- Customer data is deleted from production systems within 15 days
- Customer data is purged from backup systems within 45 days
- Deletion follows NIST SP 800-88 (Guidelines for Media Sanitization)
Customers can export their data at any time through the application or via the API.
Certifications
ISO 27001: certification in progress. We operate to the ISO 27001 control set in practice but are not yet certified.
SOC 2 Type II: planned to follow ISO 27001.
Underlying infrastructure: AWS is independently certified across ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI DSS, and is GDPR-aligned. Heroku is certified for ISO 27001, ISO 27017, ISO 27018, and SOC 1/2/3. Cloudflare holds ISO 27001 and SOC 2 Type II. These attestations cover the providers' own infrastructure and operations, not Hirex's application layer.
When ISO 27001 certification is awarded, the certificate and audit report will be available under NDA on request.
Uptime
Hirex's standard Service Level Agreement is 99.5% uptime, which allows roughly 3.6 hours of unavailability in a 30-day month. Historical uptime can be reviewed at status.gethirex.com.
Enterprise tier customers can negotiate higher SLAs.
Sub-processors
The complete list of third parties that process customer data on Hirex's behalf is published on our Sub-processors page. Customers are notified at least 30 days before any new sub-processor is added.
Contact
- Security questions and enterprise security reviews: [email protected]
- Vulnerability reports: [email protected]
- Data Protection Officer: Burak Yılmaz, [email protected]
