greenroom

Security & Trust

Last updated: May 15, 2026 · Questions? greenroomprep@gmail.com

Greenroom screens job candidates using an AI voice interviewer. We treat the data passing through that pipeline — names, voices, transcripts, scores — as sensitive personal data, and we build accordingly. This page summarizes how.

Compliance status

FrameworkStatusNotes
GDPR (EU)LiveData export & deletion on request; lawful basis = contract / consent.
NYC Local Law 144 (AEDT)LiveCandidate-facing notice and consent on every screening. Annual bias audit summary below.
EU AI Act (high-risk recruitment AI)In progressDocumentation & human-oversight controls being rolled out ahead of 2026 enforcement.
SOC 2 Type IIIn progressObservation window open. Report expected Q4 2026. Pre-report letter available under NDA.
ISO 27001Planned 2027Following SOC 2.
HIPAA / PCI-DSSOut of scopeWe don't process health or payment-card data. Payments are tokenised via Stripe / Razorpay.

Infrastructure & data

Hosting
Application hosted on Render (US-East). Database hosted on Supabase (managed Postgres, US-East). Cloudflare in front for DDoS mitigation and TLS termination.
Encryption
TLS 1.2+ in transit (HSTS enforced). AES-256 at rest on Supabase and on object storage for audio recordings.
Authentication
Email + password (PBKDF2-SHA256, 260k iterations, per-account salt) or OAuth (Google, GitHub, LinkedIn). JWTs signed HS256. SSO/SAML available on Enterprise.
Backups
Database backed up daily with point-in-time recovery (7 days). Audio recordings retained per policy below.

Data retention

Your rights (GDPR, CCPA, LL144)

Email greenroomprep@gmail.com with proof of identity. We respond within 30 days (most under 7).

AI bias audit (NYC Local Law 144)

Greenroom's AEDT is independently audited annually. The audit measures selection-rate disparities by sex, race/ethnicity, and intersectional categories using the four-fifths rule and statistical parity tests.

Most recent audit — Q1 2026, conducted by an independent assessor.
Result — Impact ratios within acceptable range across all measured categories. Full report and methodology available on request to greenroomprep@gmail.com.
Next audit — Q1 2027.

The model evaluates job-related qualifications only: communication clarity, relevant experience, technical accuracy, and role-specific knowledge. It does not have access to candidate names, photos, addresses, or any protected characteristic during scoring.

Human oversight

Greenroom is decision-support, not decision-maker. Final hiring decisions are made by a human reviewer at the hiring company. Scorecards include the full transcript, audio, and integrity signals so reviewers can validate any AI-generated assessment.

Subprocessors

VendorPurposeLocation
RenderApplication hostingUSA
SupabaseDatabase, auth storage, object storageUSA
CloudflareCDN / DDoS / TLSGlobal
OpenAILLM (interview reasoning, scoring)USA · zero data retention API tier
ResendTransactional emailUSA / EU
StripePayments (global)USA
RazorpayPayments (India)India

Application security

Incident response

We notify affected customers within 72 hours of confirming a security incident that materially affects their data, per GDPR Art. 33. Disclosures include scope, root cause, mitigations, and customer actions required.

Responsible disclosure

Found a vulnerability? Email greenroomprep@gmail.com. We acknowledge within 48 hours and won't pursue legal action against good-faith research.

Need a DPA, SOC 2 pre-report, or security questionnaire completed?
Email greenroomprep@gmail.com — we'll respond within one business day.