Security & Trust
Greenroom screens job candidates using an AI voice interviewer. We treat the data passing through that pipeline — names, voices, transcripts, scores — as sensitive personal data, and we build accordingly. This page summarizes how.
Compliance status
| Framework | Status | Notes |
|---|---|---|
| GDPR (EU) | Live | Data export & deletion on request; lawful basis = contract / consent. |
| NYC Local Law 144 (AEDT) | Live | Candidate-facing notice and consent on every screening. Annual bias audit summary below. |
| EU AI Act (high-risk recruitment AI) | In progress | Documentation & human-oversight controls being rolled out ahead of 2026 enforcement. |
| SOC 2 Type II | In progress | Observation window open. Report expected Q4 2026. Pre-report letter available under NDA. |
| ISO 27001 | Planned 2027 | Following SOC 2. |
| HIPAA / PCI-DSS | Out of scope | We don't process health or payment-card data. Payments are tokenised via Stripe / Razorpay. |
Infrastructure & data
Application hosted on Render (US-East). Database hosted on Supabase (managed Postgres, US-East). Cloudflare in front for DDoS mitigation and TLS termination.
TLS 1.2+ in transit (HSTS enforced). AES-256 at rest on Supabase and on object storage for audio recordings.
Email + password (PBKDF2-SHA256, 260k iterations, per-account salt) or OAuth (Google, GitHub, LinkedIn). JWTs signed HS256. SSO/SAML available on Enterprise.
Database backed up daily with point-in-time recovery (7 days). Audio recordings retained per policy below.
Data retention
- Candidate audio & transcripts — retained until the hiring decision is made, up to 12 months. Deleted sooner on request.
- Scorecards & integrity reports — retained for 24 months to support bias-audit reproducibility (NYC LL144 requires retention of inputs/outputs).
- Company account data — retained while the account is active; deleted within 30 days of account closure.
- Webcam video — only collected when the hiring company enables proctoring; retained for 90 days max.
Your rights (GDPR, CCPA, LL144)
- Access — request a copy of all data we hold on you.
- Deletion — request erasure of your data (account holders can also self-serve in Settings).
- Correction — request fixes to inaccurate data.
- Alternative selection process — candidates evaluated by our AEDT may request a non-automated alternative directly from the hiring company.
- Withdraw consent — stop processing at any time; we'll delete remaining session data.
Email greenroomprep@gmail.com with proof of identity. We respond within 30 days (most under 7).
AI bias audit (NYC Local Law 144)
Greenroom's AEDT is independently audited annually. The audit measures selection-rate disparities by sex, race/ethnicity, and intersectional categories using the four-fifths rule and statistical parity tests.
Result — Impact ratios within acceptable range across all measured categories. Full report and methodology available on request to greenroomprep@gmail.com.
Next audit — Q1 2027.
The model evaluates job-related qualifications only: communication clarity, relevant experience, technical accuracy, and role-specific knowledge. It does not have access to candidate names, photos, addresses, or any protected characteristic during scoring.
Human oversight
Greenroom is decision-support, not decision-maker. Final hiring decisions are made by a human reviewer at the hiring company. Scorecards include the full transcript, audio, and integrity signals so reviewers can validate any AI-generated assessment.
Subprocessors
| Vendor | Purpose | Location |
|---|---|---|
| Render | Application hosting | USA |
| Supabase | Database, auth storage, object storage | USA |
| Cloudflare | CDN / DDoS / TLS | Global |
| OpenAI | LLM (interview reasoning, scoring) | USA · zero data retention API tier |
| Resend | Transactional email | USA / EU |
| Stripe | Payments (global) | USA |
| Razorpay | Payments (India) | India |
Application security
- Passwords hashed with PBKDF2-SHA256 (260,000 iterations, per-account salt). Never logged.
- All routes that touch company data require a valid JWT and verify ownership (
company_id) on every query. - Rate limiting on authentication endpoints. Disposable email domains blocked at signup.
- Email verification required for new B2B accounts.
- Dependency vulnerabilities monitored continuously; critical CVEs patched within 7 days.
- Annual third-party penetration test (next: Q3 2026).
Incident response
We notify affected customers within 72 hours of confirming a security incident that materially affects their data, per GDPR Art. 33. Disclosures include scope, root cause, mitigations, and customer actions required.
Responsible disclosure
Found a vulnerability? Email greenroomprep@gmail.com. We acknowledge within 48 hours and won't pursue legal action against good-faith research.
Email greenroomprep@gmail.com — we'll respond within one business day.