Security Overview

Overview

RecruitScanner handles recruiting emails and prospect information for customer workspaces. This page summarizes the current security posture and the controls planned as RecruitScanner grows.

Access Control

• Users must authenticate before accessing the app.
• Workspace data is scoped by membership and role.
• System administration routes require system administrator access.
• Member invitation and password setup links are one-time, time-limited tokens.

Data Protection

• Production traffic is served over HTTPS.
• Database access uses managed Postgres credentials stored as deployment secrets.
• Application secrets and API keys are configured through environment variables.
• Audit logs record important account, workspace, prospect, and email-processing actions.

Email Processing

Inbound recruiting email is accepted through the configured processing mailbox and routed to a customer workspace only when the sender is authorized. Failed, unauthorized, duplicate, and needs-review messages are visible for administrative review.

AI Processing

RecruitScanner treats recruiting email content as untrusted input. The parser is instructed to ignore instructions inside forwarded email content and only extract recruiting data. Coaches should review extracted fields before use.

Planned Controls Before Broader Launch

• Formal route-level permission audit.
• Application error monitoring and failure alerts.
• Documented backup and restore procedure.
• Data retention and deletion workflow.
• Expanded usage and cost monitoring.

Contact

Security questions can be sent to support@recruitscanner.com.