Security at Petal
Bank-grade security for your recruitment data
Enterprise-Grade Infrastructure
Our infrastructure leverages enterprise-grade security across all components, including SOC 2 Type 2 and ISO 27001 certified systems through Neon PostgreSQL and Modal. All data is encrypted both in transit (TLS 1.3) and at rest (AES-256), with CV documents stored securely in Google Cloud Storage using UK-based data centers and time-limited access URLs that expire after 15 minutes.
We've implemented a comprehensive audit trail system that tracks all document access, recording who accessed which documents, when, and from where - maintaining these logs for 7 years to meet legal compliance requirements.
Authentication & Access Control
Authentication is handled through Clerk with mandatory multi-factor authentication, secure session management, and role-based access controls. Every login attempt is monitored, and suspicious activities trigger immediate security alerts.
- Multi-factor authentication (SMS, TOTP, backup codes)
- Secure JWT-based session management
- 30-minute automatic session timeout
- Role-based access controls (Admin, Reviewer, Viewer)
Document Storage & Encryption
Your Documents Are Secure
- Stored in Google Cloud Storage UK data centers (europe-west2)
- AES-256 encryption at rest
- Time-limited signed URLs (15-minute expiry)
- Immediate deletion when jobs are removed
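To show what a 15-minute time-limited URL buys you, here is an added example (not Petal's code, and not how Google Cloud Storage's own V4 signing works, which uses service-account keys) that models the pattern with an HMAC over the object path and an expiry timestamp, and rejects expired or tampered links. The signing key, host and object path are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder: the signing key lives only on the server side.
SIGNING_KEY = b"example-signing-key-not-real"
URL_TTL_SECONDS = 15 * 60  # 15-minute expiry, matching the page


def _signature(key: bytes, path: str, expires: int) -> str:
    # Bind the signature to both the object path and its expiry time,
    # so neither can be changed without invalidating the link.
    message = f"{path}\n{expires}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def issue_signed_url(base: str, path: str, now: int, key: bytes = SIGNING_KEY) -> str:
    """Return a link to `path` that stops working URL_TTL_SECONDS after `now`."""
    expires = now + URL_TTL_SECONDS
    query = urlencode({"expires": expires, "sig": _signature(key, path, expires)})
    return f"{base}{path}?{query}"


def verify_signed_url(url: str, now: int, key: bytes = SIGNING_KEY) -> bool:
    """Accept the link only if it is unexpired and its signature matches."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        presented = params["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    if now >= expires:
        return False  # the 15-minute window has closed
    expected = _signature(key, parsed.path, expires)
    # Constant-time comparison avoids leaking the signature byte by byte.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    issued_at = 1_700_000_000
    link = issue_signed_url("https://storage.example.test", "/cvs/candidate-123.pdf", issued_at)
    print(link)
    print("valid 1 min later:", verify_signed_url(link, issued_at + 60))
    print("valid 15 min later:", verify_signed_url(link, issued_at + URL_TTL_SECONDS))
```

A leaked link is therefore only useful until its expiry, and only for the exact object it was issued for.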
AI Processing Security
For AI processing, we utilize Anthropic's Claude with enterprise agreements ensuring zero data retention - meaning candidate information is never stored or used for model training. Our application-layer security controls provide robust access management and complete data isolation between organizations.
Zero Data Retention Policy
Your CV data is processed securely with guarantees that:
- No data is retained by AI providers
- Your data is never used to train AI models
- Processing happens in isolated environments
- Complete data isolation between organizations
Compliance & Certifications
This architecture ensures that Petal meets UK GDPR requirements and aligns with Solicitors Regulation Authority guidance on cloud computing and data protection.
Infrastructure Partners
- Neon: SOC 2 Type 2, ISO 27001
- Modal: SOC 2 Type 2, HIPAA-ready
- Google Cloud: ISO 27001, SOC 2
- Clerk: SOC 2 Type 2, UK GDPR
Legal Compliance
- UK GDPR compliant
- SRA cloud guidance aligned
- 7-year audit log retention
- Right to deletion honored
Comprehensive Audit Trail
Every action in Petal is logged for security and compliance. Our audit system tracks:
- Document Access: Who accessed which CV, when, and from what IP address
- User Actions: Login attempts, settings changes, and permission modifications
- Job Events: Creation, processing, completion, and deletion of screening jobs
- Retention: All logs maintained for 7 years for compliance requirements
Your Security Controls
You have full control over your organization's security settings:
Access Management
Control who in your organization can access documents with role-based permissions
Data Control
Export your data anytime, delete jobs and all associated data immediately
Security Monitoring
View comprehensive audit logs of all activities in your organization
Security Best Practices
We recommend these practices to maximize your security:
- Enable multi-factor authentication for all users
- Use strong, unique passwords
- Regularly review user access permissions
- Monitor audit logs for unusual activity
- Delete old jobs you no longer need
Our Security Commitment
We continuously invest in security to stay ahead of threats. Our security measures are designed to exceed industry standards while remaining user-friendly. Your trust is essential to our business, and we work every day to earn and maintain it.
We conduct regular security audits, penetration testing, and maintain 24/7 security monitoring to ensure your data remains protected.
Questions About Security?
We take security seriously and are happy to answer any questions:
Email: kamal@dove.ac