Security is a shared responsibility. This page describes our controls. If you discover a potential vulnerability, please see our responsible disclosure process below.
Infrastructure
RoleComply is hosted on Amazon Web Services (AWS). EU customer data is stored exclusively in the eu-west-1 region (Dublin, Ireland). We use AWS-managed services with VPC isolation, private subnets, and security group controls. All infrastructure is defined as code with version-controlled configuration.
Encryption
- In transit: all communication between clients and our servers uses TLS 1.2 or higher. We enforce HTTPS with HSTS headers. TLS 1.0 and 1.1 are disabled.
- At rest: all databases and object storage are encrypted using AES-256. Database backups are encrypted with the same standard.
- Passwords: user passwords are hashed using bcrypt with a per-user salt. Plaintext passwords are never stored or logged.
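The transport controls above (TLS 1.2 minimum, HSTS enforced) are the kind of thing a customer can verify independently. The following Python is an added example, not RoleComply's own code, showing a client-side check of both policies: it builds a TLS client context that refuses TLS 1.0/1.1, and it parses a Strict-Transport-Security header against a minimum max-age. The sample headers and the one-year max-age threshold are constructed for the example; the real values on the site are not given on this page.

```python
import ssl
from typing import Dict, List, Tuple

# Constructed sample of response headers, as a client might capture them.
SAMPLE_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Type": "text/html",
}

# Assumed policy threshold for the check: HSTS max-age of at least one year.
MIN_HSTS_MAX_AGE = 31536000


def build_client_context() -> ssl.SSLContext:
    """Client TLS context that will not negotiate below TLS 1.2.

    Mirrors the server-side policy stated above: a handshake against a server
    that only offers TLS 1.0/1.1 fails instead of silently downgrading.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_rejects_legacy_tls(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot fall back to TLS 1.0 or 1.1."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header value into lower-cased directive name -> value."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def hsts_policy_ok(headers: Dict[str, str],
                   min_max_age: int = MIN_HSTS_MAX_AGE,
                   require_subdomains: bool = True) -> Tuple[bool, List[str]]:
    """Check that the HSTS header is present and strong enough.

    Returns (ok, problems). Header names are matched case-insensitively.
    """
    problems: List[str] = []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, ["Strict-Transport-Security header missing"]
    d = parse_hsts(value)
    if "max-age" not in d or not d["max-age"].isdigit():
        problems.append("max-age missing or non-numeric")
    elif int(d["max-age"]) < min_max_age:
        problems.append(f"max-age {d['max-age']} below minimum {min_max_age}")
    if require_subdomains and "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    return (not problems), problems


if __name__ == "__main__":
    print("legacy TLS rejected:", context_rejects_legacy_tls(build_client_context()))
    print("HSTS policy:", hsts_policy_ok(SAMPLE_HEADERS))
```

The HSTS check only inspects a captured header; it does not fetch anything, so it runs offline against the constructed sample. Wiring `build_client_context()` into an HTTPS client is what turns it into a live handshake check.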
Access controls
- Least-privilege principle: internal team members have access only to systems required for their role.
- Access reviews: access privileges are reviewed quarterly. Departing employees have access revoked immediately.
- Audit logging: all administrative actions on production infrastructure are logged and retained for 12 months.
Application security
- Dependency scanning: automated scanning on every code push for known vulnerabilities in third-party libraries.
- Static analysis: code is reviewed for common security issues (injection, XSS, CSRF) before deployment.
- Code review: all production changes require peer review and approval before merging.
- Session management: session tokens are rotated on login, invalidated on logout, and expire after 30 days of inactivity.
- Rate limiting: API endpoints and authentication routes are rate-limited to prevent brute-force attacks.
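The session and rate-limiting bullets describe a lifecycle rather than show one. The following Python is an added example, not RoleComply's own implementation, of that lifecycle: a session store that issues a fresh token on login (discarding any token presented beforehand), drops sessions on logout, and expires them after 30 days of inactivity as stated above, plus a per-key sliding-window limiter of the kind used on authentication routes. The `ManualClock` helper, the token format and the limiter thresholds are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Idle timeout from the policy above: 30 days of inactivity.
IDLE_TIMEOUT = 30 * 24 * 3600


class ManualClock:
    """Deterministic clock for demonstration and tests (assumed helper)."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t


@dataclass
class Session:
    user_id: str
    last_seen: float


class SessionStore:
    """In-memory session store with rotation, idle expiry and explicit logout."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user_id: str, old_token: Optional[str] = None) -> str:
        # Rotation: whatever token the client held before authenticating is
        # discarded, so a pre-login identifier never becomes the logged-in session.
        if old_token is not None:
            self._sessions.pop(old_token, None)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, self._clock())
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the user for a live token, refreshing its activity timestamp."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]  # expired through inactivity
            return None
        s.last_seen = now
        return s.user_id

    def logout(self, token: str) -> None:
        # Server-side invalidation: the token is unusable even if the client keeps it.
        self._sessions.pop(token, None)


class RateLimiter:
    """Sliding window: at most `limit` attempts per `window` seconds per key."""

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.time) -> None:
        self.limit, self.window, self._clock = limit, window, clock
        self._hits: Dict[str, List[float]] = {}

    def allow(self, key: str) -> bool:
        now = self._clock()
        hits = [t for t in self._hits.get(key, []) if now - t < self.window]
        if len(hits) >= self.limit:
            self._hits[key] = hits
            return False
        hits.append(now)
        self._hits[key] = hits
        return True


if __name__ == "__main__":
    clk = ManualClock()
    store = SessionStore(clock=clk)
    tok = store.login("alice")
    print("rotated on login:", store.login("alice", old_token=tok) != tok)
    limiter = RateLimiter(limit=5, window=60, clock=clk)  # assumed thresholds
    print("6th attempt allowed:", [limiter.allow("client") for _ in range(6)][-1])
```

The key is whatever the limiter should count per, typically a client address or account for authentication routes; the constructed thresholds here are illustrative, and the page does not state the real ones.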
Data handling
We scan only the publicly accessible text of job postings — the same content visible to any job seeker. Compliance results and reports are stored and associated with your account. We do not harvest or resell candidate data.
Incident response
We maintain a documented incident response plan. In the event of a security incident:
- We investigate and contain the incident immediately upon detection.
- If personal data is compromised in a way likely to cause harm, we notify affected users and relevant supervisory authorities within 72 hours of becoming aware.
- We conduct a post-incident review to prevent recurrence.
Penetration testing
We conduct annual penetration tests carried out by an independent third party. Critical and high findings are remediated within 30 days. Results are available to enterprise customers under NDA upon request.
Sub-processors and third-party risk
We vet all sub-processors for security and data protection practices before onboarding. Key processors — AWS, Stripe, PostHog — are SOC 2 Type II certified or equivalent. A full sub-processor list is available on request at philip@rolecomply.com.
Business continuity
Automated database backups run every 6 hours with point-in-time recovery available for 30 days. Backups are stored in a separate AWS region. Our target RTO (recovery time objective) is 4 hours; our RPO (recovery point objective) is 6 hours.
Responsible disclosure
If you discover a potential security vulnerability in RoleComply, we ask that you report it to us before disclosing it publicly. Email philip@rolecomply.com with:
- A description of the vulnerability and steps to reproduce it.
- The potential impact you believe it could have.
- Your name/handle (for acknowledgement, if desired).
We commit to: acknowledge your report within 48 hours, provide an update within 7 days, remediate confirmed critical and high vulnerabilities within 30 days, and not pursue legal action against researchers acting in good faith.
Scope:
- In scope: rolecomply.com and its subdomains, API endpoints, web application.
- Out of scope: social engineering, physical attacks, denial-of-service testing, spam, third-party services.
Please do not access or modify other users' data during testing.