§Trust

Security & compliance

How we protect candidate and customer data — and what we ask of any vendor in your stack.

Last updated June 2026

Interloop handles sensitive data: interview recordings, transcripts, assessment results, and proctoring signals. We design for privacy and security from the ground up. This page summarises our practices; for exactly what we collect and why, see the Privacy Policy.

Encryption

All traffic is served over HTTPS/TLS, with HSTS enforced. Data is encrypted in transit and at rest by our infrastructure providers (managed Postgres and object storage).

Browser-side biometrics

Face verification and liveness checks run in the candidate's browser — the raw biometric data never leaves their device. We record the proctoring signals (e.g. a flag that gaze left the screen), not the candidate's biometric template. This materially reduces risk versus shipping face data to a server.

Access control

  • Role-based access (RBAC) — five predefined roles (Owner, Admin, Recruiter, Hiring Manager, Viewer) scope what each team member can see and do.
  • Multi-factor authentication (MFA) for team accounts.
  • SSO / SAML available for enterprise.
  • Multi-tenant isolation — every record is scoped to its company; data is never shared across tenants.

Application security

  • A strict Content-Security-Policy and security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) on every response.
  • Rate limiting on public endpoints to prevent abuse.
  • Audit logging on data mutations, for traceability.
  • Error monitoring (Sentry) with alerting on anomalies.
  • Soft-deletes — deletions are recoverable and auditable rather than silently destructive.

Hosting & data residency

The application runs on Vercel's global edge; the primary database is managed Postgres (currently in the Sydney region), and files are stored in AWS S3. For enterprise and government buyers — particularly in the GCC, where in-Kingdom/in-region data residency is often required — regional hosting is scoped per customer. Talk to us early if residency is a requirement.

Your data rights

We support data export and erasure on request, cascading to stored files. This helps you meet candidate rights under GDPR and India's DPDP Act. See DPDP-ready AI hiring for what to check.

Compliance status

  • GDPR — supported (data export/erasure, consent, regional storage).
  • India DPDP — built DPDP-ready (consent, candidate rights, audit logging, browser-side biometrics).
  • SOC 2 — in progress; we're building toward Type II. We'll update this page as it completes (we won't claim a certification we don't hold).

Responsible disclosure

Found a vulnerability? Please email security@interloop.tech with details. We'll acknowledge and work with you on a fix; please don't publicly disclose until it's resolved.

Sub-processors

We rely on a small set of vetted infrastructure providers (hosting, database, storage, email, payments, AI). The current list is maintained in our Privacy Policy.