Security & trust

Security isn't a feature. It's the foundation.

TrueNorth handles resumes, contact details, and government IDs every day. Here's exactly how we protect that data — in plain language, with nothing hand-waved.

Controls

How your data is protected.

Defense in depth — from the database up to the role that reads a single field.

Field-level PII encryption

Sensitive identifiers (SSN, PAN, Aadhaar) are encrypted at the individual field level, on top of the encryption at rest applied to the whole database, and are only ever returned masked, showing just the last 4 characters. Plaintext is never returned by the API.

Role-based access control

A five-role hierarchy (from CEO to junior recruiter) with JWT authentication. Every request is authorized server-side at the API, never only in the client, so users only ever reach the data their role permits.

PII access auditing

Access to sensitive candidate and employee data is logged — so there's always an answer to who viewed what, and when.

Encryption in transit

All traffic is served over TLS. The database runs on a private network and is never exposed to the public internet.

Backups & recovery

Continuous point-in-time recovery plus scheduled backups protect against data loss and let us restore to a precise moment if needed.

Regional data residency

A single, region-aware codebase runs in the US or India with data — including resume storage — kept in your region.

Data residency

Your data stays in your region.

TrueNorth runs from one codebase with a region flag — so US and India customers get the same product, with data resident where their compliance requires.

🇺🇸 United States

US instance with resume storage in a US-region bucket and US-region database. Work authorization, W-2/1099/C2C classification, and USD billing are first-class.

🇮🇳 India

India instance with resume storage in an India-region bucket. Aadhaar e-sign, PAN handling, and INR billing are supported natively — data resident in India.

Infrastructure

Built on trusted, audited infrastructure.

TrueNorth runs on cloud infrastructure whose providers hold SOC 2 Type II reports. Those reports cover the providers, not TrueNorth itself; we don't claim certifications we don't hold. Instead, we're transparent about exactly who processes your data and why.

Sub-processor | Purpose | Data
Railway | Application hosting & PostgreSQL database | All application data (encrypted at rest)
AWS S3 | Resume & document storage | Resumes, agreements (region-resident)
Google Cloud | Gemini AI parsing & matching; Drive/Gmail import | Resume text for parsing
Resend | Transactional email | Names & email addresses
Sentry | Error monitoring | Diagnostic data (PII scrubbed)

Data lifecycle

Clear retention, deletion, and response.

Need this for a security review?

We'll share a written security overview and answer your questionnaire. Tell us what your procurement team needs.

Request the security overview