How we protect your data and ours.
Confidentiality is not a feature of executive search — it is the foundation. Every system, process, and policy we operate is designed around that principle.
What we store and how we protect it.
- No PHI
Protected health information does not flow through this platform. Vanta delivery brands handle clinical data separately.
- Encryption at rest
All data is stored in Neon Postgres with AES-256 encryption. Database credentials are never committed to source control.
- Encryption in transit
All connections use TLS 1.3. HSTS is enforced with a two-year max-age and preload.
- Data residency
United States. Application hosting on Vercel (US regions), database on Neon (US-East).
- Retention
Candidate PII is stored only as long as the engagement requires. Deleted upon client request or after the defined retention period.
- Access control
Restricted to authorized operators via Clerk identity management. No shared accounts. Role-based permissions.
Every search is confidential by default.
- Candidate identities are never disclosed to unauthorized parties — inside or outside the client organization.
- Search existence is never disclosed publicly. Critical for C-suite replacements and board-level transitions.
- Internal access controls enforce operator-level permissions. No shared accounts, no cross-client data visibility.
- All client engagements are governed by mutual NDA before any candidate information is exchanged.
Who processes data on our behalf.
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Vercel | Application hosting | Page requests, server-side rendering | US |
| Neon (Postgres) | Database | Contact submissions, engagement data | US-East |
| Resend | Transactional email | Names, email addresses | US |
| Clerk | Identity & auth | Operator credentials | US |
| Anthropic (Claude) | AI copilot | Search context, anonymized candidate notes | US |
Where we stand.
SOC 2 Type II
In preparation. Security controls are designed to SOC 2 Trust Services Criteria. Formal audit planned.
GDPR
Data processing agreements available for engagements involving EU-based candidates or clients.
CCPA
California consumer privacy rights honored for all California-based candidates.
Data retention
Retention policy and right-to-delete process available on request.