Intrvio security

Intrvio's technical security posture — encryption, authentication, network protection, application defenses, vulnerability disclosure, and audit cadence. For the wider compliance picture see /trust.

Encryption

Encrypted in transit and at rest

All traffic between candidates, employers, and Intrvio uses TLS 1.3 with modern cipher suites; HSTS is enabled with preload.

Persistent data is stored in Postgres on Supabase with disk-level AES-256 encryption. Audio recordings and transcripts live in object storage with object-level encryption keys managed by the storage provider.

Database backups are encrypted; sensitive fields (candidate identifiers, OAuth tokens) use additional column-level encryption where applicable.

Authentication

Strong auth, with options for enterprises

Password authentication uses bcrypt hashing with per-user salts. TOTP-based MFA is available for all employer accounts and can be enforced workspace-wide.

SAML 2.0 single sign-on is available on the Scale tier for enterprise IdPs (Okta, Azure AD/Entra ID, Google Workspace).

Third-party integrations (ATS, calendars) authenticate via OAuth 2.0 with least-privilege scopes; refresh tokens are rotated and revocable.

Network

Edge protection, WAF, and bot mitigation

Traffic is fronted by Vercel Edge with Cloudflare in front for DDoS protection and a configured WAF rule set.

Cloudflare Turnstile is used as a bot/abuse mitigation gate on form endpoints (signup, candidate join, sensitive actions).

Per-route rate limits are enforced; suspicious IPs are throttled and surfaced in the audit log. Geo-region tagging is applied at request time to support data-residency and AI Act regional reporting.

Application

Defense in depth at the app layer

A strict Content-Security-Policy is enforced on all marketing and product surfaces; CSRF protection is built into form submissions; cookies are HttpOnly, SameSite=Lax, and Secure.

Tenant isolation in Postgres is enforced via Supabase Row-Level Security policies; access is validated on every request, not only at the API edge.

Every interview action — start, model output, recruiter override, export, deletion — is recorded in an append-only audit log keyed by session.
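To make the two controls above concrete, here is an added SQL illustration (not Intrvio's schema or policies) of Supabase-style Row-Level Security for tenant isolation together with an append-only audit log; all table and column names are assumed, and auth.uid() is Supabase's helper that returns the caller's user id from the request JWT.

```sql
-- Added example, not Intrvio's code: table and column names are assumed.
-- Membership table: which authenticated users belong to which workspace.
create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null references auth.users (id),
  primary key (workspace_id, user_id)
);

create table interviews (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  candidate    text not null,
  created_at   timestamptz not null default now()
);

-- RLS is evaluated by Postgres on every statement, so the tenant check
-- runs on each request rather than only at the API edge.
alter table interviews enable row level security;
alter table interviews force row level security;  -- also binds the table owner

-- A row is readable and writable only by members of its workspace.
create policy tenant_isolation on interviews
  for all
  to authenticated
  using (
    exists (select 1 from workspace_members m
             where m.workspace_id = interviews.workspace_id
               and m.user_id = auth.uid())
  )
  with check (
    exists (select 1 from workspace_members m
             where m.workspace_id = interviews.workspace_id
               and m.user_id = auth.uid())
  );

-- Append-only audit log keyed by session: the application roles may
-- insert and read, but never update, delete or truncate.
create table audit_log (
  id         bigint generated always as identity primary key,
  session_id uuid not null,
  actor_id   uuid not null,
  action     text not null,   -- e.g. 'start', 'model_output', 'export'
  at         timestamptz not null default now()
);
alter table audit_log enable row level security;
revoke update, delete, truncate on audit_log from authenticated, anon;
create policy audit_append on audit_log
  for insert to authenticated with check (actor_id = auth.uid());
create policy audit_read on audit_log
  for select to authenticated using (actor_id = auth.uid());
```

Because the policies live in the database, a query that bypasses the API layer (a misconfigured endpoint, a direct Postgres connection with the application role) is still confined to the caller's workspace, and historical audit rows cannot be rewritten by that role.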

Vulnerability disclosure

Responsible disclosure program

Report vulnerabilities to security@intrvio.com. We commit to acknowledging within 2 business days, providing a triage update within 7 days, and coordinating disclosure within 90 days from the initial report.

We do not threaten or pursue legal action against good-faith security research that complies with this policy. Please avoid scanning customer data, exfiltrating any data, or disrupting service.

Pen testing & audits

Independent testing on a yearly cadence

Annual third-party penetration testing is planned starting Q3 2026 (forward-looking; the first engagement has not yet occurred).

SOC 2 Type I is in progress, target Q4 2026. ISO 27001 certification is on the 2027 roadmap.

We treat security as part of the change-management lifecycle: dependency scanning runs on every pull request, infrastructure changes are peer-reviewed, and access reviews run quarterly.

Enterprise security review

Send us your vendor security questionnaire

We answer SIG, CAIQ, or your custom questionnaire; our sub-processor list and DPA are ready to ship.