Security & Trust

How we protect your data — last updated: June 2, 2026

Our commitment

SortList handles sensitive recruiting data — resumes, candidate identities, interview feedback, and hiring decisions. We take that responsibility seriously. This page describes the technical and operational controls we have in place to keep your data safe.

Infrastructure

  • Hosting: Amazon Web Services (AWS), region us-east-2 (Ohio, USA), with isolated VPC networking.
  • Database: Managed PostgreSQL with daily automated backups and point-in-time recovery.
  • Encryption at rest: All databases, file storage, and backups are encrypted using AES-256.
  • Encryption in transit: All traffic to and from SortList is encrypted with TLS 1.2 or higher. HTTPS is enforced via HSTS.
  • Isolation: Production environments are separated from development and staging. Customer data is logically isolated by tenant (organization).

Authentication & access

  • Password storage: Passwords are hashed with bcrypt (we never store, log, or transmit plaintext passwords).
  • Sessions: Authentication uses short-lived JWT access tokens with refresh-token rotation.
  • Email verification: Required on signup.
  • Role-based access control (RBAC): Owners, admins, and recruiters have scoped permissions within their organization.
  • Multi-tenant isolation: Every database query is scoped to the requesting organization, preventing cross-tenant data access.
  • Internal access: Production access is limited to a small set of engineers and uses key-based SSH authentication.

Application security

  • Secure headers: Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are enforced on every response.
  • Input validation: All API endpoints validate inputs using strict schemas; SQL queries use parameterized statements to prevent injection.
  • Rate limiting: Authentication endpoints are rate-limited to prevent brute-force attacks.
  • Dependency monitoring: Third-party dependencies are scanned for known vulnerabilities and updated promptly.
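The two controls above that most often fail in practice are query scoping and parameterization, because both must hold on every query rather than most of them. The following is an added illustration of how a tenant-scoped data-access layer enforces both at once; it is example code written for this page, not SortList's own implementation, and the `candidates` table, the `org_id` column, and the seed rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample schema and data (hypothetical): two organizations, 100 and 200,
# share one table, as in a logically isolated multi-tenant database.
SCHEMA = """
CREATE TABLE candidates (
    id     INTEGER PRIMARY KEY,
    org_id INTEGER NOT NULL,
    name   TEXT    NOT NULL
);
"""
SEED = [
    (1, 100, "Alice Example"),
    (2, 100, "Bob Example"),
    (3, 200, "Carol Example"),
]


def open_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO candidates VALUES (?, ?, ?)", SEED)
    return conn


def _escape_like(fragment):
    """Escape LIKE metacharacters so user input is matched literally, not as a wildcard."""
    return (
        fragment.replace("\\", "\\\\")
        .replace("%", "\\%")
        .replace("_", "\\_")
    )


class TenantRepo:
    """Every query goes through this class, which binds org_id once from the
    authenticated session. Request parameters can never change which tenant is queried."""

    def __init__(self, conn, org_id):
        self.conn = conn
        self.org_id = org_id

    def list_candidates(self):
        return self.conn.execute(
            "SELECT id, name FROM candidates WHERE org_id = ? ORDER BY id",
            (self.org_id,),
        ).fetchall()

    def search_candidates(self, name_fragment):
        # name_fragment is untrusted. It is bound as a parameter, so input such as
        # "' OR 1=1 --" is compared as text instead of rewriting the statement.
        pattern = "%" + _escape_like(name_fragment) + "%"
        return self.conn.execute(
            "SELECT id, name FROM candidates "
            "WHERE org_id = ? AND name LIKE ? ESCAPE '\\' ORDER BY id",
            (self.org_id, pattern),
        ).fetchall()

    def get_candidate(self, candidate_id):
        # Even a lookup by primary key carries the tenant predicate, so a guessed id
        # belonging to another organization returns nothing rather than their record.
        return self.conn.execute(
            "SELECT id, name FROM candidates WHERE id = ? AND org_id = ?",
            (candidate_id, self.org_id),
        ).fetchone()


if __name__ == "__main__":
    db = open_db()
    org_100 = TenantRepo(db, 100)
    print(org_100.list_candidates())          # only org 100's rows
    print(org_100.get_candidate(3))           # None: id 3 belongs to org 200
    print(org_100.search_candidates("' OR 1=1 --"))  # []: treated as literal text
```

The design point is that the tenant identifier is a constructor argument taken from the verified session, not a query argument, so a missing `WHERE org_id = ?` cannot be introduced by a caller; a code-review or lint rule that rejects raw `conn.execute` calls outside this class is the natural way to keep that invariant.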

AI & data processing

SortList uses large language models from Anthropic and OpenAI to analyze resumes and assist with recruiter workflows. Your data:

  • Is never used to train models that serve other customers.
  • Is sent to model providers only via their API endpoints, under contractual data-processing agreements that prohibit training on customer inputs.
  • Is logically isolated by tenant — one customer's data is never visible to another.

See our sub-processors page for the full list of vendors we share data with.

Backups

Our managed database provider performs automated backups with point-in-time recovery. Backups are encrypted at rest.

Incident response

In the event of a security incident affecting customer data, we will investigate and contain it promptly, and notify affected customers in a timeframe consistent with applicable law.

Reporting a vulnerability

If you believe you've discovered a security vulnerability in SortList, please report it to security@sortlistnow.com. We ask that you give us reasonable time to investigate before public disclosure, and that you do not access, modify, or destroy customer data while testing.

Privacy & data rights

For details on how we handle personal data and the rights available to you under GDPR, DPDP, and CCPA, see our Privacy Policy.

Contact

Security questions: security@sortlistnow.com
Privacy questions: privacy@sortlistnow.com